
Earlier this year, a Consumer Reports investigation into smart TV privacy and security found that millions of televisions from Samsung, as well as those from brands that use the Roku TV platform, could potentially be controlled by hackers exploiting easy-to-find security flaws.

Samsung recently addressed the problem with a firmware update to 2018 TVs, and Consumer Reports has confirmed that the vulnerability has been eliminated. Samsung says it plans to roll out a similar update for 2017 smart TVs later this fall.

“As we know that consumers value data security as much as their viewing experience, our Privacy and Security teams continue to evaluate the safety of the online experience in our products,” a Samsung spokesperson told CR by email.

Consumer Reports found the problem during a broad evaluation of privacy and security practices in the smart-TV platforms used by five major TV brands: LG, Samsung, Sony, TCL, and Vizio.


This was the first product test based on the Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights issues. The Digital Standard was introduced in 2017.

“Smart TVs were a natural place to start this kind of testing,” says Maria Rerecich, who oversees electronics testing at Consumer Reports. “These sets are growing in popularity, contain new interactivity technology like microphones and AI, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.”

The Problem

In our tests, we discovered that Samsung smart TVs, along with Roku TVs from TCL and other brands, would allow a hacker with minimal skills to change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection. This could be done over the web from thousands of miles away.

The vulnerabilities would not allow a hacker to spy on a TV viewer, steal information, or monitor what was being watched.

“I’d characterize this vulnerability as of low risk to consumers, but the fact that it was so easy to find was troubling,” says Robert Richter, who heads privacy and security testing at Consumer Reports. “It’s indicative of a problem where security in consumer electronics doesn’t get as much consistent attention as it should. I do think that’s starting to change.”

For the initial security testing, we used 2017 televisions from each of the brands.

We also checked 2018 TVs from Samsung once they became available. The details of the software vulnerability had changed somewhat. But in TVs from both years, the attack involved a user going to a web page with a smartphone or laptop, which would then direct the device to send out commands to the television over WiFi.

To conduct our testing, we constructed a web page that wasn’t exposed to the public. But in a real-world scenario, someone could be vulnerable to such an attack if they clicked on a link in an innocent-looking email sent by a hacker.

Samsung's Fix

Samsung’s update fixed a security flaw in a part of the TV’s software called an API, or application programming interface. Basically, an API lets two applications—on computers, online, or built into devices such as TVs—talk to each other.

“Once we updated the 2018 Samsung smart TVs in our labs with the new firmware, we were no longer able to exploit the flaw,” says Cody Feng, project leader for security and privacy testing at Consumer Reports.

When you use the official Samsung SmartThings app to control your TV, any command to raise the volume, change channels, and so on travels to Samsung servers through the internet and then back to your television.

But with the old firmware, the Samsung TVs would also obey commands received directly from devices on a home’s WiFi network without going through Samsung’s servers. That opened the door to the kind of attack we were able to carry out in our labs.

Now that door is locked.
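As an added illustration, not code from Consumer Reports, Samsung or Roku: a toy Python model of the two designs described above, a LAN control endpoint that obeys any host on the Wi-Fi beside one that refuses browser-originated requests and requires a pairing token issued only after an on-screen confirmation. The request shape, header names and pairing flow are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed model of a TV's LAN control endpoint (hypothetical; not any vendor's code).

@dataclass
class Request:
    path: str
    method: str
    headers: dict
    body: dict

class OpenLanControl:
    """Weak design: any host on the home network, including a browser that was
    steered to a web page, can issue control commands with no credential."""
    def handle(self, req):
        if req.method == "POST" and req.path == "/command":
            return 200, f"executed {req.body.get('action')}"
        return 404, "not found"

class PairedLanControl:
    """Hardened design: commands need a pairing token in a custom header (which a
    plain cross-site browser request cannot attach), and any request carrying a
    browser Origin header is refused outright."""
    def __init__(self):
        self._tokens = set()

    def pair(self, user_confirmed_on_screen):
        # The TV shows a prompt; only someone physically present can approve it.
        if not user_confirmed_on_screen:
            return None
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return token

    def handle(self, req):
        if req.method != "POST" or req.path != "/command":
            return 404, "not found"
        if "Origin" in req.headers:
            return 403, "browser-originated requests refused"
        presented = req.headers.get("X-Pairing-Token", "")
        # Constant-time comparison so token checks do not leak timing information.
        if not any(hmac.compare_digest(presented, t) for t in self._tokens):
            return 401, "pairing required"
        return 200, f"executed {req.body.get('action')}"
```

Routing commands through a vendor's servers, as the update described above does, is another way to close the same door; the pairing model keeps local control while still tying it to a user's explicit approval.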

Earlier this summer, Samsung introduced a firmware update fixing other security problems found by Consumer Reports, such as Google searches being conducted without standard encryption.

Roku OS Update Coming

We reached out to Roku to see whether it had addressed a similar problem on its platform, which likewise could allow a hacker to remotely take control of a television. This problem was also related to an unsecured API.

When CR first reported on our findings last February, Roku said the API didn’t present a security risk to customers and pointed out that external control of a Roku TV could be turned off in Settings. But this would also disable control of the device through Roku’s app.

When we contacted the company for this article, a spokesperson said by email: “The Roku feature called Control by Mobile App benefits millions of users by granting access to Roku’s highly rated mobile app and third-party apps that are used to control Roku TVs and players. This feature does not expose any user data and does not pose any data security risk to our customers.”

However, the company says that an upcoming firmware update, Roku OS 8.2, will block third-party apps while allowing people to use the official Roku mobile app for Roku TVs. And, the company said, the change will come to Roku streaming players in Roku OS 9.0 later this fall.

“Responses like these are great,” Richter says. “It shows that the community of manufacturers is responding to increased consumer interest in privacy and security.”