Samsung smart TVs may be uploading your voice commands without encryption

19 Feb 2015

As the fallout continues over Samsung’s Smart TV privacy policy, it appears that certain models of the Korean company’s devices do not yet encrypt the data they acquire from customers.

Older models of its Smart TVs are uploading their owners’ voices to the internet in unencrypted form.

The new models, which ironically enough sparked the security storm earlier this month when the privacy policies were finally read by consumers, are grand and there’s nothing to worry about there, Samsung says.

“Samsung takes consumer privacy very seriously and our products are designed with privacy in mind,” the company said in a statement seen by the BBC.

“Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models.”

Digging up dirt

This comes in response to some fairly straightforward digging by David Lodge of Pen Test Partners, a UK security firm. Lodge borrowed a Samsung Smart TV and started messing around, trying to find out what it tracks and what it doesn’t.

Essentially Lodge found that the TV only uploads your voice after you have initiated the relationship between consumer and TV, but that it does send internet-based queries on to third parties, as per the policy, really.

However, after a bit of clever hacking, he could access the commands he gave to Samsung, saying: “there’s plenty to suggest that interesting data is making its way on to the interwebs from your TV.”

Samsung TV hack

David Lodge of Pen Test Partners discovered that his verbal communications with his Samsung Smart TV were not encrypted. Here, he said ‘Samsung’ and the TV tried to understand his accent.

The TV he borrowed was from colleague Ken Munro, who found the issue to be very serious.

“Intercepting those communications could be done over wi-fi by neighbours and/or hackers outside your house, if you use the wireless feature of the TV to hook up to the internet,” he said to the BBC.

“It could also be carried out by your ISP, and by anyone else that has access to internet backbones. I’m thinking governments, law enforcement.

“This is an easy problem to solve. The communications should be encrypted using SSL just like other sensitive internet communications are.”


Gordon Hunt was a journalist with Silicon Republic