Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws.

The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio.

The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality—and know the right buttons to click and settings to look for. (See below for more information.)

Data Collection in the Living Room

This is the first time Consumer Reports has carried out a test based on our new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights.

The goal is to educate consumers on their privacy and security options and to influence manufacturers to take these concerns into consideration when developing their products.

"The Digital Standard can be used to evaluate many products that collect data and connect to the internet," says Maria Rerecich, who oversees electronics testing at Consumer Reports. "But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners."

Smart TVs represent the lion's share of new televisions. According to market research firm IHS Markit, 69 percent of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018. Eighty-two million of these sets have already found their way to consumers.

Internet connectivity brings a lot of appealing functionality to modern televisions—including the ability to stream content through popular apps such as Hulu and Netflix, as well as to find content quickly using voice commands.

But that functionality comes with substantial data collection. Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers. For instance, if you're watching a particular sports event, you could see an online advertisement from a brand interested in reaching fans of that sport.

In 2017 Vizio got in trouble with federal and state regulators for collecting this kind of data without users' knowledge or consent. The company settled with the Federal Trade Commission for $1.5 million and the state of New Jersey for $700,000. The FTC has now made it clear that companies need your permission before collecting viewing data—but consumers may not understand the details, says Justin Brookman, director of privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

"For years, consumers have had their behavior tracked when they're online or using their smartphones," Brookman says. "But I don't think a lot of people expect their television to be watching what they do."

And manufacturers are aiming to make smart TVs the centerpiece of consumers' increasingly connected homes. Companies such as LG and Samsung have recently shown off sets with built-in digital assistants that let you control other smart-home devices ranging from thermostats to security cameras to washing machines to smart speakers.

In a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51 percent were at least somewhat worried about the privacy implications of smart TVs and 62 percent were at least somewhat worried about the sets' security practices.  

What We Tested

We purchased five smart TVs from the most widely sold TV brands in the U.S. As we do for all products involved in CR's testing program, we bought our samples through regular retail outlets.

Each set we bought used a different smart-TV platform.

Two of these were proprietary platforms. The Samsung UN49MU8000 incorporates the company's Tizen system, and the LG 49UJ7700 uses LG's webOS system.

The other sets make use of smart-TV platforms that are incorporated into multiple brands. The TCL 55P605 uses the Roku platform, which is also found in Hisense, Insignia, and other brands.

The Sony XBR-49X800E uses a version of Google's Android TV, a platform also found in sets from LeEco and Sharp. And the Vizio P55-E1 SmartCast TV we tested uses Chromecast, another Google platform.

We didn't incorporate our privacy and security findings into the Consumer Reports ratings of these televisions, and all these sets except the TCL are recommended models. But Consumer Reports is planning to include privacy and security test results in a number of products' Overall Scores in the future.

For our security assessment we worked with engineers at Disconnect, which makes privacy-enhancing software for consumers and is one of CR's partners in developing the Digital Standard. We conducted our privacy investigation in collaboration with both Disconnect and Ranking Digital Rights, another of our Digital Standard partners. (Like most websites, ConsumerReports.org collects user data. You can get the details on our privacy policy and our approach to privacy, including our policy positions, here.)

Samsung, Roku Smart TVs were vulnerable to hacking in CR testing, as demonstrated by a tester in our TV lab.
Consumer Reports found that Samsung and Roku Smart TVs were vulnerable to hacking through a web-based attack.
Photo: Michael A. Smith

What We Found: Security

Our security testing focused on whether basic security practices were being followed in the design of each television's software. "We were just looking for good security practices," Rerecich says. "Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing."

We discovered flaws in sets from TCL and Samsung.

They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.

The exploits didn't let us extract information from the sets or monitor what was playing. The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn't know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.

The TCL vulnerability applies to devices running the Roku TV platform—including sets from other companies such Hisense, Hitachi, Insignia, Philips, RCA, and Sharp—as well as some of Roku's own streaming media players, such as the Ultra.

The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. "Roku devices have a totally unsecured remote control API enabled by default," says Eason Goodale, Disconnect's lead engineer. "This means that even extremely unsophisticated hackers can take control of Rokus. It's less of a locked door and more of a see-through curtain next to a neon ‘We're open!' sign."

