LG Smart TVs phone home with viewing habits and USB file names

LG TVs too Smart, phones home with personal viewing habits and USB file names

LG logoLast year we wrote about a security hole in Samsung TVs which could have allowed hackers to get in to your television, watch you, change channels and plant malware.

Now, a UK blogger, known only as ‘DoctorBeet‘, has apparently discovered that his LG Smart TV has actually been sending data about his family’s viewing habits back to the South Korean manufacturer.

After some investigation he found that his Smart TV would send data back to LG, even after he disabled an option in the system settings menu called “Collection of watching info.”

collection of watching info

He said that his LG set, model number LG 42LN575V, connects to a non-functional URL with details of the times and channels being watched.

Worse still, he also discovered that the filenames of some media on a USB device connected to the TV were also transmitted, saying that:

My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.

This discovery prompted DoctorBeet to create a mock video file which he transferred to a USB stick. He deliberately chose a filename – Midget_Porn_2013.avi – that couldn’t possibly be confused with the TV set’s firmware. After connecting the USB drive to his TV he later found that the filename had been transmitted in an unencrypted format to GB.smartshare.lgtvsdp.com.

Strangely, not all filenames belonging to media on USB devices were transmitted:

Sometimes the names of the contents of an entire folder was posted, other times nothing was sent. I couldn't determine what rules controlled this.

He did stress, however, that the URL to which the data is being sent returned HTTP 404 errors which could mean that LG’s servers may not have logged any personal information. Although that isn’t necessarily the case, as one commentator on DoctorBeet’s blog posting pointed out:

Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs - collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.

DoctorBeet himself said that the current 404 status of the URL could mean very little:

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites.

According to DoctorBeet, LG was somewhat dismissive of his concerns when he brought them up in a letter.

In an emailed reply the company simply said that, as he had accepted the Terms and Conditions on his TV, it wasn’t really its problem. LG suggested that he take up the issue with the retailer who sold him the set.

LG spoke to the BBC, saying that the company is looking into the complaint:

Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously

We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.

LG offers many unique Smart TV models which differ in features and functions from one market to another, so we ask for your patience and understanding as we look into this matter.

As for why this particular LG Smart TV is collecting data in the first place, DoctorBeet cites a corporate video aimed at potential advertising partners. The lengthy clip includes claims such as:

LG Smart Ad analyses users' favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.

The kind of data collection and serving of targeted ads is reminiscent of Tesco’s recent decision to use facial recognition for a similar purpose in its petrol forecourts.

Short of boycotting the UK’s most successful supermarket or wearing a balaclava there isn’t much consumers can do about that scheme.

Fortunately, owners of LG smart TVs can do something to protect their privacy though: at the end of his post DoctorBeet identifies 7 domains that he blocked via his router in order to prevent the collection of data and presentation of ads by his too-smart-by-far TV set.