More like this

Security

Samsung's spying smart TVs don't encrypt voice recordings sent over the internet – new claim

They only listen with permission but blab everything in the clear

Updated Not only is your Samsung smart TV snooping on what you say, it sends recordings of your voice over the internet unencrypted – leaving it open to eavesdropping and mischief – security researchers say.

Samsung insisted last week that its TV voice-control technology isn't half as creepy as its terms and conditions suggested. But findings by security consultancy Pen Test Partners will renew fears of smart gizmos riding roughshod over your privacy.

Modern Samsung smart TVs can be controlled by voice: just speak, and a builtin microphone will hear you. You start a command by saying a phrase, such as "Hi TV”. This causes the television to listen in for more, and then – as the terms and conditions state – your voice, and whatever else is going on around you, is recorded and transmitted over the internet for processing.

This has been the case for some time: it was flagged up last year, but only this month has word spread across the world.

David Lodge, of Pen Test Partners, borrowed a Samsung smart TV and used network inspection tool Wireshark to examine the data coming out of the set to the wider internet; he has good and bad news.

The telly only records what’s said in front of it after the wake-up command, such as "Hi TV", is spoken – so it's not recording all the time. This could change in a future firmware update, Lodge points out, but for now this is reassuring.

However, recorded voice commands are sometimes sent as encoded audio to an outside organization for processing – this applies to any commands more complex than, say, changing the volume. For example, spoken web search requests are piped to a company called Nuance to analyze and turn into query results sent back to the TVs.

A specific server receives data from the televisions in plaintext, and replies with unencrypted responses; for those itching to firewall off access, it is:

av.nvc.enGB.nuancemobility.net     208.94.122.45

The information is sent over port 443, normally used for TLS-secured HTTPS connections and typically not firewalled off. The stream is not encrypted, Lodge said. This allows a man-in-the-middle in the network to eavesdrop on the data and tamper with it.

Intercepted data from the smart TV ... Credit: Pen Test Partners

“What we see here is not SSL encrypted data,” Lodge explains in a blog post revealing traffic snippets and analysis. “It’s not even HTTP data, it's a mix of XML and some custom binary data packet.”

Information transmitted includes plenty of information about the TV including its MAC address and the version of the OS in use, as well as the audio; the processing server sends back a transcript of what was said, also in plaintext.

Lodge points out this opens the door to possible on-the-fly mischief making: spoken commands could be swapped for others, and web search results could be altered, maliciously, for instance.

The lack of encryption means that, even as things stand, plenty of sensitive data generated by smart TVs is making its way onto the internet.

Lodge concludes: “Based on the limited information leaked above in plaintext, there’s plenty to suggest that interesting data is making its way on to the interwebs from your TV. Come on Samsung, how about at least protecting it with SSL?”

Ken Munro, of Pen Test Partners, told The Register that since publishing the blog, its security researchers had been able to decode the encoded voice audio, allowing them to replay what the hi-tech telly overheard.

“So it does kinda spy on you, but then leaks the spied data on to the public internet,” Munro told El Reg. “The critical point about this is that Samsung haven’t encrypted the traffic.”

Nuance was not available for immediate comment. ®

Update

Since the publication of this story, Samsung has been in touch to say:

Samsung takes consumer privacy very seriously and our products are designed with privacy in mind. Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models.

Sponsored: The world has changed, has your IAM strategy?