Sophos Cloud Optix
Last year we wrote about a security hole in Samsung TVs which could have allowed hackers to get in to your television, watch you, change channels and plant malware.
Now, a UK blogger, known only as ‘DoctorBeet‘, has apparently discovered that his LG Smart TV has actually been sending data about his family’s viewing habits back to the South Korean manufacturer.
After some investigation he found that his Smart TV would send data back to LG, even after he disabled an option in the system settings menu called “Collection of watching info.”
He said that his LG set, model number LG 42LN575V, connects to a non-functional URL with details of the times and channels being watched.
Worse still, he also discovered that the filenames of some media on a USB device connected to the TV were also transmitted, saying that:
My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.
This discovery prompted DoctorBeet to create a mock video file which he transferred to a USB stick. He deliberately chose a filename – Midget_Porn_2013.avi – that couldn’t possibly be confused with the TV set’s firmware. After connecting the USB drive to his TV he later found that the filename had been transmitted in an unencrypted format to GB.smartshare.lgtvsdp.com.
Strangely, not all filenames belonging to media on USB devices were transmitted:
Sometimes the names of the contents of an entire folder was posted, other times nothing was sent. I couldn't determine what rules controlled this.
He did stress, however, that the URL to which the data is being sent returned HTTP 404 errors which could mean that LG’s servers may not have logged any personal information. Although that isn’t necessarily the case, as one commentator on DoctorBeet’s blog posting pointed out:
Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs - collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.
DoctorBeet himself said that the current 404 status of the URL could mean very little:
However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.
It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites.
According to DoctorBeet, LG was somewhat dismissive of his concerns when he brought them up in a letter.
In an emailed reply the company simply said that, as he had accepted the Terms and Conditions on his TV, it wasn’t really its problem. LG suggested that he take up the issue with the retailer who sold him the set.
LG spoke to the BBC, saying that the company is looking into the complaint:
Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously
We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.
LG offers many unique Smart TV models which differ in features and functions from one market to another, so we ask for your patience and understanding as we look into this matter.
As for why this particular LG Smart TV is collecting data in the first place, DoctorBeet cites a corporate video aimed at potential advertising partners. The lengthy clip includes claims such as:
LG Smart Ad analyses users' favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
The kind of data collection and serving of targeted ads is reminiscent of Tesco’s recent decision to use facial recognition for a similar purpose in its petrol forecourts.
Short of boycotting the UK’s most successful supermarket or wearing a balaclava there isn’t much consumers can do about that scheme.
Fortunately, owners of LG smart TVs can do something to protect their privacy though: at the end of his post DoctorBeet identifies 7 domains that he blocked via his router in order to prevent the collection of data and presentation of ads by his too-smart-by-far TV set.
Disconnect the TV from the Internet.
That means disconnecting from cable as well?
LG need to look at the laws concerning Privacy especially in the UK. I am sure someone somewhere will be very unhappy about their data being collected and will more than possibly sue LG. I am sure LG do not want a law suit against them
I’m glad you added the part that he blocked the IP’s via his router. That’s what I was thinking when I started reading the story. I agree, many manufacturers need to wise up about how people want to be tracked, even if it’s anonymous.
Jack
Using a TiVo should throw them off. By coming in through the Inputs, they can’t record channel.
That’s funny that one of the tags for the article is the midget porn avi file. On a serious note, has anyone read the terms and conditions on the smart tvs? Do they all have a sneaky terms that they can collect data?
“top priority… we take this issue very seriously”
We seem to hear those phrases rather frequently these days.
How do you resolve and URL with comma in it, GB.smartshare,lgtvsdp.com? The article states that the server returned 404, but I can’t even find the server.
Fixed, thanks.
The comma should be a dot – *that* server definitely exists:
$ wget -S GB.smartshare.lgtvsdp.com/
Connecting to gb.smartshare.lgtvsdp.com (gb.smartshare.lgtvsdp.com)|193.67.216.135|:80… connected.
HTTP request sent, awaiting response…
HTTP/1.1 200 OK
Content-Length: 520
…
Wow this is a good find, I have an LG TV, I wonder if other smart TV’s are sffected? Blocking IP’s is a good idea, that’s my Saturday afternoon task sorted.
Blocking IPAs (or URLs)? Surely, that’s a moving target. New collection servers can be specified at any time, either over a channel you’ve yet to block, or as part of a firmware update.
What we need is a firewall that downloads a block list, frequently updated by a dedicated team of researchers, or an ISP that will provide similar filtering for its customers.
Maybe one day, however, we’ll be able to buy our consumer electronics from large companies that are actually trustworthy. Perhaps they will be regulated by a government we can trust. OK let me dream.