TiVo Fixes Security Flaw in Stream 4K Streaming Device
Consumer Reports found TiVo's dedicated streaming player was sending unencrypted user data
Just like smart TVs, streaming players can capture a lot of important information about you and your network, and then send it across the internet. Because the information could be of use to criminals, it’s standard practice to encrypt this data while it’s in transit.
But during recent testing of the privacy and security of several streaming media devices, Consumer Reports’ Digital Lab found that TiVo’s dedicated streaming player, the TiVo Stream 4K, wasn’t encrypting the data it sent out. The information could be read by anyone able to intercept it. The TiVo was the only one of the 18 devices in our streaming media player ratings with this problem.
TiVo Releases Software Update
We notified TiVo of the problems in March, and the company quickly agreed to fix them. “The weakness identified by Consumer Reports, attributable to a third-party application’s transmission of certain data, has now been addressed,” a TiVo spokesperson said via email.
“We are taking this opportunity to proactively review device activity with our other partners and determine if similar weaknesses exist, and will correspondingly address any new issues which might arise from that investigation,” the spokesperson said.
We decided to check the TiVo Edge DVR for the same problem, and found that it, too, was sending out unencrypted data. However, the information didn’t include user data such as IP addresses, and we don’t judge it to be a risk to consumers.
TiVo issued a software patch for the Stream 4K player soon after we notified the company, but our testing showed that it didn’t remedy the problem. However, Consumer Reports’ testing confirmed that a second update pushed at the end of March did correct it. The device is no longer sending out unencrypted data.
The good news is that if you own a TiVo Stream 4K player, you don’t need to do anything. The company says that a new version of the software is already available and has been pushed out as an update to all TiVo Stream 4K users.
New Privacy, Security Scores in Ratings
This is the first time Consumer Reports has added data privacy and security scores for all the streaming players we test. We already incorporate privacy and security testing into our ratings of password managers, wireless routers, TVs, video doorbells, and some other product categories, and we’re adding more every year.
Like all the products that Consumer Reports tests and rates, all the streaming devices were purchased at retail stores. We evaluated the various ways streaming device brands collect, use, and share consumer data, how well they protect it, and how transparent the companies are about their data practices. We also judge companies by how they handle security procedures, such as encrypting all user communications by default, enabling automatic security updates, and protecting against known security vulnerabilities.