Millions of smart TVs sitting in family living rooms are vulnerable to hackers taking control and could be tracking the household’s personal viewing habits much more closely than their owners realize, according to a new Consumer Reports investigation.
The non-profit consumer product testing organization examined five of the top smart TVs on the market and found that in several of them, “a relatively unsophisticated hacker” could conduct remote hijinks like cranking the volume to a roar, knocking the TV off the Wi-Fi network, quickly changing channels or forcing it to play objectionable YouTube content.
The vulnerability was found in sets such as Samsung, TCL, and devices using the Roku TV platform, which can include brands like Philips, RCA, Hisense, Hitachi, Insignia, and Sharp, along with some of Roku’s own streaming players.
ACR helps the TV recommend other shows you might enjoy watching, but can also be used to target your families with advertising. The data can also be combined with other aspects of your personal information to help build profiles on your behaviour that are sold to other marketers.
“For years, consumers have had their behaviour tracked when they’re online or using their smartphones,” Justin Brookman, director of privacy and technology at Consumers Union, the advocacy arm of Consumer Reports, said. “But I don’t think a lot of people expect their television to be watching what they do.”
The smart TVs typically ask for users’ permission during initial setup to collect their viewing data, while also warning they may miss out on some functionality, like being told if they watch one show they may also enjoy another, if they decline. Unaware or impatient consumers may breeze through the setup without reading or understanding what they’re agreeing to.
“Our Smart TVs include a number of features that combine data security with the best possible user experience,” a Samsung spokesperson told NBC News in an emailed statement. “Before collecting any information from consumers, we always ask for their consent, and we make every effort to ensure that data is handled with the utmost care.”
In a statement on their blog, Roku said that Consumer Reports’s story was “a mischaracterization of a feature” and “there is no security risk.”