Voice Data Uploaded By Samsung Smart TVs Is Unencrypted, Company Vows To Fix Issue

Samsung has confirmed that some of its slightly older Smart TV models are currently uploading recorded voice communication without any form of encryption to protect the user's privacy. This goes against what Samsung stated in a recent blog post clarifying the limited circumstances in which voice commands are recorded and transmitted to a server.

Backtracking a moment, the web freaked out when it was discovered that Samsung's Smart TVs were seemingly eavesdropping on living room conversations. The truth wasn't quite as nefarious, though a supplement to Samsung's privacy policy did reveal that some voice commands could be transmitted to a third-party service to convert the speech to text, in part to improve the service.

To clarify things, Samsung in a blog post trumpeted the usual company rhetoric about taking your privacy seriously and all that jazz, then proceeded to stick its foot in its mouth.

Samsung Smart TV

"We employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorized collection or use," Samsung halfway fibbed.

The truth, as discovered by Ken Munro and David Lodge from security outfit Pen Test Partners, is that some Samsung Smart TVs aren't in fact using encryption at all when transmitting voice commands.

"What we see here is not SSL encrypted data. It’s not even HTTP data, it's a mix of XML and some custom binary data packet," Pen Test Partners explained in a
blog post. " The sneaky swines; they’re using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don’t understand why they don’t encapsulate it in HTTP(S) though.

Anyway, what we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use."

This means hackers wouldn't even need to listen to the recordings to know what you're saying, they could just read the intercepted text. And if you have a nosy neighbor who's tech savvy, he could accomplish this over Wi-Fi -- no need to hack to the destination server.

We don't want to make a mountain out of a molehill here, and Samsung has said that it's working to introduce encryption on its older TV models that don't already have it. But it's a little unsettling that the 
missteps seem to be adding up.