02:18 PM

LG Admits Smart TVs Spied On Users

LG admits it collected information on consumers' viewing habits, promises firmware update to honor opt-out requests.

South Korean multinational LG Electronics Thursday confirmed that its smart televisions can track what consumers are watching, and that they continue to do so even after consumers select a preference that purports to deactivate that tracking.

Viewing data -- including viewing duration, real-time tracking of the selected channel, and the names of all files stored on connected USB drives and network shares -- "is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching," according to a statement LG emailed to security researcher Graham Cluley.

LG promised to issue a firmware upgrade to honor consumers' opt-out preferences. It also promised to remove a feature that collected filenames and folder names on connected USB drives and network shares. "This feature, however, was never fully implemented and no personal data was ever collected or retained," said LG. "This feature will also be removed from affected LG Smart TVs with the firmware update."

[ Will Facebook's privacy tweaks never end? Here are some of the latest: 10 Most Misunderstood Facebook Privacy Facts. ]

Cluley criticized LG for failing to apologize for tracking its customers despite the company's claim that "our customers' privacy is a very important part of the Smart TV experience." He also criticized the company for creating a system that sent viewing data over the Internet in plaintext format, meaning that it could be easily intercepted. "I assume they're not sorry because they've passed up the opportunity to apologize to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks," Cluley said in a blog post.

Despite LG's promised firmware changes, consumers will likely be no wiser about how their viewing habits are being tracked or how they can stop that from happening. In addition, finding firmware updates that fix the always-on tracking problem will require users to manually check for firmware updates (menu >> network >> software updates) once they're available and ensure that the TV is connected to the network via an Ethernet cable, since LG's support site notes that wireless Internet connections are not reliable enough for firmware updates.

LG's data collection practices came to light Monday, after a security researcher known as DoctorBeet reported in a blog post that his LG smart TV was "logging USB filenames and viewing info to LG servers."

DoctorBeet started investigating what data his TV might be collecting after he found advertising displayed on its "smart" screen, along with a "creepy corporate video" -- which LC has since deleted -- that advertised LG's data collection practices to potential advertisers.

Buried in his TV's preferences menu DoctorBeet also found a "collection of watching info" setting, which was active by default. When that setting was active, it transmitted a unique device ID and name of the channel being watched. Every channel change triggered a signal to LG's servers, and overall viewing duration appeared to also be tracked. Furthermore, DoctorBeet found that the TV was also sending the names of all files that were stored on an external USB hard drive connected to the TV.

All that information continued to be transmitted even after turning the "collection of watching info" setting off, although the transmitted data did then include a special flag, meaning LG may have intended to discard the data.

One caveat, DoctorBeet noted, was that the URLs to which the TV tried to send data didn't appear to exist, because they resulted in HTTP 404 errors. "However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow," DoctorBeet explained, "enabling them to start transparently collecting detailed information on what media files you have stored."

DoctorBeet, who lives in Britain, emailed LG to ask why the company was insecurely collecting data on consumers' viewing habits and ignoring the opt-out setting. In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television.

DoctorBeet's finding were corroborated Thursday by a security researcher -- posting under the name Mark -- who found that his LG television was not only tracking his viewing habits but was also cataloging and sending the names of all folders and files on networks that had been shared with the device. He also noted what appeared to be regional firmware variations in LG devices, including no option on his smart TV to disable viewing data collection.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 4:07:14 PM
Re: Sheesh
> look for the little tag that starts "Do not remove this tag under penalty of law."

That becomes worrisome when you add technology: With some wires, the right chip, and a power source, the removal of a tag could broadcast a message and prompt enforcement. As a simple printed warning, it's more silly than troubling.
Tom Murphy
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:54:43 PM
Re: Sheesh
Tom For T&Cs on that chair you're holding down, look for the little tag that starts "Do not remove this tag under penalty of law."  Packing materials for most chairs are also full of conditions that warn you about leaning too far back, stand on it, or do most of the other things that we all do once in a while.

 I have a ladder that warns me not to stand on the top two steps. Well, why do they have steps there?
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 3:34:44 PM
Re: Sheesh
Terms and conditions for consumer electronics? Software really is eating the world. I look forward to licensing agreements for home furnishings and clothing.
Michael Endler
Michael Endler,
User Rank: Apprentice
11/22/2013 | 3:03:13 PM
"In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television."

I know LG isn't the only offender here; they were just sloppy enough to get caught. But good grief, could they have provided a worse answer?

Every reporter going to CES this year now know what to harass LG about. You think 4K or OLED or some new smart TV interface will be the headline topic, LG? Well, count on every article containing at least some reference to whether customers can expect their LG TVs to spy on them.

William Welsh published an article today in IW titled "Consumer Privacy Protections Need Review, GAO Tells Congress." The timing couldn't be more apropos.

Lorna Garey
Lorna Garey,
User Rank: Ninja
11/22/2013 | 2:36:51 PM
Now all we need ...
Is to have an LG smart TV with a Kinect attached, and our TVs can not only track what we watch, they can watch us right back and report on whether we fell asleep during Letterman. Yikes.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.