Slashdot Mirror


Samsung Smart TVs Don't Encrypt the Voice Data They Collect

itwbennett writes A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung's own privacy policy those words can in some cases include personal or sensitive information. Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that Samsung does send captured voice data to a remote server using a connection on port 443, a port typically associated with encrypted HTTPS, but that the data was not encrypted. "It's not even HTTP data, it's a mix of XML and some custom binary data packet," said Lodge in a blog post.
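The finding above rests on one point worth checking on any device you own: a connection to port 443 is not the same as a TLS connection. The following is an added example, not code from the article, Pen Test Partners or Samsung, that classifies the first bytes of a captured stream as a TLS record or as plaintext so that non-TLS traffic on 443 can be flagged for review. All sample payloads are constructed for illustration.

```python
import re

# Constructed sample stream prefixes (not captured from a real TV); the TLS one is the
# start of a TLS record carrying a ClientHello handshake message.
SAMPLE_TLS = b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03" + b"\x00" * 32
SAMPLE_XML = b'<?xml version="1.0"?><voice><session id="1"/></voice>\x00\x01\x02'
SAMPLE_HTTP = b"GET /speech HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_BINARY = b"\x8a\x12\x00\x05data"

# TLS record content types (RFC 5246 section 6.2.1); a TLS stream begins with one of these.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_MAX_RECORD = 2**14 + 2048  # upper bound on a TLSCiphertext fragment length


def classify_stream(head: bytes) -> str:
    """Classify the first bytes of a TCP stream by what the first record looks like."""
    if (len(head) >= 5 and head[0] in TLS_CONTENT_TYPES
            and head[1] == 0x03 and head[2] <= 0x04):
        length = int.from_bytes(head[3:5], "big")
        if 0 < length <= TLS_MAX_RECORD:
            return "tls"
    if re.match(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r\n", head):
        return "http-plaintext"
    if head.lstrip().startswith((b"<?xml", b"<")):
        return "xml-plaintext"
    return "unknown-plaintext"


def audit_flows(flows):
    """flows: iterable of (dst_port, first_bytes). Return flows on 443 that are not TLS.

    A TLS record header only shows the stream is framed as TLS; confidentiality still
    depends on the negotiated cipher suite, so this is a cheap first filter, not proof
    of encryption. Legacy SSLv2-style ClientHellos (which lack this header) are not
    recognised and would simply be reported for manual inspection.
    """
    findings = []
    for dst_port, head in flows:
        kind = classify_stream(head)
        if dst_port == 443 and kind != "tls":
            findings.append((dst_port, kind))
    return findings


SAMPLE_FLOWS = [
    (443, SAMPLE_TLS),     # what one expects on 443
    (443, SAMPLE_XML),     # the case the article describes: port 443, no TLS
    (443, SAMPLE_BINARY),  # custom binary framing on 443, also not TLS
    (80, SAMPLE_HTTP),     # plaintext on 80 is expected and not flagged
]

if __name__ == "__main__":
    for port, kind in audit_flows(SAMPLE_FLOWS):
        print(f"port {port}: non-TLS stream ({kind})")
```

The same classifier can be fed the first bytes of each stream from a pcap (for example via a capture library's reassembled TCP payloads) to audit every outbound 443 flow from a device.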

10 of 153 comments

  1. ... and this is surprising how? by Selur · Score: 5, Insightful

    Come on, it would have been surprising if they did encrypt the data in a decent way,...

    1. Re:... and this is surprising how? by gstoddart · Score: 4, Insightful

      It's sort of unbelievable, though, in some way, that no one stops to think of the security and privacy ramifications of these things. Yet it happens time after time after time.

      Laziness. Incompetence. Greed. Lack of penalties.

      The lack of penalties pretty much guarantees the other three.

      When companies carry actual penalties for doing a terrible job of security, they might try harder. Until then, not a chance.

      If all they have to do is say "oh, gee, we're not really sorry" and have no consequences, this will keep happening.

      Which is precisely why you should assume any piece of consumer electronics which wants to connect to the internet was pushed out the door by lazy, incompetent, greedy bastards who bear no legal penalty for screwing up on security and privacy.

      Because the reality is, that's probably exactly what happened.

      Bring in real privacy and data security laws, or just straight up assume the product doesn't give a crap about you.

      --
      Lost at C:>. Found at C.
    2. Re:... and this is surprising how? by gstoddart · Score: 3, Insightful

      > But it's not a secret. You know when you buy one of these your voice is going to be transmitted over the internets for analysis.

      Does your average TV owner know this? Is it explicitly marked on the package?

      Because until they announced they might be sending your voice to third parties, I'm betting your average consumer had no frickin' idea that was happening.

      > The only potential violation of privacy here would be the ability for a third party to intercept the unencrypted data on someone

      Well, first they broadcast it in the clear, and then they're giving it to a third party to do the work.

      Everything about this system, from end to end, is more or less designed to violate your privacy.

      Because the "security" is pretty much non-existent.

      Corporations need to have huge penalties for implementing "security" like a bunch of lazy chimps. If they aren't, then people should be well informed that the security of their product was, in fact, written by a bunch of lazy, indifferent chimps.

      --
      Lost at C:>. Found at C.
    3. Re:... and this is surprising how? by dimeglio · Score: 3, Insightful

      > your voice is going to be transmitted over the internets for analysis.

      Why would a normal consumer assume that? He's talking to the TV, not chatting with someone using Skype.

      --
      Views expressed do not necessarily reflect those of the author.
    4. Re:... and this is surprising how? by Charliemopps · Score: 3, Insightful

      There is no legal obligation to encrypt.
      There is no culpability if the data is lost.
      It costs time and money to secure it.

      Why would they bother?

  2. No Trust by thegarbz · Score: 4, Insightful

    Doesn't encryption imply some level of trust in the other party? I.e. you know who you are sending sensitive data to?

    If you don't trust Samsung to receive your personal data (as I'm sure few people do) is it relevant that it's not encrypted?

    1. Re:No Trust by Neil+Boekend · Score: 4, Insightful

      I like to limit the number of people I send my private data to. Preferably to 0, but adding random hackers to it is not the right way to go.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  3. Out Sonying Sony? by EzInKy · Score: 3, Insightful

    Is this really what Samsung wants to do? I've been steering everyone I know away from Sony products for more than a decade now, and when they ask what brand they can trust, I have always told them Samsung. I ask you, is there any major brand that is on the side of consumer/customer privacy out there anymore?

    --
    Time is what keeps everything from happening all at once.
  4. Re:New term by SuperKendall · Score: 3, Insightful

    Forget the NSA, this can be super handy for the garden variety creep or stalker. Many remotes these days use some kind of wireless connection - so if I had a sniffer listening to network traffic from the house I could remotely trigger the remote's microphone key even from outside fire up listen mode...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  5. Re:Terms by Anonymous Coward · Score: 3, Insightful

    > To be fair, what kind of words are likely to be sent [...]

    I think you don't know how this works. If it is similar to Siri and whatever its Android twin is called, there ain't remotely enough processing oomph (and memory) in the TV's embedded to make any sense of your mumblings and map them to commands like "put channel 11". So anything going on in the room is packed up and sent to "Teh Cloud" to make any sense of it. Be it your dog whining, your husband yelling at you or your daughter phoning the boyfriend.

    How anyone thinks *that* is a good idea escapes me, but well -- there are folks who buy a dedicated machine for that. I repeat: the spied-upon are paying hard-earned cash for this. I can't wrap my little head around that.