Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

LG Admits Smart TVs Spied On Users

LG admits it collected information on consumers' viewing habits, promises firmware update to honor opt-out requests.

South Korean multinational LG Electronics Thursday confirmed that its smart televisions can track what consumers are watching, and that they continue to do so even after consumers select a preference that purports to deactivate that tracking.

Viewing data -- including viewing duration, real-time tracking of the selected channel, and the names of all files stored on connected USB drives and network shares -- "is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching," according to a statement LG emailed to security researcher Graham Cluley.

LG promised to issue a firmware upgrade to honor consumers' opt-out preferences. It also promised to remove a feature that collected filenames and folder names on connected USB drives and network shares. "This feature, however, was never fully implemented and no personal data was ever collected or retained," said LG. "This feature will also be removed from affected LG Smart TVs with the firmware update."

[ Will Facebook's privacy tweaks never end? Here are some of the latest: 10 Most Misunderstood Facebook Privacy Facts. ]

Cluley criticized LG for failing to apologize for tracking its customers despite the company's claim that "our customers' privacy is a very important part of the Smart TV experience." He also criticized the company for creating a system that sent viewing data over the Internet in plaintext format, meaning that it could be easily intercepted. "I assume they're not sorry because they've passed up the opportunity to apologize to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks," Cluley said in a blog post.

Despite LG's promised firmware changes, consumers will likely be no wiser about how their viewing habits are being tracked or how they can stop that from happening. In addition, finding firmware updates that fix the always-on tracking problem will require users to manually check for firmware updates (menu >> network >> software updates) once they're available and ensure that the TV is connected to the network via an Ethernet cable, since LG's support site notes that wireless Internet connections are not reliable enough for firmware updates.

LG's data collection practices came to light Monday, after a security researcher known as DoctorBeet reported in a blog post that his LG smart TV was "logging USB filenames and viewing info to LG servers."

DoctorBeet started investigating what data his TV might be collecting after he found advertising displayed on its "smart" screen, along with a "creepy corporate video" -- which LC has since deleted -- that advertised LG's data collection practices to potential advertisers.

Buried in his TV's preferences menu DoctorBeet also found a "collection of watching info" setting, which was active by default. When that setting was active, it transmitted a unique device ID and name of the channel being watched. Every channel change triggered a signal to LG's servers, and overall viewing duration appeared to also be tracked. Furthermore, DoctorBeet found that the TV was also sending the names of all files that were stored on an external USB hard drive connected to the TV.

All that information continued to be transmitted even after turning the "collection of watching info" setting off, although the transmitted data did then include a special flag, meaning LG may have intended to discard the data.

One caveat, DoctorBeet noted, was that the URLs to which the TV tried to send data didn't appear to exist, because they resulted in HTTP 404 errors. "However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow," DoctorBeet explained, "enabling them to start transparently collecting detailed information on what media files you have stored."

DoctorBeet, who lives in Britain, emailed LG to ask why the company was insecurely collecting data on consumers' viewing habits and ignoring the opt-out setting. In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television.

DoctorBeet's finding were corroborated Thursday by a security researcher -- posting under the name Mark -- who found that his LG television was not only tracking his viewing habits but was also cataloging and sending the names of all folders and files on networks that had been shared with the device. He also noted what appeared to be regional firmware variations in LG devices, including no option on his smart TV to disable viewing data collection.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
11/22/2013 | 2:36:51 PM
Now all we need ...
Is to have an LG smart TV with a Kinect attached, and our TVs can not only track what we watch, they can watch us right back and report on whether we fell asleep during Letterman. Yikes.
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
11/22/2013 | 3:03:13 PM
Sheesh
"In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television."

I know LG isn't the only offender here; they were just sloppy enough to get caught. But good grief, could they have provided a worse answer?

Every reporter going to CES this year now know what to harass LG about. You think 4K or OLED or some new smart TV interface will be the headline topic, LG? Well, count on every article containing at least some reference to whether customers can expect their LG TVs to spy on them.

William Welsh published an article today in IW titled "Consumer Privacy Protections Need Review, GAO Tells Congress." The timing couldn't be more apropos.

 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 3:34:44 PM
Re: Sheesh
Terms and conditions for consumer electronics? Software really is eating the world. I look forward to licensing agreements for home furnishings and clothing.
Tom Murphy
50%
50%
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:54:43 PM
Re: Sheesh
Tom For T&Cs on that chair you're holding down, look for the little tag that starts "Do not remove this tag under penalty of law."  Packing materials for most chairs are also full of conditions that warn you about leaning too far back, stand on it, or do most of the other things that we all do once in a while.

 I have a ladder that warns me not to stand on the top two steps. Well, why do they have steps there?
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 4:07:14 PM
Re: Sheesh
> look for the little tag that starts "Do not remove this tag under penalty of law."

That becomes worrisome when you add technology: With some wires, the right chip, and a power source, the removal of a tag could broadcast a message and prompt enforcement. As a simple printed warning, it's more silly than troubling.
jwaters974
50%
50%
jwaters974,
User Rank: Apprentice
11/22/2013 | 8:00:13 PM
easy solution -
don't buy LG products period
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/22/2013 | 10:48:38 PM
Re: Sheesh
@Tom: The second-to-top step is for your paint can and tools.  The top step is for your beer.  ;)
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 9:16:10 AM
Re: Sheesh
YouTube has been doing the same thing but we don't mind. And at times I have even liked it when YouTube sends me an ad to watch a 23 minute long TED Talk video in order to watch a 3 minute video that I have selected, even with the skip button I have watched their 23 minute advertisement.

I think the problem is that Smart TVs should not try to do things that the internet does, at least not at the same pace, and definitely Smart TVs should not rob my USB file names, that's something a legitimate internet company does not ever dream of doing.

So we watch YouTube and YouTube watches us, likewise we watch television and the television watches us , ok I can live with that but only if LG's Smart TVs are cheaper then say Samsung's Smart TVs.
FFrancisco
50%
50%
FFrancisco,
User Rank: Apprentice
11/23/2013 | 10:20:18 AM
Re: Sheesh
Any product that "makes recommendation based on users previous viewing preferences " is saving that info on a server somwhere. So Smart TV's as well as services are collecting data so they can provide the content the user is requesting. And yes, LG Smart TV's are considerably less expensive than Samsung Smart TV's.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 11:16:00 AM
Re: Sheesh
FFrancisco, yes you are right in that any service that makes recommendation is going to either have primary information or secondary information about a user.

But your last line is confusing me, yes LG and Samsung is there but then there is also Sony, Toshiba, Panasonic and not to mention so many others. Making a comparison between Classes might be possible if we isolate any two brands, but here both brands do not even have simpler Classes, and if we get into features, aesthetic design, picture quality, user interface and remote controls then it will all mount to preference.

The kind of benefits that data can provide would make a product so cheap that either everyone would be using the techniques or that the firm that is the only one using it would be at the top however, even with Samsung being the top 4 entries in a refined search that only lists LG/Samsung and Smart TV it would be unfair to say that Samsung is considerably less expensive because even the Classes do not match.   
Page 1 / 2   >   >>
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.