The TiVo Stream 4K streaming device against a red background

Just like smart TVs, streaming players can capture a lot of important information about you and your network, and then send it across the internet. Because the information could be of use to criminals, it’s standard practice to encrypt this data while it’s in transit. 

But during recent testing of the privacy and security of several streaming media devices, Consumer Reports’ Digital Lab found that TiVo’s dedicated streaming player, the TiVo Stream 4K, wasn’t encrypting the data it sent out. The information could be read by anyone able to intercept it. The TiVo was the only one of the 18 devices in our streaming media player ratings with this problem.

More on Security & Privacy

Among the user information that was exposed were the SSID—short for service set identifier, basically your network’s name—along with the city and state where your home network is located, and its longitude and latitude coordinates. This could be used to pinpoint your street address under certain conditions.

According to Steve Blair, who conducts privacy and security testing at CR, that TiVo Stream 4K flaw could leave users open to security vulnerabilities. “An attacker—for example, a malicious app that has access to the user’s network—could utilize this information in conjunction with other available data to create an even more invasive attack,” Blair says. 

TiVo Releases Software Update

We notified TiVo of the problems in March, and the company quickly agreed to fix the problem. “The weakness identified by Consumer Reports, attributable to a third-party application’s transmission of certain data, has now been addressed,” a TiVo spokesperson said via email.

“We are taking this opportunity to proactively review device activity with our other partners and determine if similar weaknesses exist, and will correspondingly address any new issues which might arise from that investigation,” the spokesperson said.

We decided to check the TiVo Edge DVR for the same problem, and found that it, too, was sending out unencrypted data. However, the information didn’t include user data such as IP addresses, and we don’t judge it to be a risk to consumers.

TiVo issued a software patch for the Stream 4K player soon after we notified the company, but our testing showed that it didn’t remedy the problem. However, Consumer Reports’ testing confirmed that a second update pushed at the end of March did correct it. The device is no longer sending out unencrypted data. 

The good news is that if you own a TiVo Stream 4K player, you don’t need to do anything. The company says that a new version of the software is already available and has been pushed out as an update to all TiVo Stream 4K users.

New Privacy, Security Scores in Ratings

This is the first time Consumer Reports has added data privacy and security scores for all the streaming players we test. We already incorporate privacy and security testing into our ratings of password managers, wireless routers, TVs, video doorbells, and some other product categories, and we’re adding more every year.

Like all the products that Consumer Reports tests and rates, all the streaming devices were purchased at retail stores. We evaluated the various ways streaming device brands collect, use, and share consumer data, how well they protect it, and how transparent the companies are about their data practices. We also judge companies by how they handle security procedures, such as encrypting all user communications by default, enabling automatic security updates, and protecting against known security vulnerabilities.