Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.

From Roku

https://blog.roku.com/consumer-reports-got-wrong

Gary Ellison - February 7, 2018

Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.

In addition the article discusses the use of ACR (Automatic Content Recognition). We took a different approach from other companies to ensure consumers have the choice to opt-in. ACR is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time. To disable consumers have to uncheck Settings > Privacy > Smart TV experience > Use info from TV inputs.

We take the security of our platform and the privacy of our users very seriously.

Happy Streaming!

Re: From Roku

[JackieBrown]

So you want them to close their API and lock down what 3rd part developers can do? This is an opt in as well, not opt out.

Next, more bitching that you can root your android phone and install possibly dangerous 3rd party apps. Followed by google making it hard to root and then people bitching that it is their phone to do what they want

Re: From Roku

[UnknowingFool]

No what the rebuttal misconstrues and gets wrong from Consumer Reports criticism is not that Roku has an API for 3rd party developers but that the API itself is unsecured.

The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.” And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

Also the advice given by Roku is already addressed in the article. Disabling External Control will prevent hacking however it also disables Roku's own app.

A Roku spokeswoman said via email, “There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

you have to be in the same network

[OppMan29]

in order to control the Roku TV....if you are already in my WiFi network I'm sure that turning up the volume on the tv is not what im worry about..

Bullshit.

[msauve]

They're like lots of IOT devices - wide open on the local network for nefarious things like cranking up the volume. Not so much for the exaggerated claim that it can be done from the Internet. That's not happening unless you went out of your way to specifically configure your NAT gateway to allow incoming connections to your TV, in which case it's your own damn fault.

Sure, Roku and some others (a number of AVRs come to mind) and have no security, but in practical terms, it's only a matter of annoyance.

Reminds me on the time Consumer's Report dinged VW for only having a single turn signal "blinker" indicator on the dashboard, instead of two (showing left/right). Only an idiot CR reviewer wouldn't remember which way they wanted to turn and need a reminder.