Risk

11/22/2013
02:18 PM
50%
50%

LG Admits Smart TVs Spied On Users

LG admits it collected information on consumers' viewing habits, promises firmware update to honor opt-out requests.

South Korean multinational LG Electronics Thursday confirmed that its smart televisions can track what consumers are watching, and that they continue to do so even after consumers select a preference that purports to deactivate that tracking.

Viewing data -- including viewing duration, real-time tracking of the selected channel, and the names of all files stored on connected USB drives and network shares -- "is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching," according to a statement LG emailed to security researcher Graham Cluley.

LG promised to issue a firmware upgrade to honor consumers' opt-out preferences. It also promised to remove a feature that collected filenames and folder names on connected USB drives and network shares. "This feature, however, was never fully implemented and no personal data was ever collected or retained," said LG. "This feature will also be removed from affected LG Smart TVs with the firmware update."

[ Will Facebook's privacy tweaks never end? Here are some of the latest: 10 Most Misunderstood Facebook Privacy Facts. ]

Cluley criticized LG for failing to apologize for tracking its customers despite the company's claim that "our customers' privacy is a very important part of the Smart TV experience." He also criticized the company for creating a system that sent viewing data over the Internet in plaintext format, meaning that it could be easily intercepted. "I assume they're not sorry because they've passed up the opportunity to apologize to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks," Cluley said in a blog post.

Despite LG's promised firmware changes, consumers will likely be no wiser about how their viewing habits are being tracked or how they can stop that from happening. In addition, finding firmware updates that fix the always-on tracking problem will require users to manually check for firmware updates (menu >> network >> software updates) once they're available and ensure that the TV is connected to the network via an Ethernet cable, since LG's support site notes that wireless Internet connections are not reliable enough for firmware updates.

LG's data collection practices came to light Monday, after a security researcher known as DoctorBeet reported in a blog post that his LG smart TV was "logging USB filenames and viewing info to LG servers."

DoctorBeet started investigating what data his TV might be collecting after he found advertising displayed on its "smart" screen, along with a "creepy corporate video" -- which LC has since deleted -- that advertised LG's data collection practices to potential advertisers.

Buried in his TV's preferences menu DoctorBeet also found a "collection of watching info" setting, which was active by default. When that setting was active, it transmitted a unique device ID and name of the channel being watched. Every channel change triggered a signal to LG's servers, and overall viewing duration appeared to also be tracked. Furthermore, DoctorBeet found that the TV was also sending the names of all files that were stored on an external USB hard drive connected to the TV.

All that information continued to be transmitted even after turning the "collection of watching info" setting off, although the transmitted data did then include a special flag, meaning LG may have intended to discard the data.

One caveat, DoctorBeet noted, was that the URLs to which the TV tried to send data didn't appear to exist, because they resulted in HTTP 404 errors. "However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow," DoctorBeet explained, "enabling them to start transparently collecting detailed information on what media files you have stored."

DoctorBeet, who lives in Britain, emailed LG to ask why the company was insecurely collecting data on consumers' viewing habits and ignoring the opt-out setting. In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television.

DoctorBeet's finding were corroborated Thursday by a security researcher -- posting under the name Mark -- who found that his LG television was not only tracking his viewing habits but was also cataloging and sending the names of all folders and files on networks that had been shared with the device. He also noted what appeared to be regional firmware variations in LG devices, including no option on his smart TV to disable viewing data collection.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
11/22/2013 | 2:36:51 PM
Now all we need ...
Is to have an LG smart TV with a Kinect attached, and our TVs can not only track what we watch, they can watch us right back and report on whether we fell asleep during Letterman. Yikes.
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
11/22/2013 | 3:03:13 PM
Sheesh
"In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television."

I know LG isn't the only offender here; they were just sloppy enough to get caught. But good grief, could they have provided a worse answer?

Every reporter going to CES this year now know what to harass LG about. You think 4K or OLED or some new smart TV interface will be the headline topic, LG? Well, count on every article containing at least some reference to whether customers can expect their LG TVs to spy on them.

William Welsh published an article today in IW titled "Consumer Privacy Protections Need Review, GAO Tells Congress." The timing couldn't be more apropos.

 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 3:34:44 PM
Re: Sheesh
Terms and conditions for consumer electronics? Software really is eating the world. I look forward to licensing agreements for home furnishings and clothing.
Tom Murphy
50%
50%
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:54:43 PM
Re: Sheesh
Tom For T&Cs on that chair you're holding down, look for the little tag that starts "Do not remove this tag under penalty of law."  Packing materials for most chairs are also full of conditions that warn you about leaning too far back, stand on it, or do most of the other things that we all do once in a while.

 I have a ladder that warns me not to stand on the top two steps. Well, why do they have steps there?
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 4:07:14 PM
Re: Sheesh
> look for the little tag that starts "Do not remove this tag under penalty of law."

That becomes worrisome when you add technology: With some wires, the right chip, and a power source, the removal of a tag could broadcast a message and prompt enforcement. As a simple printed warning, it's more silly than troubling.
jwaters974
50%
50%
jwaters974,
User Rank: Apprentice
11/22/2013 | 8:00:13 PM
easy solution -
don't buy LG products period
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/22/2013 | 10:48:38 PM
Re: Sheesh
@Tom: The second-to-top step is for your paint can and tools.  The top step is for your beer.  ;)
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 9:16:10 AM
Re: Sheesh
YouTube has been doing the same thing but we don't mind. And at times I have even liked it when YouTube sends me an ad to watch a 23 minute long TED Talk video in order to watch a 3 minute video that I have selected, even with the skip button I have watched their 23 minute advertisement.

I think the problem is that Smart TVs should not try to do things that the internet does, at least not at the same pace, and definitely Smart TVs should not rob my USB file names, that's something a legitimate internet company does not ever dream of doing.

So we watch YouTube and YouTube watches us, likewise we watch television and the television watches us , ok I can live with that but only if LG's Smart TVs are cheaper then say Samsung's Smart TVs.
FFrancisco
50%
50%
FFrancisco,
User Rank: Apprentice
11/23/2013 | 10:20:18 AM
Re: Sheesh
Any product that "makes recommendation based on users previous viewing preferences " is saving that info on a server somwhere. So Smart TV's as well as services are collecting data so they can provide the content the user is requesting. And yes, LG Smart TV's are considerably less expensive than Samsung Smart TV's.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 11:16:00 AM
Re: Sheesh
FFrancisco, yes you are right in that any service that makes recommendation is going to either have primary information or secondary information about a user.

But your last line is confusing me, yes LG and Samsung is there but then there is also Sony, Toshiba, Panasonic and not to mention so many others. Making a comparison between Classes might be possible if we isolate any two brands, but here both brands do not even have simpler Classes, and if we get into features, aesthetic design, picture quality, user interface and remote controls then it will all mount to preference.

The kind of benefits that data can provide would make a product so cheap that either everyone would be using the techniques or that the firm that is the only one using it would be at the top however, even with Samsung being the top 4 entries in a refined search that only lists LG/Samsung and Smart TV it would be unfair to say that Samsung is considerably less expensive because even the Classes do not match.   
Page 1 / 2   >   >>
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...