Streaming devices are also vulnerable
It sounds like Roku just might have set up the pranksters out there with the perfect way to mess with their friends, family, or significant others. Consumer Reports is clear that none of the vulnerabilities it has found would allow the hacker to spy on the user or steal any of their information. Also tested were smart TVs from LG, Sony, and Vizio. CR says that all the TVs raised privacy concerns because they collect very detailed data on the users.
Part of the data collection that CR is talking about is called automatic content recognition or ACR. That feature can be combined with other information and used to target advertising on your TV and mobile phone. Last February, Vizio was fined for collecting and selling data of this sort without the permission of its users.
Flaws found in TCL and Samsung smart TVs would allow control over volume, rapid cycling through channels, opening YouTube content or removing the TV from the Wi-Fi network. TVs using the Roku Platform had an issue with the developer APIs as well.
"Roku devices have a totally unsecured remote control API enabled by default," says Eason Goodale, Disconnect’s lead engineer. "This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign."
CR says that to take advantage of these hacks, the TV user
"Samsung smart TVs attempt to ensure that only authorized applications can control the television," Goodale of Disconnect says. "Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again."
There are three ways to avoid these exploits. The first is to reset the TV to factory settings and not agree to the collection of viewing data. The second is to turn off ACR settings, if you can figure out how to do that. The third is a deal breaker for most smart TV owners: turn off Wi-Fi.
Roku reached out to HotHardware with a statement regarding this issue:
"Roku takes security very seriously. There is no security risk to our customers’ accounts or to the Roku platform as stated by Consumer Reports.
Roku enables third-party developers to create remote control applications that consumers can use to control their Roku devices. These applications are only accessible to those on a customer’s Wi-Fi which we recommend consumers lock.
If customers prefer, they can turn off this feature by going to Settings>System>Advanced System Settings>External Control>Disabled. Any characterization of this feature as a vulnerability is inaccurate."