OFFICIAL SECURITY BLOG
November 21, 2013 | BY Jean Taggart
A UK blogger known as DoctorBeet reported that his LG smart TV was apparently collecting usage information, in effect spying on him, under the guise of better-targeted advertising shown on the “dashboard” of the TV.
The adverts prompted him to start capturing the network traffic flowing from his TV and investigate further.
This traffic analysis revealed that his smart TV is transmitting:
Even more alarming, disabling the “collection of watching info” by changing the setting to OFF (a menu option that conveniently lacked an explanation bubble in the smart TV configuration interface) only changes a field from 1 to 0 in the flow of data.
This indicates the user does not want to be tracked, but the traffic is still sent.
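One way to check a capture for this behaviour, as an added example that is not from DoctorBeet's post or from LG: it flags requests whose opt-out field is 0 but which still carry other data. The host, path and field names (`collect_flag`, `device_id`, `channel`) are hypothetical placeholders, and the sample requests are constructed.

```python
"""Check whether a device still sends usage data after tracking is switched off.

Added example. Host name, path and field names are hypothetical placeholders,
not values from the original capture.
"""
from urllib.parse import parse_qsl

# Constructed sample: raw HTTP requests as they might be exported from a capture.
SAMPLE_REQUESTS = [
    b"POST /collect HTTP/1.1\r\nHost: telemetry.tv-vendor.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"collect_flag=1&device_id=CONSTRUCTED01&channel=News+24",
    b"POST /collect HTTP/1.1\r\nHost: telemetry.tv-vendor.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"collect_flag=0&device_id=CONSTRUCTED01&channel=Film+Four",
    b"POST /collect HTTP/1.1\r\nHost: telemetry.tv-vendor.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"collect_flag=0",
]


def parse_request(raw):
    """Split one raw HTTP request into (host, path, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    path = lines[0].split(" ")[1]
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    headers = {k.lower(): v for k, v in headers.items()}
    fields = dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
    return headers.get("host", ""), path, fields


def opt_out_violations(raw_requests, flag_field="collect_flag"):
    """Return requests that declare opt-out (flag == "0") yet still carry data."""
    findings = []
    for raw in raw_requests:
        host, path, fields = parse_request(raw)
        if fields.get(flag_field) != "0":
            continue  # tracking enabled, or flag absent: not an opt-out breach
        leaked = sorted(k for k, v in fields.items() if k != flag_field and v)
        if leaked:
            findings.append({"host": host, "path": path, "leaked_fields": leaked})
    return findings


if __name__ == "__main__":
    for f in opt_out_violations(SAMPLE_REQUESTS):
        print(f"opt-out ignored: {f['host']}{f['path']} sent {f['leaked_fields']}")
```

A request that carries only the flag itself, like the third sample, is not reported, since nothing beyond the opt-out state is being sent.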
Further sleuthing revealed some marketing material, used for potential advertisers, that he classified as “creepy”, and after reading it, I would concur.
As usual, the emphasis is on what an amazing advertising platform LG smart TVs are, and very little is said about what is collected on LG smart TV owners and how.
DoctorBeet contacted LG and was basically told that having agreed to the terms and conditions, they were off the hook.
DoctorBeet does point out that his traffic captures show that the information being sent returns a code 404 presently, indicating that the collection at LG’s end isn’t taking place, yet.
He also provides advice on how to block this traffic at the router at the end of his blog post.
“So how can we prevent this from happening? I haven’t read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.
This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.”
It will be interesting to see LG’s official reaction to these glaring privacy violations.
I will now be performing traffic analysis on my smart TV, possibly navigating intentionally obscure menu options, to switch off tracking options, if such are available on my model.
I will be blocking specific URLs at my router, depending on what I find in the traffic captures.
All these things I will do, because I have the necessary knowledge.
These discoveries will certainly spur many other technically minded users to do the same, but I hope LG addresses this issue, because it will really hurt their brand reputation if they do not.
Making these changes is beyond the average user, and manufacturers can decide to just play the numbers game.
On the plus side, I think I can now justify buying an LG smart TV for testing, and if I play my cards right, I might be able to roll out an IDS on my home network!
As more and more devices deploy with internet connectivity and smart features, we are seeing a rush to deliver features, with very little thought about security.
There are already precedents, such as this research paper by SeungJin, “Hacking, Surveilling, and Deceiving Victims on Smart TV”, presented at Black Hat 2013, and some more related content: DEF CON 21, “Home Invasion 2.0”.
These videos help bring home the point that the internet of things is ripe for abuse.
*UPDATE* LG has responded: “A firmware update is being prepared for immediate roll out that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.”