Samsung's smart TVs are listening to you

tay

Let's go to another room so the TV can't hear us! Samsung's smart TVs don't just respond to your commands now – they also tell a third party what you're saying while you sit in front of them.


Sharp-eyed folks have spotted Samsung's confession to this effect in the UK privacy policy for its SmartTV range.


The section on voice recognition kicks off with the anodyne: “To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you.”


So far, so mostly-reasonable: if a telly had enough CPU grunt to do voice recognition it could push the price into nasty territory. A cloud-assist feature is icky, but not terrifying, not least because bigger samples will probably make for bigger improvements in voice recognition.


Next comes the admission that “In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.”


That's far less comfortable, as it suggests Samsung can identify individuals. If it's matching MAC addresses, that's not terrifying. If it depends on logins … yikes! Samsung can identify you and the stuff you say to your tellie!
It gets worse in this final sentence:
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”




Worse still, this all happens even if you don't turn voice recognition on, as Samsung says: “If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.”


Samsung's responded to widespread discussion of its privacy policy by insisting the data it collects is encrypted and cannot be accessed or used by unauthorised parties.


But of course Anthem Healthcare, Target, Sony (Pictures Entertainment and the PlayStation arm) and myriad others have all made similar pledges about the effectiveness of their security.




more




WATCH IT WATCHING YOU WATCHING IT (Your Samsung TV that is) • The Register
 

DaSleeper

Y'all realise that big brother knows everything about you using a computer unless




 

Spade

The sad truth is whenever technology allows for greater surveillance, government and industry employ that tool without a twinge of embarrassment for invading privacy or restricting freedom.
PS
Samsung is not grammatical. Shouldn't it be Sam sang?
 

tay

A new attack that uses terrestrial radio signals to hack a wide range of Smart TVs raises an unsettling prospect—the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them.

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

"Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways," Rafael Scheel, the security consultant who publicly demonstrated the attack, told Ars. "Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV's camera and microphone."

Scheel's exploit relies on a transmitter that's based on digital video broadcasting—terrestrial, a transmission standard that's built into the vast majority of TVs. TVs that are connected to the Internet, are currently tuned to a DVB-T-based station, support the hybrid broadcast broadband TV standard, and contain at least one critical vulnerability that can be exploited without showing any outward signs anything is amiss.

The exploit, which Scheel developed for Swiss security consulting company Oneconsult, was demonstrated in February at the European Broadcasting Union Media Cyber Security Seminar. Once completed, the attack gave Scheel the ability to remotely connect to the TV over the Internet using interfaces that allowed him to take complete control of the device. The infection was also able to survive both device reboots and factory resets. A recording of the talk is available below:


https://arstechnica.com/security/20...ode-into-broadcast-signal-no-access-required/


The demonstration opens the door to Smart TV hacks that go well beyond those that have been commonly seen so far, including this proof-of-concept exploit from 2012 and another one called Weeping Angel (Weeping Angel is described in a cache of CIA documents recently published by WikiLeaks). A key limitation with those exploits is that they require physical access to the targeted set. That not only exposes the attacker to the risk of being caught, but it also limits the number of sets that can be hacked.

Scheel's approach, by contrast, can work against many TVs at once and eliminates the need for the attacker to physically control the device. Instead, the hacker need only turn on a transmitter that's within range of a large number of sets, say, in a densely populated apartment building or from a balcony that's near a TV of interest. The approach could also be modified in ways that give it greater reach. For instance, in the event a TV station or network was compromised—for example, a more extreme version of the 2015 hack that blacked out 11 channels belonging to French broadcaster TV5Monde—the attackers could surreptitiously embed malicious code into the signal being broadcast to millions of TVs. Embedding malicious commands into broadcasts from cable or satellite providers is also theoretically possible.

The hacks underscore the risks of so-called "Internet of Things" devices, the vast majority of which are given network access and computing functionalities without being adequately secured. TVs and other Internet-connected appliances almost universally lack application sandboxing and other exploit mitigations that are a standard part of computer and mobile operating systems. Even worse, most devices run old versions of Linux and open source browsers that contain critical vulnerabilities. While patches are generally available on the Internet for the individual components, manufacturers rarely give customers a way to install them on the devices in a timely way.