Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


LG Admits Smart TVs Spied On Users

LG admits it collected information on consumers' viewing habits, promises firmware update to honor opt-out requests.

South Korean multinational LG Electronics Thursday confirmed that its smart televisions can track what consumers are watching, and that they continue to do so even after consumers select a preference that purports to deactivate that tracking.

Viewing data -- including viewing duration, real-time tracking of the selected channel, and the names of all files stored on connected USB drives and network shares -- "is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching," according to a statement LG emailed to security researcher Graham Cluley.

LG promised to issue a firmware upgrade to honor consumers' opt-out preferences. It also promised to remove a feature that collected filenames and folder names on connected USB drives and network shares. "This feature, however, was never fully implemented and no personal data was ever collected or retained," said LG. "This feature will also be removed from affected LG Smart TVs with the firmware update."

[ Will Facebook's privacy tweaks never end? Here are some of the latest: 10 Most Misunderstood Facebook Privacy Facts. ]

Cluley criticized LG for failing to apologize for tracking its customers despite the company's claim that "our customers' privacy is a very important part of the Smart TV experience." He also criticized the company for creating a system that sent viewing data over the Internet in plaintext format, meaning that it could be easily intercepted. "I assume they're not sorry because they've passed up the opportunity to apologize to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks," Cluley said in a blog post.

Despite LG's promised firmware changes, consumers will likely be no wiser about how their viewing habits are being tracked or how they can stop that from happening. In addition, finding firmware updates that fix the always-on tracking problem will require users to manually check for firmware updates (menu >> network >> software updates) once they're available and ensure that the TV is connected to the network via an Ethernet cable, since LG's support site notes that wireless Internet connections are not reliable enough for firmware updates.

LG's data collection practices came to light Monday, after a security researcher known as DoctorBeet reported in a blog post that his LG smart TV was "logging USB filenames and viewing info to LG servers."

DoctorBeet started investigating what data his TV might be collecting after he found advertising displayed on its "smart" screen, along with a "creepy corporate video" -- which LC has since deleted -- that advertised LG's data collection practices to potential advertisers.

Buried in his TV's preferences menu DoctorBeet also found a "collection of watching info" setting, which was active by default. When that setting was active, it transmitted a unique device ID and name of the channel being watched. Every channel change triggered a signal to LG's servers, and overall viewing duration appeared to also be tracked. Furthermore, DoctorBeet found that the TV was also sending the names of all files that were stored on an external USB hard drive connected to the TV.

All that information continued to be transmitted even after turning the "collection of watching info" setting off, although the transmitted data did then include a special flag, meaning LG may have intended to discard the data.

One caveat, DoctorBeet noted, was that the URLs to which the TV tried to send data didn't appear to exist, because they resulted in HTTP 404 errors. "However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow," DoctorBeet explained, "enabling them to start transparently collecting detailed information on what media files you have stored."

DoctorBeet, who lives in Britain, emailed LG to ask why the company was insecurely collecting data on consumers' viewing habits and ignoring the opt-out setting. In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television.

DoctorBeet's finding were corroborated Thursday by a security researcher -- posting under the name Mark -- who found that his LG television was not only tracking his viewing habits but was also cataloging and sending the names of all folders and files on networks that had been shared with the device. He also noted what appeared to be regional firmware variations in LG devices, including no option on his smart TV to disable viewing data collection.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 4:07:14 PM
Re: Sheesh
> look for the little tag that starts "Do not remove this tag under penalty of law."

That becomes worrisome when you add technology: With some wires, the right chip, and a power source, the removal of a tag could broadcast a message and prompt enforcement. As a simple printed warning, it's more silly than troubling.
Tom Murphy
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:54:43 PM
Re: Sheesh
Tom For T&Cs on that chair you're holding down, look for the little tag that starts "Do not remove this tag under penalty of law."  Packing materials for most chairs are also full of conditions that warn you about leaning too far back, stand on it, or do most of the other things that we all do once in a while.

 I have a ladder that warns me not to stand on the top two steps. Well, why do they have steps there?
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 3:34:44 PM
Re: Sheesh
Terms and conditions for consumer electronics? Software really is eating the world. I look forward to licensing agreements for home furnishings and clothing.
Michael Endler
Michael Endler,
User Rank: Apprentice
11/22/2013 | 3:03:13 PM
"In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television."

I know LG isn't the only offender here; they were just sloppy enough to get caught. But good grief, could they have provided a worse answer?

Every reporter going to CES this year now know what to harass LG about. You think 4K or OLED or some new smart TV interface will be the headline topic, LG? Well, count on every article containing at least some reference to whether customers can expect their LG TVs to spy on them.

William Welsh published an article today in IW titled "Consumer Privacy Protections Need Review, GAO Tells Congress." The timing couldn't be more apropos.

Lorna Garey
Lorna Garey,
User Rank: Ninja
11/22/2013 | 2:36:51 PM
Now all we need ...
Is to have an LG smart TV with a Kinect attached, and our TVs can not only track what we watch, they can watch us right back and report on whether we fell asleep during Letterman. Yikes.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-05
IBM Worklight/MobileFoundation does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. IBM X-Force ID: 175211.
PUBLISHED: 2020-06-05
IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228.
PUBLISHED: 2020-06-05
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230.
PUBLISHED: 2020-06-05
IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231.
PUBLISHED: 2020-06-05
A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location.&Atilde;&sbquo;&Acirc;&nbsp;This issue affects Bitdefender Antivirus Free versions prior to