Slashdot Mirror


Samsung Smart TVs Don't Encrypt the Voice Data They Collect

itwbennett writes A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung's own privacy policy those words can in some cases include personal or sensitive information. Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that Samsung does send captured voice data to a remote server using a connection on port 443, a port typically associated with encrypted HTTPS, but that the data was not encrypted. "It's not even HTTP data, it's a mix of XML and some custom binary data packet," said Lodge in a blog post.
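A defender can check their own network for the condition described in the summary (port 443 traffic that is not actually TLS) by inspecting the first client bytes of each flow. The sketch below is an added example, not code from Lodge's blog post or from this thread; the function names and the sample payloads are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 + 2048   # upper bound on a TLS 1.2 record length field
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes form a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_RECORD_LEN and payload[5] == CLIENT_HELLO)


def classify_first_flight(payload: bytes) -> str:
    """Classify the first client-to-server payload seen on a port 443 flow."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    stripped = payload.lstrip()
    if stripped.startswith(HTTP_METHODS):
        return "cleartext-http"
    if stripped.startswith(b"<"):
        return "cleartext-xml"
    # Mostly printable bytes without a TLS header means readable text on the wire.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "cleartext-text"
    return "non-tls-binary"


# Constructed sample payloads (not captured from any real device).
SAMPLES = {
    "tls hello": bytes.fromhex("16030100c8010000c40303") + bytes(32),
    "xml": b'<?xml version="1.0"?><request><text>constructed</text></request>',
    "binary": bytes([0x00, 0x01, 0xFE, 0x80, 0x7F, 0x02, 0xC3, 0x9A]),
    "http": b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def audit(samples: dict) -> dict:
    """Map each named sample to its verdict; anything but 'tls' deserves a look."""
    return {name: classify_first_flight(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```

Any verdict other than `tls` on a port 443 flow means the port number alone is giving a false impression of confidentiality.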

4 of 153 comments

  1. ... and this is surprising how? by Selur · Score: 5, Insightful

    Come on, it would have been surprising if they did encrypt the data in a decent way,...

    1. Re:... and this is surprising how? by gstoddart · Score: 4, Insightful

      It's sort of unbelievable, though, in some way, that no one stops to think of security and privacy ramifications of these things though. Yet it happens time after time after time.

      Laziness. Incompetence. Greed. Lack of penalties.

      The lack of penalties pretty much guarantees the other three.

      When companies carry actual penalties for doing a terrible job of security, they might try harder. Until then, not a chance.

      If all they have to do is say "oh, gee, we're not really sorry" and have no consequences, this will keep happening.

      Which is precisely why you should assume any piece of consumer electronics which wants to connect to the internet was pushed out the door by lazy, incompetent, greedy bastards who bear no legal penalty for screwing up on security and privacy.

      Because the reality is, that's probably exactly what happened.

      Bring in real privacy and data security laws, or just straight up assume the product doesn't give a crap about you.

      --
      Lost at C:>. Found at C.
  2. No Trust by thegarbz · Score: 4, Insightful

    Doesn't encryption imply some level of trust in the other party? I.e. you know who you are sending sensitive data to?

    If you don't trust Samsung to receive your personal data (as I'm sure few people do) is it relevant that it's not encrypted?

    1. Re:No Trust by Neil Boekend · Score: 4, Insightful

      I like to limit the number of people I send my private data to. Preferably to 0, but to add random hackers to it is not the right way to go.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.