It happened again. Someone’s stealing our data without our knowledge. This time, it’s not the NSA or any other international agency of spies. This time, our televisions record what we watch and when we watch it. The Blogspot user DoctorBeet discovered this recently.
Basically, the UK-based blogger discovered the following. Your LG Smart TV watches what you watch, sends all data – a unique TV ID, the channel you just came from and the channel you switched to, the filenames of your files on a connected USB drive – to a server, where it’s being analyzed for the purpose of better advertising.
This is made worse by the fact that all this information is sent in cleartext. So basically everyone who’s ever learned how to look at traffic on a router can see what you did. They see that you watched the video of your family at the picnic last weekend and that you then went to watch a Schwarzenegger movie but didn’t stick around for the commercial breaks because you thought it better to watch a shred of the news. They also know when you went to bed as you turned your TV off and they know when you got up to watch the daily weather report. They also know when your kids get home because suddenly, you switch from a silly dating show to cartoons. Isn’t that just a tad creepy?
But it gets worse. There’s this incredibly creepy advertising video that advertises their advertising. The video is where it gets really horrifying, because it is targeted at advertisers and not at the end user and thus shows a wider audience what the company that operates under the slogan “Life’s Good” really thinks.
In a calm and serene voice, LG explains that not only do end users get ads they can enjoy, but advertisers get a lot in return: detailed analysis of the clients’ behaviour. In essence, this means that your TV watches you watch commercials in addition to watching you watch TV. The video is absolutely unapologetic about LG’s spying and the treatment of customers as little more than advertising revenue, despite the fact that they have already paid for a TV and own it. Oh yeah, did I mention this? The sending of data continues even if you turn the collection off in the TV’s user menu.
The truly insidious thing about this is that there’s no escaping a program like this. You can cheat Facebook by lying about your preferences, not liking every other thing and using a different Email address to sign up as well as using a fake name and lying about your personal data. This method works for pretty much any social networking site that is after your information. However, with something like a TV, you have no choice but to participate and give them your personal data. Because I don’t know about you, but I’m not going to start to deliberately watch programmes I don’t enjoy only to confuse LG’s SmartAd program.
DoctorBeet – whose real identity has been revealed by the blogger himself as Jason Huntley, independent Security Consultant from Hull – investigated and asked LG’s UK office for an explanation. LG informed him that by buying the TV, he agreed to LG’s terms and conditions and therefore to everything the TV does, including the collection of advertising data. Needless to say, Huntley was not impressed, took to the internet and made the whole thing public.
The usual ensued. Users were furious, media outlets picked up on LG’s doings and the company didn’t look too good for a bit. But then LG beat a hasty retreat. They took their creepy commercial down and the website dedicated to LG’s SmartAd program is also undergoing maintenance.
Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching.
It now reads:
LG does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners. Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected to offer recommendations to viewers based on what other LG Smart TV owners are watching.
They also promised a firmware update that will allow users to turn off the feature. And in that turned off state, it will actually be turned off and not transmit any data. Cynics pointed out that this does not mean that they never intended to collect data. They also raised suspicion about the error message that was returned to Huntley when he monitored the data sent to LG’s servers. He got an error 404.
Jason Huntley discovered that the servers (yes, the advertising data went to more than one server) replied with an error 404. However, by the time Huntley disclosed his news with screenshots of the traffic logs, nobody was willing to believe that LG did not collect data. A commenter quickly pointed out that the fact that the server replies with a 404 does not mean that there’s no server there; it just means that the server doesn’t know what to do with the message it received.
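The commenter's point as an added example, which is not code from the original post, from Huntley or from LG: a handler that answers every request with 404 can still parse and keep the complete request body. The host, path, field names and values are constructed placeholders, and the request is fed from memory instead of a live socket so the example runs offline.

```python
from http.server import BaseHTTPRequestHandler
from io import BytesIO
from urllib.parse import parse_qs

# Constructed sample request. Host, path and field names are hypothetical
# placeholders, not the format or endpoints used by any real TV.
BODY = b"device_id=TV-0000&channel_from=news&channel_to=cartoons&usb_file=picnic.mp4"
SAMPLE_REQUEST = (
    b"POST /collect HTTP/1.1\r\n"
    b"Host: telemetry.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


class Always404(BaseHTTPRequestHandler):
    """Parses one request from memory, stores its body, replies 404."""

    def __init__(self, raw, store):
        self.rfile, self.wfile = BytesIO(raw), BytesIO()
        self.client_address = ("192.0.2.10", 0)  # documentation-range address
        self.store = store
        self.handle_one_request()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        # The data is already recorded before any status code is chosen.
        self.store.append({"path": self.path, "fields": fields})
        self.send_error(404)  # the client only ever sees "Not Found"

    def log_message(self, *args):
        pass  # keep stderr quiet


def exchange(raw=SAMPLE_REQUEST):
    """Return (status code seen by the client, records kept by the server)."""
    store = []
    response = Always404(raw, store).wfile.getvalue()
    status = int(response.split()[1])  # "HTTP/1.0 404 Not Found" -> 404
    return status, store


if __name__ == "__main__":
    status, store = exchange()
    print("client saw:", status)
    print("server kept:", store)
```

When reviewing a traffic capture, the status code therefore says nothing about retention; what matters is that the request left the device at all.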
This paints a rather ugly picture of the newest generation of TVs, and not just the very pretty-looking models by LG. In the comments to Huntley’s initial reveal, commenters wonder about other manufacturers’ products, such as Samsung’s new televisions. This seems like a prudent idea, even though the idea that end users will have to snoop around their devices’ software before they can rest assured their privacy is maintained is nothing short of an insult.
Jason Huntley has devised a workaround to ensure that the TV does not send any data to LG’s servers. It seems prudent to either not connect the TV to the network at all or block the following URLs in your router’s configuration:
As far as the public can tell, LG remained unimpressed, apart from trying to remove any and all trace of the SmartAd video and assuring everyone that they have never spied on their customers. As a last bit of irony, on November 18th, the day Huntley made his reveal, LG’s US Twitter account retweeted this:
The whole affair proves once more that it’s not only the NSA we need to worry about. The people selling us televisions, phones and computers are just as interested in making our lives as transparent as they can. Because, you never know, they just might get some money to tell us what we should buy. It seems only logical that customers should ask their retailers about any such catch and opt not to buy the product until there’s absolute certainty about its compliance with their desired level of privacy.
Watch out, they just might be watching you.
Update, December 16th, 2013: The German IT security blog Heise Security reports that LG’s firmware update has fixed the following things: Filenames on USB drives are not being transmitted at all anymore. If you turn off the feature that collects your watching data, the data is not being transmitted anymore. No information is being transmitted in cleartext anymore. Heise Security has tested the following models: 42LN5758 and 47LA6208.