The Consumer Reports (CR) Digital Lab recently discovered a security flaw in the TiVo Stream 4K streaming media device that TiVo has now fixed after the company was notified of the issue by the nonprofit consumer research, testing, and advocacy organization.

During recent testing of various privacy and security aspects of streaming media devices, researchers at CR’s Digital Lab found that the TiVo Stream 4K transmitted user data in clear plaintext,  which could result in users’ sensitive information being intercepted. The data that was exposed included the SSID of the user’s WiFi network, as well as the city, state, and the latitudinal and longitudinal coordinates of the network's location. This could be used to pinpoint users’ actual street addresses under certain circumstances. 

“Streaming players, like many smart devices, collect and transmit sensitive data that you wouldn’t want to fall into the hands of a malicious actor. That’s why this data should be encrypted before it’s transmitted over the network,” said Ben Moskowitz, Director of Consumer Reports’ Digital Lab. “We applaud TiVo for expeditiously fixing this security vulnerability and making its devices safer for consumers.”

CR also tested the TiVo Edge DVR, which has built-in streaming capability, and noticed that it, too, was sending out unencrypted data. However, none of the information being transmitted was sensitive user data, such as IP addresses.

TiVo issued a software patch for the Stream 4K player soon after we notified the company, but CR’s testing showed that it didn't remedy the problem. However, subsequent CR testing confirmed that a second update pushed out in March did correct the issue. The device is no longer sending out unencrypted data. The Stream 4K was the only one of the 18 tested devices in CR’s streaming media player ratings that had this particular vulnerability. ​