Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


LG Admits Smart TVs Spied On Users

LG admits it collected information on consumers' viewing habits, promises firmware update to honor opt-out requests.

South Korean multinational LG Electronics Thursday confirmed that its smart televisions can track what consumers are watching, and that they continue to do so even after consumers select a preference that purports to deactivate that tracking.

Viewing data -- including viewing duration, real-time tracking of the selected channel, and the names of all files stored on connected USB drives and network shares -- "is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching," according to a statement LG emailed to security researcher Graham Cluley.

LG promised to issue a firmware upgrade to honor consumers' opt-out preferences. It also promised to remove a feature that collected filenames and folder names on connected USB drives and network shares. "This feature, however, was never fully implemented and no personal data was ever collected or retained," said LG. "This feature will also be removed from affected LG Smart TVs with the firmware update."

[ Will Facebook's privacy tweaks never end? Here are some of the latest: 10 Most Misunderstood Facebook Privacy Facts. ]

Cluley criticized LG for failing to apologize for tracking its customers despite the company's claim that "our customers' privacy is a very important part of the Smart TV experience." He also criticized the company for creating a system that sent viewing data over the Internet in plaintext format, meaning that it could be easily intercepted. "I assume they're not sorry because they've passed up the opportunity to apologize to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks," Cluley said in a blog post.

Despite LG's promised firmware changes, consumers will likely be no wiser about how their viewing habits are being tracked or how they can stop that from happening. In addition, finding firmware updates that fix the always-on tracking problem will require users to manually check for firmware updates (menu >> network >> software updates) once they're available and ensure that the TV is connected to the network via an Ethernet cable, since LG's support site notes that wireless Internet connections are not reliable enough for firmware updates.

LG's data collection practices came to light Monday, after a security researcher known as DoctorBeet reported in a blog post that his LG smart TV was "logging USB filenames and viewing info to LG servers."

DoctorBeet started investigating what data his TV might be collecting after he found advertising displayed on its "smart" screen, along with a "creepy corporate video" -- which LC has since deleted -- that advertised LG's data collection practices to potential advertisers.

Buried in his TV's preferences menu DoctorBeet also found a "collection of watching info" setting, which was active by default. When that setting was active, it transmitted a unique device ID and name of the channel being watched. Every channel change triggered a signal to LG's servers, and overall viewing duration appeared to also be tracked. Furthermore, DoctorBeet found that the TV was also sending the names of all files that were stored on an external USB hard drive connected to the TV.

All that information continued to be transmitted even after turning the "collection of watching info" setting off, although the transmitted data did then include a special flag, meaning LG may have intended to discard the data.

One caveat, DoctorBeet noted, was that the URLs to which the TV tried to send data didn't appear to exist, because they resulted in HTTP 404 errors. "However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow," DoctorBeet explained, "enabling them to start transparently collecting detailed information on what media files you have stored."

DoctorBeet, who lives in Britain, emailed LG to ask why the company was insecurely collecting data on consumers' viewing habits and ignoring the opt-out setting. In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television.

DoctorBeet's finding were corroborated Thursday by a security researcher -- posting under the name Mark -- who found that his LG television was not only tracking his viewing habits but was also cataloging and sending the names of all folders and files on networks that had been shared with the device. He also noted what appeared to be regional firmware variations in LG devices, including no option on his smart TV to disable viewing data collection.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 4:07:14 PM
Re: Sheesh
> look for the little tag that starts "Do not remove this tag under penalty of law."

That becomes worrisome when you add technology: With some wires, the right chip, and a power source, the removal of a tag could broadcast a message and prompt enforcement. As a simple printed warning, it's more silly than troubling.
Tom Murphy
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:54:43 PM
Re: Sheesh
Tom For T&Cs on that chair you're holding down, look for the little tag that starts "Do not remove this tag under penalty of law."  Packing materials for most chairs are also full of conditions that warn you about leaning too far back, stand on it, or do most of the other things that we all do once in a while.

 I have a ladder that warns me not to stand on the top two steps. Well, why do they have steps there?
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/22/2013 | 3:34:44 PM
Re: Sheesh
Terms and conditions for consumer electronics? Software really is eating the world. I look forward to licensing agreements for home furnishings and clothing.
Michael Endler
Michael Endler,
User Rank: Apprentice
11/22/2013 | 3:03:13 PM
"In response, LG's help desk told him that by using the TV, he'd agreed to certain terms and conditions and that he should take up any related complaints with the retailer that had sold him the television."

I know LG isn't the only offender here; they were just sloppy enough to get caught. But good grief, could they have provided a worse answer?

Every reporter going to CES this year now know what to harass LG about. You think 4K or OLED or some new smart TV interface will be the headline topic, LG? Well, count on every article containing at least some reference to whether customers can expect their LG TVs to spy on them.

William Welsh published an article today in IW titled "Consumer Privacy Protections Need Review, GAO Tells Congress." The timing couldn't be more apropos.

Lorna Garey
Lorna Garey,
User Rank: Ninja
11/22/2013 | 2:36:51 PM
Now all we need ...
Is to have an LG smart TV with a Kinect attached, and our TVs can not only track what we watch, they can watch us right back and report on whether we fell asleep during Letterman. Yikes.
<<   <   Page 2 / 2
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-27
WeBid 1.2.2 admin/newuser.php has an issue with password rechecking during registration because it uses a loose comparison to check the identicalness of two passwords. Two non-identical passwords can still bypass the check.
PUBLISHED: 2021-01-27
oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php
PUBLISHED: 2021-01-27
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
PUBLISHED: 2021-01-27
condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root.
PUBLISHED: 2021-01-27
HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method.