February 20, 2015 weblog
Samsung smart TVs subject of blog on traffic intercept findings
Does your Samsung TV listen to you? That question was posed on Monday, February 16, by David Lodge in a blog post for Pen Test Partners, a UK-based security company. The smart TVs have a voice command facility that is activated by a spoken phrase, the default being "Hi TV." What interested Lodge was "a bit of a privacy concern - can Samsung listen in on you whilst you're sat on the sofa watching TV? The easiest way is to intercept some traffic from a TV and see what it's trying to do."
Lodge went ahead with his research. To intercept the traffic he used a TP-Link switch that could mirror traffic from one port to another, allowing him to intercept the traffic transparently. From there he could record the TV's handshake as it joined the network and attempted to make a few voice requests in different ways. Lodge said that "This was all recorded in Wireshark and saved as a PCAP for later analysis." (Wireshark is a network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. It runs on most platforms, including Windows, OS X, Linux, and Unix. Network professionals, security experts and developers use it regularly.)
What did Lodge find and conclude? Does the TV listen to you? The answer, he said, is "not unless you ask it to." At the moment, he said, it only listens to audio when you say "Hi TV". Does it send your audio to a third party? Lodge said sometimes. "When you say 'Hi TV' it will listen for some simple things, such as volume up and volume down, that it does on TV, anything more complex, such as a web search it will pass to a third party." The Register explained how such spoken web search requests are piped to a company to analyze and turn into query results sent back to the TVs. "A specific server receives data from the televisions in plaintext, and replies with unencrypted responses," said John Leyden.
Looking at the contents of a stream, Lodge did not see SSL encrypted data. "It's not even HTTP data," he wrote, but instead "a mix of XML and some custom binary data packet."
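The check described above, opening a saved PCAP and seeing whether a stream is SSL, HTTP or something else, can be scripted as a first pass over a device's traffic. This is an added example, not code from Lodge's post or from this article; the function names are hypothetical, and the sample capture (addresses, ports and payloads) is constructed. It labels payloads by their first bytes only, so a "tls" label is a heuristic, and a destination port of 443 on its own says nothing about encryption.

```python
import struct

def classify_payload(data: bytes) -> str:
    """Label the first bytes of a TCP payload by what they look like on the wire."""
    if len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return "tls"                      # TLS record header: content type + version 3.x
    if data.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/")):
        return "http-plaintext"
    if data.lstrip().startswith(b"<"):
        return "xml-plaintext"            # readable markup, no transport encryption
    return "binary-unknown"               # custom framing; needs manual review

def tcp_payloads(pcap: bytes):
    """Yield (dst_ip, dst_port, payload) for Ethernet/IPv4/TCP packets in a classic pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                              # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4/TCP, or truncated
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        payload = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b""
        if payload:
            yield ".".join(map(str, frame[30:34])), struct.unpack("!H", tcp[2:4])[0], payload

def summarize(pcap: bytes) -> dict:
    """Map each (dst_ip, dst_port) to the label of the first payload sent to it."""
    seen = {}
    for ip, port, payload in tcp_payloads(pcap):
        seen.setdefault((ip, port), classify_payload(payload))
    return seen

def _pkt(dst, dport, payload):            # builds one constructed sample packet
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 50]), bytes(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture (documentation addresses, made-up ports and payloads).
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _pkt([203, 0, 113, 10], 443, b"\x16\x03\x01\x00\x05hello")
          + _pkt([203, 0, 113, 20], 443, b'<?xml version="1.0"?><request/>')
          + _pkt([203, 0, 113, 30], 9000, b"\x00\x01\x02binary"))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any flow labelled other than "tls" is worth opening in Wireshark to see what the device actually sends.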
Leo Kelion, technology desk editor, BBC News, reported that Samsung acknowledged some smart TV models were uploading owners' voices to the Internet in unencrypted form. Samsung told the BBC it planned to release new code that would encrypt voice commands for the user's protection. "Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models." The Register similarly reported on a Samsung response: "Since the publication of this story, Samsung has been in touch to say: 'Samsung takes consumer privacy very seriously and our products are designed with privacy in mind. Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models.'"
Earlier, on February 10, Samsung had issued this statement: "You can control your Smart TV, and use many of its features, with voice commands. If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Samsung will collect your interactive voice commands only when you make a specific search request to the Smart TV by clicking the activation button either on the remote control or on your screen and speaking into the microphone on the remote control. If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. You may disable Voice Recognition data collection at any time by visiting the 'settings' menu. However, this may prevent you from using some of the Voice Recognition features."
© 2015 Tech Xplore