Smart TV from LG phones home with user's viewing habits, USB file names


nsane.forums

It's not the premise of a sci-fi novel. Internet-connected TVs are watching you now.

It sounds like the premise of a Philip K. Dick story, but it's not. A blogger has offered evidence that his Internet-connected television has been transmitting detailed information about his family's viewing habits, including the times and channels they watch and even the names of computer video files stored on connected USB drives.

The unidentified blogger, whose Twitter profile described him as a "developer, tweaker and Linux enthusiast" living in the UK county of Yorkshire, said the LG Smart TV model is LG 42LN575V and was manufactured in May 2013. He provided screenshots of data packets he said he captured showing the information his TV sent unencrypted over the Internet. The data appeared to show a device ID unique to his set, along with the name of the channel it was tuned to. In his tests, the information was sent in the clear every time the channel was changed. Even more remarkable, he said, the smart TV sent the data even after he waded through the system preferences and set the "Collection of watching info" setting to "off" (it was on by default).

But the logging didn't stop there. Included in the traffic sent over the Internet were the names of files stored on a USB drive connected to the LG television. For dramatic purposes and to ensure he chose a file name not likely used by the firmware, he created a mock video file called Midget_Porn_2013.avi, loaded it onto a USB drive and plugged it into his TV. Sure enough, the file name was transmitted unencrypted in HTTP traffic sent to the address GB.smartshare.lgtvsdp.com. In some cases, he said, file names for an entire folder were transmitted, and other times nothing at all was sent. He never determined the rules that controlled when data was or wasn't sent.

In fairness to LG, it should be emphasized that the address included in the POST requests returned 404 errors typically used to indicate that a specified file isn't available. That means the personal information in the request may not have been logged by the server, although there's no guarantee that this is the case. But even if the information wasn't stored by servers belonging to LG or other companies, it hardly softens the privacy intrusion, for several reasons.

"Despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored," the blogger, calling himself DoctorBeet, wrote in a blog post published Monday. "It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB."

Data packets sent over the Internet include the string "Midget_Porn_2013.avi," the name of a file stored on a USB drive.

And even if LG servers never implement the URL, the blogger's TV—and any other set that behaves similarly—will continue sending the data in an unencrypted format. That means anyone on the same local network—say in a corporate office building or over an inadequately secured Wi-Fi connection—can monitor users' file names and viewing habits. And of course, government actors or anyone else who can monitor the Internet at large can do the same thing.

All your midget porn are belong to us

According to DoctorBeet, LG representatives made no apologies when he brought the monitoring behavior to their attention.

"The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer," the representatives wrote in a response to the blogger. "We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions."

The facts and screenshots in this post are based on the account of a single person testing a single model. That makes it hard to know how widespread the monitoring and phone-home behavior is. It also makes it difficult to say if there are factors that might mitigate or explain some of the monitoring the blogger reported. LG representatives didn't respond to an e-mail Ars sent requesting comment for this post. This post will be updated if they respond later. It's also not clear if smart TVs from other manufacturers do the same thing.

Assuming the blogger is picking up on behavior common to a significant percentage of smart TVs, it wouldn't be the first time a traditional consumer device that has been retooled with an Internet connection has been found to present a potential privacy threat. Last year, a researcher uncovered a vulnerability in many Samsung smart TVs that allowed him to remotely take control of devices that were connected to the same local network he was on. From there, he could access USB files and install malicious apps, and use the TV's microphone and camera to spy on users. Last month, a security researcher demonstrated how to turn a wireless baby monitor made by Belkin into a stealthy and persistent bugging device. This raises an important question about what consumers of these devices can do.

The blogger solved the problem presented by his LG TV by configuring his home router to block the seven Internet addresses his model automatically attempted to contact. This method obviously won't work for people who aren't comfortable mucking about with their hardware settings. But even for those who are comfortable, there's a limit to how effective this can be. A decade from now, when the majority of appliances and consumer devices in homes come with their own Internet connection, it won't be feasible to block every single privacy-invading address. Eventually, the only solution will be for manufacturers of these once-dumb devices to pour the same talent and resources into securing their wares that are standard at Microsoft, Apple, and Google. In the race to cash in on the Internet of things goldrush, readers shouldn't count on that happening anytime soon.

View: Original Article
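The cleartext leak described in the article can be checked for on your own network by scanning captured plaintext HTTP requests for media file names sent to the reported domain. The following is an added example, not code from the article or the blogger; only the host name comes from the article, while the request path, field names and sample values are constructed.

```python
import re
from urllib.parse import unquote_plus

# Host suffix taken from the article; everything else below is constructed.
WATCHED_SUFFIX = "lgtvsdp.com"
MEDIA_NAME = re.compile(r"[\w .()\-]+\.(?:avi|mkv|mp4|mov|wmv|mpg|jpg|mp3)\b", re.I)

def parse_request(raw: str):
    """Split one plaintext HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def find_leaks(raw_requests, suffix=WATCHED_SUFFIX):
    """Return one finding per request to the watched domain that carries file names."""
    findings = []
    for raw in raw_requests:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "").split(":")[0].lower()
        # Match the domain itself or a true subdomain, not look-alike suffixes.
        if not (host == suffix or host.endswith("." + suffix)):
            continue
        # File names may be URL-encoded in the path/query or in the body.
        decoded = unquote_plus(path + "\n" + body)
        names = sorted(set(MEDIA_NAME.findall(decoded)))
        if names:
            findings.append({"host": host, "method": method, "files": names})
    return findings

# Constructed sample requests (path and field names are hypothetical).
SAMPLE = [
    "POST /hypothetical/endpoint HTTP/1.1\r\nHost: GB.smartshare.lgtvsdp.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "device_id=CONSTRUCTED-0001&name=family%20holiday%202013.avi",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE):
        print(finding)
```

Because the requests are unencrypted, the same check works from any capture point on the path, which is the exposure the article describes for shared or poorly secured networks.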


and that's why I don't watch the TV... nor do I own one... :tehe:



Personal user data sent without consent, and that too with no encryption? How mind-numbingly stupid can they get? :wtf: Companies proved to have spied on unsuspecting customers like this should be slapped with fines that make them afraid to ever try something like this again (they're not going to be repentant in any case, no matter what they say).

On a related note, every device requires an internet connection nowadays, whether it makes sense or not. Dumb devices that used to work fine for decades now require firmware updates even for normal functionality. News like this makes it easy for conspiracy theorists to claim that we're slowly being surrounded by a vast network of snooping devices engineered to track our movements and habits 24x7. Of course, given what has been revealed about the NSA (which is just the tip of the iceberg obviously), it's not that easy now to laugh at conspiracy theorists and brush off their claims as being ludicrous, is it? :unsure:



Well that's put me off buying an LG TV...


