Voice Data Uploaded By Samsung Smart TVs Is Unencrypted, Company Vows To Fix Issue
To clarify things, Samsung in a blog post trumpeted the usual company rhetoric about taking your privacy seriously and all that jazz, then proceeded to stick its foot in its mouth.
"We employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorized collection or use," Samsung halfway fibbed.
The truth, as discovered by Ken Munro and David Lodge from security outfit Pen Test Partners, is that some Samsung Smart TVs aren't in fact using encryption at all when transmitting voice commands.
"What we see here is not SSL encrypted data. It’s not even HTTP data, it's a mix of XML and some custom binary data packet," Pen Test Partners explained in a blog post. "The sneaky swines; they’re using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don’t understand why they don’t encapsulate it in HTTP(S) though.
Anyway, what we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use."
This means hackers wouldn't even need to listen to the recordings to know what you're saying; they could just read the intercepted text. And if you have a nosy neighbor who's tech savvy, he could accomplish this over Wi-Fi -- no need to hack into the destination server.
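The pattern Pen Test Partners describes, traffic on 443/tcp that is not actually TLS, is something a network owner can check for by inspecting the first client bytes of each connection. The following is an added example, not code from Pen Test Partners or Samsung; the function names, flow IDs and sample payloads are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # first handshake message a TLS client sends
MAX_RECORD_LEN = 2**14 + 2048   # largest record body TLS allows (RFC 5246)

def looks_like_client_hello(payload: bytes) -> bool:
    """Check the 5-byte TLS record header plus the handshake type byte."""
    if len(payload) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if not 0 < length <= MAX_RECORD_LEN:
        return False
    return payload[5] == CLIENT_HELLO

def classify_first_payload(payload: bytes) -> str:
    """Label the first client-to-server bytes of a TCP connection."""
    if looks_like_client_hello(payload):
        return "tls"
    head = payload[:512]
    if not head:
        return "empty"
    # XML may follow a custom binary prefix, so search rather than match at offset 0.
    if b"<?xml" in head or b"</" in head:
        return "cleartext-xml"
    printable = sum(32 <= b < 127 for b in head) / len(head)
    return "cleartext-text" if printable >= 0.85 else "non-tls-binary"

def audit_flows(flows, port=443):
    """Return (flow_id, verdict) for flows to `port` that did not start with TLS."""
    findings = []
    for flow_id, dst_port, first_payload in flows:
        if dst_port != port:
            continue
        verdict = classify_first_payload(first_payload)
        if verdict != "tls":
            findings.append((flow_id, verdict))
    return findings

# Constructed sample payloads (not captured from any real device).
TLS_SAMPLE = bytes.fromhex("16030100c8010000c40303") + bytes(32)
XML_SAMPLE = b"\x00\x00\x01\x2a" + b'<?xml version="1.0"?><device mac="00:00:5E:00:53:01" os="EXAMPLE-OS"/>'
BIN_SAMPLE = bytes(range(0x80, 0xC0))
SAMPLE_FLOWS = [("flow-1", 443, TLS_SAMPLE), ("flow-2", 443, XML_SAMPLE),
                ("flow-3", 443, BIN_SAMPLE), ("flow-4", 80, XML_SAMPLE)]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

In practice the first payload of each flow would come from a packet capture or a network sensor; a flow flagged here is a prompt to look at what the device is sending, not proof of a leak.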
We don't want to make a mountain out of a molehill here, and Samsung has said that it's working to introduce encryption on its older TV models that don't already have it. But it's a little unsettling that the missteps seem to be adding up.