Be careful what you say to your smart TV. Not only are some models listening to you, but due to the way their fancy voice control systems are operated, sneaky hackers could be, too.
Which? research has revealed that some smart TVs from Samsung and Panasonic are transmitting voice searches unencrypted over the internet.
Shockingly, we were able to pull the actual audio out of the raw data drawn from Samsung models (you can even listen to it below). This means if you haven’t secured your wi-fi and if someone’s eavesdropping on your network, they could hear what you say to your TV.
Targeted adverts and unencrypted voice searches
Last year, we conducted research into tracking and monitoring done by smart TVs from Samsung, LG, Sony and Panasonic. By delving into smart-TV T&Cs, we found manufacturers can snoop on the programmes you watch and the websites you visit in order to produce targeted recommendations and advertising.
At the time, we found most data collected by manufacturers was transmitted encrypted, meaning it’s hidden from hackers who might want to monitor how you use your smart TV and the internet.
However, some clever folks discovered that Samsung’s voice search feature – known as ‘automatic speech recognition’ (ASR) – was sending data to, and receiving data from, a third-party provider (Nuance Mobility) on TCP port 443. This port usually carries encrypted data, but in this case the data wasn’t actually encrypted by Samsung.
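The port number alone says nothing about whether traffic is encrypted, which is the gap described above. As an added example (not part of the original article or of the Which? test method), this check looks at the first client payload of a flow on TCP port 443 in your own network capture and reports whether it starts with a TLS record header. The function names and sample payloads are constructed for illustration and are not the TVs' actual wire format.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS 1.2 ciphertext record

def parse_tls_record_header(payload: bytes):
    """Return (type_name, (major, minor), length) for a plausible TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > MAX_RECORD_LEN:
        return None
    return TLS_TYPES[ctype], (major, minor), length

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow on port 443."""
    if not payload:
        return "empty"
    header = parse_tls_record_header(payload)
    if header and header[0] == "handshake" and len(payload) > 5 and payload[5] == 1:
        return "tls-client-hello"  # handshake message type 1 = ClientHello
    if header:
        return "tls-record"
    # No TLS framing: mostly printable bytes means readable cleartext on the wire.
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return "plaintext" if printable / len(payload) > 0.85 else "non-tls-binary"

def flag_non_tls(flows: dict) -> list:
    """Return the names of flows whose first payload does not look like TLS."""
    return sorted(n for n, p in flows.items() if not classify_first_payload(p).startswith("tls-"))

# Constructed sample payloads (illustrative only, not captured from any TV).
SAMPLE_FLOWS = {
    "tls_client": bytes.fromhex("16030100050100000100"),       # start of a ClientHello record
    "cleartext_search": b'<search lang="en-GB">panama hats</search>',
    "raw_binary": bytes(range(16)),                            # unframed binary data
    "tls_appdata": bytes.fromhex("1703030010") + bytes(16),    # application_data record
}

if __name__ == "__main__":
    for name, payload in SAMPLE_FLOWS.items():
        print(f"{name:18} {classify_first_payload(payload)}")
    print("flagged:", flag_non_tls(SAMPLE_FLOWS))
```

A flow that passes this check is only framed as TLS; it says nothing about certificate validation or cipher strength, so treat it as a first-pass filter.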
Could someone listen to what you say to your TV?
With the help of Jason Huntley – who broke the original story about smart TV tracking back in 2013 – we went back to our original data and confirmed that unencrypted voice searches were being transmitted by Samsung. We ran a voice search for ‘panama hats’ and you can see this term unencrypted in the data below.
We found that not only was the above practice occurring on Samsung smart TVs (both 2013 and 2014 models), but also on Panasonic sets. Only LG smart TVs we tested actually encrypted the voice searches on TCP port 443 (the Sony TVs we looked at did not have voice control). These findings do not account for any 2015 TVs as we’ve not tested those yet.
What was even more shocking, however, was that Jason was able to pluck out the actual audio file containing our voice search from both Samsung sets and play it back.
If your home wi-fi is unsecured, hackers can use the same techniques we used in our research to monitor internet chatter on your connected devices, including smart TVs.
Although unlikely, this monitoring could leave you vulnerable to them eavesdropping on what you say to your TV. This could, for example, enable them to build up a profile of your likes and dislikes, and then use this for phishing or vishing (voice phishing) activities.
What the brands told us
Samsung said that following ‘recent concerns’ over the encryption of data used for its voice recognition feature, it deployed a software update on 11 March on ‘smart TV models that raised such concern’.
This should have extended to all Samsung smart TVs by the end of March, so as long as your TV has the latest software updates it should no longer be an issue – we’ll be re-testing the TVs in question as soon as possible to check Samsung has met its promises. Most Samsung TVs should update automatically, or ask you for permission to update, but if you’re concerned you can download the update direct from Samsung’s support website.
It added: ‘We take consumer privacy very seriously and our TVs are designed with privacy in mind. If at any time we identify a potential vulnerability, we act promptly to investigate and resolve the issue.’
Panasonic told us that its TVs don’t ‘constantly monitor conversations’, but it advises users not to ‘include any personal information in the voice commands’. It admitted that voice data is sent unencrypted, but the firm is now taking action to address that. We’ll continue to liaise with Panasonic to ensure they also address this issue.
Panasonic added: ‘The voice data is not sent in raw format, but the transmission is not encrypted. So for further securing the data, we are now preparing to update the software to encrypt the transmission. As soon as it becomes available, we will update the software.’