Consumer Reports Says Hackers Could Expose Samsung, Roku Smart TV Flaws
Millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws, said Consumer Reports. Wednesday's report, which also found privacy issues with smart TVs’ “substantial data collection,” was the first test from its Digital Standard. The standard was developed with cybersecurity and privacy organizations Disconnect, Ranking Digital Rights, The Cyber Independent Testing Lab and nonprofit tech organization Aspiration to help set expectations for how connected product manufacturers should handle privacy and security.
CR said unsophisticated hackers could expose security vulnerabilities in Samsung, TCL and other TVs based on Roku’s smart TV platform to cause electronic mischief: change channels, play offensive YouTube content or crank the volume. A hacker wouldn’t have to be within range of the user’s Wi-Fi network; he could break in from thousands of miles away via the web, it said. The vulnerabilities wouldn’t allow a hacker to spy on the user or steal information, said the report.
Samsung has been in contact with CR and is looking into specific findings, a spokesman said: “To ensure the security of any device, we continue to evaluate the feedback we receive on all of our connected products.”
CR identified a problem in the Roku application programming interface the company makes available to developers to create products that run on its platform -- an issue dating to 2015 on a Roku programmer forum, it said. The report called Roku’s remote control API “totally unsecured,” enabling “even extremely unsophisticated hackers” to take control of Roku products, calling it a “neon ‘We’re open!’ sign.”
A company spokeswoman said tests finding Roku TVs and players are vulnerable to hacking are “a mischaracterization of a feature” and it's “unfortunate” it was reported that way. The company assures customers “there is no security risk,” she said. Roku enables third-party developers to create remote controls consumers can use to operate their Roku products, she said, and those applications “are only accessible to those on a customer’s Wi-Fi" network. Calling that feature a vulnerability “is inaccurate,” she said, noting customers can disable it in advanced settings.
Smart TVs raise privacy concerns by collecting “very detailed information on their users,” said the report, citing an agreement a year ago requiring Vizio (see 1702060042) to pay $1.5 million to the FTC and $2.2 million to New Jersey to settle allegations it designed its smart TVs to spy on users’ viewing behavior. Vizio didn't comment. The study noted new smart TVs from LG and Samsung with digital assistants that can control other smart devices in the home add another layer to the privacy question.
CR cited automatic content recognition technology that steers a smart TV to recommend shows a user might want to watch based on viewing history. ACR is also used for targeting advertisements to a household, “and you can’t easily review or delete this data later,” said the report. Users must make a choice between protecting their data or accessing the internet. “You can turn off ACR monitoring while still agreeing to a set’s basic privacy policy,” the report said, but that could limit recommendations for shows with similar themes.
Samsung privacy practices “are specifically designed to keep the personal information of consumers secure,” while ensuring “the best possible user experience,” said the spokesman. Before the company collects information from users, “we always ask their consent” and ensure data is handled carefully, he said.
Roku gives customers the choice to opt in to ACR, which isn’t enabled by default, its spokeswoman said. If users activate it, they can disable it later through a privacy submenu, she said: “We take the security of our platform and the privacy of our users very seriously.”
A Sony Android TV was the only model tested requiring users to agree to a privacy policy and terms of service to complete setup. Consumers have to click "yes" to Google agreements “even if they don’t plan to connect to the internet,” it said. The report quoted Sony saying customers concerned about sharing information with Google don’t have to connect their TV to the internet and can use cable or broadcast signals. Sony didn't comment.
Smart TVs are the majority of new TVs shipped. CR cited IHS Markit as finding that 69 percent of new sets shipped in North America last year were internet-capable, with that due to rise this year. IHS didn’t comment.
A recent CR subscriber survey of 38,000 smart-TV owners said 51 percent were at least somewhat worried about privacy implications of smart TVs, and 62 percent were at least somewhat worried about the sets' security practices.