TVs have long had remote controls. The early models required line-of-sight controls and infrared signals. The TV would stay in a standby mode until the remote zapped a particular sequence of light to wake it up. Later this advanced to wireless controls (if the TV was Internet-connected) and, now, voice control, where a hard-coded phrase – "On TV" – must be spoken to wake up and turn on the device.
Ideally these phrases are unique; however, you can imagine a scenario where someone might say, in the presence of a smart TV, "I saw that Samsung 6S on TV last week." On TV it is. The device is now listening. The question is, how long has it been listening?
In the spring of 2015, security researchers Ken Munro and David Lodge studied whether voice-activated Samsung TVs were listening in on all conversations in the room. They found that the TV models they looked at were in fact not recording when the TV was off and did not start to record the conversation in the room until the wake-up phrase was spoken. What happened next, however, surprised them.
Apparently Samsung not only records the entire subsequent conversation – in case you want to change the channel or increase or decrease the volume – it also sends the conversation, unencrypted, to a remote server. That's because the commands don't just go to your TV; they go to the remote server and back out again to your TV.
Not only is it sent to Samsung, but also to Nuance, the company that automatically transcribes the spoken command into words. That's now two companies that have a transcript of your conversation in front of the TV – that is, until you say "TV Off."
Let's say you are watching the premiere of the latest season of Game of Thrones. The phone rings, and it’s a business call. Because you are alone, you take the call, but as long as the TV is on, it is capturing your side of the conversation, waiting patiently for you to utter the next TV command it can use. That business call is now sent to servers at Samsung and Nuance.
You can turn off this feature, and sacrifice the convenience of talking at your TV. For the Samsung PN60F8500, and similar products, go into the Settings menu, select Smart Features and then under Voice Recognition select Off.
When contacted by the researchers, Samsung said that such eavesdropping scenarios are spelled out in the privacy agreement, which most of us never read. However, in the future, Samsung says all its TV communications will be encrypted. Unfortunately, as of December 2015, most of its TVs are not yet protected.
And it's not just Samsung. LG smart TVs have also been found to send data over the Internet. When a viewer changes the channel, something called "Collection of watching info," which is enabled by default, sends a log back to LG. The enterprise danger here is that even the names of files stored on any USB drive you may have connected to your LG television are sent as well. While the names might not be as bad as leaking the contents of the files, having the "Quantum Project" name out in the wild could be a problem for some enterprises.
And it is not just smart TVs. Amazon Echo does more than control your TV channels; it also allows you to order items by saying what you want. Accordingly, Echo responds to more voice commands than your smart TV. Knowing this, Amazon does at least provide ways to periodically delete all conversations. Perhaps the easiest way to clear your conversations is to open the Amazon Echo app > Settings > History > Tap Individual Recording > Delete. You can also log in to your account on Amazon.com, and from Account Settings click on Your Devices > Amazon Echo > Delete.
New devices aren't your only threat; anything with a microphone works. Around 2013 Google started what's called "hotwording," where a simple voice command on your laptop or smartphone activates the listening mode within Chrome. This is what provides the Google Now experience on your Android phone. Others have followed suit, for example Apple's Siri, Microsoft's Cortana, and Amazon's Alexa.
That means your phone, your traditional PC, or that standalone device on your coffee table all rely on back-end cloud services designed to respond to voice commands such as "Siri, where's the closest sushi restaurant?" It also means these devices all listen. And, if that doesn't concern you enough, know that the searches conducted by these services are recorded and saved indefinitely.
Next time you need to take a business call at home, you might want to go outside—it'll be more private.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).