Samsung Smart TVs Don't Encrypt the Voice Data They Collect

itwbennett writes A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung's own privacy policy those words can in some cases include personal or sensitive information. Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that Samsung does send captured voice data to a remote server using a connection on port 443, a port typically associated with encrypted HTTPS, but that the data was not encrypted. "It's not even HTTP data, it's a mix of XML and some custom binary data packet," said Lodge in a blog post.

... and this is surprising how?

[Selur]

Come on, it would have been surprised if they did encrypt the data in a decent way,...

Re:... and this is surprising how?

[Dutch+Gun]

Yeah, same here... pretty much called it in the last article about this. It's sort of unbelievable, though, in some way, that no one stops to think of security and privacy ramifications of these things though. Yet it happens time after time after time.

I wonder if it's perhaps an engineer-type mentality that gets so focused on building cool new things, they just don't stop to think about how those new things can be abused or exploited to do bad things. Like when Microsoft decided to embed scripting-type functionality in all their Office documents, and now *whee*, we've got document-based trojans. Then they had to clamp down on all that scripting. Or how Adobe turned on scripting functionality by default in PDFs, giving us a crapload of exploits for a feature very few people ever used. Result - you have to turn off scripting to stay safe when reading PDFs, and eventually browsers took it upon themselves to do it safely for you. I guess engineers don't typically think like baddies, figuring out how to use technology to hurt people or steal from them.

This is not privacy-related data they're exploiting on purpose, because it doesn't do any good from a marketing standpoint. The only other explanation is that it's just an oversight. It's not the first time, and it probably won't be the last. On the other hand, given the fact that the NSA still collects all of our traffic, and US Citizens aren't up in arms about it, maybe they're correct in calculating that most people just don't give a damn about that sort of thing outside of a vocal minority.

Re:... and this is surprising how?

[gstoddart]

It's sort of unbelievable, though, in some way, that no one stops to think of security and privacy ramifications of these things though. Yet it happens time after time after time.

Laziness. Incompetence. Greed. Lack of penalties.

The lack of penalties pretty much guarantees the other three.

When companies carry actual penalties for doing a terrible job of security, they might try harder. Until then, not a chance.

If all they have to do is say "oh, gee, we're not really sorry" and have no consequences, this will keep happening.

Which is precisely why you should assume any piece of consumer electronics which wants to connect to the internet was pushed out the door by lazy, incompetent, greedy bastards who bear no legal penalty for screwing up on security and privacy.

Because the reality is, that's probably exactly what happened.

Bring in real privacy and data security laws, or just straight up assume the product doesn't give a crap about you.

No Trust

[thegarbz]

Doesn't encryption imply some level of trust in the other party? I.e. you know who you are sending sensitive data to?

If you don't trust Samsung to receive your personal data (as I'm sure few people do) is it relevant that it's not encrypted?

Re:No Trust

[Neil+Boekend]

I like to limit the amount of people I send my private data to. Preferably to 0, but to add random hackers to it is not the right way to go.

Good enough

"It's not even HTTP data, it's a mix of XML and some custom binary data packet,"

Well, XML is more or less unreadable. That is as close to a one way encryption any commercial company will get.

Re:Out Sonying Sony?

[hcs_$reboot]

is there any major brand who are on the side of consumer/customer privacy out there anymore?

Google.

Re:So turn the mic off..

[Racemaniac]

It's even better than this, the mic apparantly is only on when you press the voice command button to make the tv listen to a voice command. The mic is only on for a short period when you ask it explicitly. Then it sends whatever you said to the speech recognition server (just like every other speech recognition system atm), and the tv will get an answer as to what it's supposed to do.

The reason they have this in their terms and conditions is because the tv doesn't know what it'll send when you push that button, so it could be personal information. They're just covering their asses. And i would never use such a system, but i'm wondering what the big value is of encrypting data that would probably just contain someone saying "channel 77" or whatever the voice commands like that are.

This is just a lot of fuss about nothing, and a lot of people complaining because the summary makes it sound far worse than it actually is...
The first article was ridiculous. Ofcourse the voice commands get sent to a third party service. That's also how siri and whatever other such systems exist work. And it's not always on, you have to request it via the remote. So there's no privacy implication at all... It's just covering their asses.
And now it's that this data, which is very very unlikely to be sensitive isn't encrypted. If the hackers want to hear people name channels and other commands from the users of said tv's... good for them.

Oh for fucks sake, people.

[wiredog]

The microphone on the TV stays off until you command it to listen. You do that by pressing a large VOICE button on the remote.