Nov 24 2013
I’m getting used to the idea that the NSA and the GCHQ are looking at every packet that crosses the Internet. I hate it, I think it’s wrong, but I can understand that they think it’s their mandate to spy on us in order to protect us. The logic is deeply flawed, but at least it’s understandable that they’d convince themselves that it’s worth the risk that such spying entails. However, when my television starts spying on my viewing habits, the drives I plug into it and every file on my network, then sending the information back to LG, all in the name of providing ‘a better viewing experience’, someone has most definitely pole vaulted over the line into the pit of pure stupidity.
If you’ve missed it, last week blogger DoctorBeet did some sniffing on his home network and found his LG TV was phoning home to the manufacturer and reporting on his viewing habits. It sent packets when turned on, as it was turned off, any time he changed the channel, and most importantly, it catalogued any USB drive he plugged into it. And now a second blogger has found that LG is scanning all the network shares you might have and reporting that information back to the home servers. When confronted by DoctorBeet with these egregious privacy violations, LG’s initial response was “you signed off on the terms of service, so take the TV back to the store you bought it from if you don’t like it”. They’ve since had a change of heart, mostly because bloggers and news sites around the globe have started raising a big stink about the story. Oh, and while there is an option to turn off the data collection, this just means that you’ve set a flag to tell LG to ignore your data when it gets to their servers, not stop collecting it in the first place. You’ll just have to trust them that there’s no PII and that they actually dump your information from the databases.
We already know that Smart TVs are riddled with vulnerabilities and that many are running a stripped-down Linux kernel in the background, some complete with web servers on the backend. I’d hazard a guess that most of the services are running as root on the TV, that the developers have never heard of SSL and that all the connections to your phone and tablet are done over the public internet completely unencrypted. While someone at the manufacturer might have raised the spectre of security, he or she was probably shouted down in favor of adding more capabilities to the TV as cheaply as possible.
The Internet of Things means that this type of spying and vulnerable technology on our home networks is only going to get more prevalent as time goes by. Someone out there is probably already working on the web-enabled refrigerator that reads the NFC chip on your milk carton to automatically send a request to Tesco when your milk gets low or reaches its expiration date. And some day we’ll have an alarm clock that phones in to work for you when you sleep in and are going to be late for work. And this will all be a data source for the marketing companies. And the NSA.
Some of this will be handled by legislation that makes data collection like what LG is doing illegal. It will still happen, but it’ll become less common as companies get caught by bloggers and the press, embarrassed into removing the snooping technologies from their hardware. Or, more likely, they’ll learn to be more circumspect in what they’re capturing and how they transmit it back to home base. And the intelligence agencies will want access to it all. Isn’t paranoia fun, especially when it’s closer to reality than a psychosis?
Update: I’ve only had a little time to poke at the web server on my Samsung TV, but some gentlemen at the University of Amsterdam have dug into it more deeply than I could hope to. I’m guessing there’s still more to find on these TVs.