Millions of smart TVs from Samsung and some streaming devices from Roku recently were found to be vulnerable to cyberattacks, allowing intruders to take control and remotely change channels and volume settings, among other things, according to Consumer Reports research.
Vulnerabilities were discovered not only in Samsung televisions, but also in TVs from TCL and other brands that sell sets compatible with the Roku TV smart-TV platform and streaming video devices such as Roku Ultra, according to the report.
Further, the affected televisions and devices collect a wide range of personal data, Consumer Reports noted, and users who choose to limit that data collection would risk limiting the functionality of the TV.
The report is based on a wide ranging security and privacy review of major brands, including Vizio, LG and Sony.
This review was the first conducted as part of Consumer Reports’ new Digital Standard, which is an effort among several nonprofits, including the Cyber Independent Testing Lab and Aspiration, to help set standards for the way electronics makers handle digital rights, cybersecurity and privacy issues.
The vulnerability Consumer Reports detected in Samsung TVs did not allow testers to extract data from the affected device or monitor what was playing, said spokesperson James McQueen.
Televisions from other makers using the Roku TV platform also were vulnerable to attack, he told TechNewsWorld.
This is not the first time an unsecured API has been found to be problematic, McQueen said, noting that this issue has been discussed in forums since 2015.
Further legislative action is needed to protect the integrity of consumer data, according to Consumers Union, the advocacy arm of Consumer Reports .
“Congress needs to pass data security standards for connected products, and federal regulators need to step up and hold companies accountable for privacy, security and safety of these products,” argued Justin Brookman, director of consumer privacy and technology policy at Consumers Union.
Protecting consumer data is one of our top priorities,” Samsung said in a statement provided to TechNewsWorld by spokesperson Zach Dugan. “Samsung’s privacy practices are specifically designed to keep the personal information of consumers secure.”
Samsung’s Smart TVs include “a number of features that combine data security with the best possible user experience,” the company said.
Before it collects any information on consumers, Samsung always asks for their consent, according to the statement, and it makes “every effort to ensure that data is handled with the utmost care.”
Samsung has reached out to Consumer Reports and is looking into the specific points made regarding its smart televisions, it said.
The Consumer Reports findings are a “mischaracterization of a feature,” Gary Ellison, vice president for trust engineering at Roku, maintained in an online post.
Roku wanted “to assure our customers that there is no security risk,” he added.
Roku allows third-party developers to create remote controls, Ellison pointed out.
The technology is derived from an open interface that the company designed and published itself, and there is no risk to consumers or to the Roku platform using the API, he explained. Consumers can turn off the feature by clicking Settings>System>Advanced System Settings>External Control>Disabled.
As for the Automated Content Recognition, Roku ensures that consumers have to opt in to get the feature, Ellison said, and it is not on by default. Consumers can undo the feature by clicking on Settings>Privacy>Smart TV experience>Use info from TV inputs.
Security has been a growing concern with the increased use of smart television and video streaming devices, observed Brett Sappington, director of research at Parks Associates.
“For many years, there was no reason to hack a television or a smart streaming media player,” he told TechNewsWorld.
It was only with the advent of subscription-based video services and transactional video that you started to see financial data, like credit card numbers, get stored online, Sappington noted.
Roku is at the top of the food chain among U.S. streaming video makers. The company controlled 37 percent of the domestic market as of the first quarter 2017, up from about one-third of the market in the same period in 2016, Parks reported last summer. In the global market, Roku is second to Apple, because Apple operates in market across the world with many devices.
Sixty-nine percent of new televisions sold have Internet functionality that helps them operate as smart entertainment devices, Consumer Reports noted, citing data from IHS Markit.
Adding security and privacy to the menu of consumer product issues it evaluates was a great move on the part of Consumer Reports, as the use of smart devices in the home is rapidly expanding, said Mark Nunnikhoven, vice president, cloud research at Trend Micro.
“The issue with the Samsung, Roku and other devices is a simple and, unfortunately, common one,” he told TechNewsWorld. “An API that blindly trusts anyone calling it, or — slightly better — a broken authentication scheme.”
Trend Micro has seen similar problems in other devices, Nunnikhoven said, most recently with smart speakers from Bose and Sonos, which compete against Google Home and Amazon Echo at the top end, targeting the audiophile market.
These devices were designed with the idea that the network they would connect to would be secure — but home and corporate networks often are not secure, he pointed out. “I wouldn’t consider this a hack, but a flawed design.”
These issues don’t pose a direct threat to consumer privacy, but they are symptomatic of a deeper issue, which is a failure to build security and privacy protocols into the fabric of the technology, Nunnikhoven said, and the entire tech community needs to do a better job of addressing that challenge.