LG Smart TV Caught Collecting Data On Files Stored On Connected USB Drives
The growing presence of “smart” devices, each one requiring a connection to the outside world, is a bit alarming (Samsung TV zero day exploit, anyone?). The territory still remains largely uncharted and device manufacturers are still pretty much free to decide just how much data these devices will cough up when phoning home.
A blogger (and developer and Linux enthusiast) going by the name of DoctorBeet noticed his newly-purchased LG Smart TV was displaying ads on the “home” screen. He dug around and found more info on an LG corporate page that described the process in cheery let’s-sell-some-ads tones.
LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
The endearingly sexist sales pitch attempting to sell other pitchmen on LG’s “smart” ad platform/TV makes it pretty clear that LG’s TV is very interested in any “interactions” you have with your device.
What the sales pitch failed to make clear is that LG will be grabbing this behavioral data no matter what.
In fact, there is an option in the system settings called “Collection of watching info:” which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no “balloon help” to describe what it does…
At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.
Not only was LG sucking up viewer data, it was sending the data on each interaction completely unencrypted. This isn’t necessarily a huge problem if the data collection was limited to the channel watched and for what length of time. But as the increasingly creepy sales pitch above points out, LG also wants “search keywords” and a potentially unlimited amount of “other information.”
At this point, LG already has a bit of privacy problem. Sending data on channel selection is one thing. Collecting and sending unencrypted web data like search terms is quite another. And it gets even worse.