And, it turned out we weren't the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.

TCL referred us to Roku for questions about data collection and this vulnerability. A Roku spokeswoman said via email, "There is no security risk to our customers' accounts or the Roku platform with the use of this API," and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku's own app. 

The Samsung vulnerability was harder to spot, and it could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device. "Samsung smart TVs attempt to ensure that only authorized applications can control the television," Goodale of Disconnect says. "Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It's as though once you unlocked your door, the door would never lock again."

In an emailed statement, Samsung said, "We appreciate Consumer Reports' alerting us to their potential concern," and that the company was still evaluating the issue. The company also said it would update the API to address other, less severe problems related to data security that CR uncovered. Those changes "will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible," the spokesman said.

LG TV user agreements.
During setup, many smart TVs, such as this LG model, ask you to agree to a broad range of data collection.
Photo: Michael A. Smith

What We Found: Privacy

Every smart TV we evaluated asked for permission to collect viewing data and other kinds of information.

But we found that it's not always easy to understand what you're agreeing to as you proceed through the setup process. And if you decline permissions, you can lose a surprising amount of functionality. In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

Here are some of the key findings.

Oversharing by design. Race through your TV's setup, agreeing to everything, and a constant stream of viewing data will be collected through automatic content recognition. The technology identifies every show you play on the TV—including cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs—and sends the data to the TV maker or one of its business partners, or both.

ACR helps the TV recommend other shows you might want to watch. But it's also used for targeting ads to you and your family, and for other marketing purposes. And you can't easily review or delete this data later.

Your data or your internet. You can limit data collection, but you'll lose functionality. Specifically, if you pay close attention, you can turn off ACR monitoring while still agreeing to a set's basic privacy policy. But that may keep you from getting recommendations ("You liked ‘Westworld.' Have you checked out ‘Godless'?") And even the basic privacy policies may ask for the right to collect information on your location, which streaming apps you click on, and more.

If you say no to these basic policies, the sets revert to old-fashioned dumb TVs: You can hook up a cable box or an antenna, but you won't be able to stream anything from Amazon, Netflix, or other web-based services.

All-or-nothing privacy policy. The Sony television was the only one that required you to agree to a privacy policy and terms of service to complete the setup of the TV.

The set uses Google's Android TV platform, and consumers have to click yes to Google agreements, even if they don't plan to connect to the internet. That could be a frustrating thing to discover only after you'd bought the big-screen TV at the store, lugged it home, and maybe mounted it to a wall. Even though you can't skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology.

And, Sony said in an emailed statement, "If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals."  

What Consumers Can Do

You could just buy an old-fashioned "dumb" TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports' ratings, only 16 aren't smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

If you do buy a new smart TV, decide whether you want to block the collection of viewing data. If so, pay close attention during setup. There, you can agree to the basic privacy policy and terms of service—which still triggers a significant amount of data collection—while declining ACR.

And, if you already have a smart TV but would like to restrict data collection, you can do the following:

Reset the TV to factory settings. Then, as you go through the setup process, say yes to the most basic privacy policies and terms of service but don't agree to the collection of viewing data.

Turn off ACR using the settings. These settings are typically buried three or four menus deep—but we've compiled directions for you. "And," Brookman says, "if you can't figure it out, call customer support and make them walk you through it." That will have the added benefit of letting companies know that you care about your privacy.

Turn off the TV's WiFi connection. Do this, though, and you essentially don't have a smart TV anymore. You'll need to add a separate streaming media device to get web-based content. And, you won't be surprised to hear, those devices may have their own expansive data collection practices.

 

Editor's Note: An earlier version of this story incorrectly stated that Vizio settled a case about consumer viewing data with the FTC for $1.5 million and the state of New Jersey for $2.2 million. The settlement with New Jersey was for $700,000.

Smart TVs: Is Your TV Watching You?

Is your smart TV watching you? On the 'Consumer 101' TV show, Jack Rico, learns from a Consumer Reports' expert how you can turn off the data collection features on your television.