Release date 10/05/2018
CR reported in February it had found that millions of televisions from Samsung, as well as those from brands that use the Roku TV platform, could potentially be controlled by hackers exploiting easy-to-find security flaws.
The problems were discovered during a CR-led privacy and security evaluation of five smart TV brands. This was CR’s first product test based on its new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights issues.
CR shared its findings with Samsung and the other manufacturers, and it has now confirmed that a firmware update issued by Samsung this summer fixes this vulnerability on its 2018 smart TVs. The company says it plans to roll out a similar update for 2017 TVs later this fall.
“The growing ranks of connected products offer a host of conveniences and innovations, but they also raise serious questions about security and privacy,” said Marta L. Tellado, president and CEO of Consumer Reports. “When we discovered these security flaws with smart TVs, we reached out to the manufacturers, and Samsung fixed the problem. This is why we developed the Digital Standard – to hold companies accountable for producing connected products that put all of our security and privacy needs first.”
In CR’s tests, it discovered that Samsung smart TVs, along with Roku TVs from TCL and other brands, would allow a hacker with minimal skills to change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection. This could be done remotely over the web from thousands of miles away.
The vulnerabilities would not allow a hacker to spy on a TV viewer, steal information, or monitor what was being watched.
In addition to its smart TV investigation, CR recently published its first-ever, test-based ratings of mobile peer-to-peer payment services with a focus on privacy and security.
During pilot testing for the Digital Standard in 2016, CR discovered several privacy vulnerabilities with the Glow app, a mobile app designed to help women track their menstrual cycles and fertility. After CR contacted the company, it promptly addressed the major security issues we found.
CR’s efforts to promote consumer interests in relation to privacy, security, and data practices, including the development of the Digital Standard, are made possible by its members and philanthropic investments by Ford Foundation and Craig Newmark Philanthropies. Mr. Newmark, the founder of craigslist, is a former member of CR’s Board of Directors, and his vision on the need to address the privacy and security challenges facing consumers in the digital age helped inform this new effort.