Samsung and Roku Smart TVs Vulnerable to Hackers

Smart TVsThey are even getting into our TVs now!

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds

By Consumer Reports – “Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws.

The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio.

The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for. (see below.)

Data Collection in the Living Room
This is the first time Consumer Reports has carried out a test based on our new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights.

The goal is to educate consumers on their privacy and security options and to influence manufacturers to take these concerns into consideration when developing their products.

‘The Digital Standard can be used to evaluate many products that collect data and connect to the internet,’ says Maria Rerecich, who oversees electronics testing at Consumer Reports. ‘But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.’

Smart TVs represent the lion’s share of new televisions. According to market research firm IHS Markit, 69 percent of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018. Eighty-two million of these sets have already found their way to consumers.

Internet connectivity brings a lot of appealing functionality to modern televisions—including the ability to stream content through popular apps such as Hulu and Netflix, as well as to find content quickly using voice commands.

But that functionality comes with substantial data collection. Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers. For instance, if you’re watching a particular sports event, you could see an online advertisement from a brand interested in reaching fans of that sport.

In 2017 Vizio got in trouble with federal and state regulators for collecting this kind of data without users’ knowledge or consent. The company settled with the Federal Trade Commission for $1.5 million and the state of New Jersey for $700,000. The FTC has now made it clear that companies need your permission before collecting viewing data—but consumers may not understand the details, says Justin Brookman, director of privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

‘For years, consumers have had their behavior tracked when they’re online or using their smartphones,’ Brookman says. ‘But I don’t think a lot of people expect their television to be watching what they do.’

And manufacturers are aiming to make smart TVs the centerpiece of consumers’ increasingly connected homes. Companies such as LG and Samsung have recently shown off sets with built-in digital assistants that let you control other smart-home devices ranging from thermostats to security cameras to washing machines to smart speakers.

In a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51 percent were at least somewhat worried about the privacy implications of smart TVs and 62 percent were at least somewhat worried about the sets’ security practices.

What We Tested
We purchased five smart TVs from the most widely sold TV brands in the U.S. As we do for all products involved in CR’s testing program, we bought our samples through regular retail outlets.

Each set we bought used a different smart-TV platform.

Two of these were proprietary platforms. The Samsung UN49MU8000 incorporates the company’s Tizen system, and the LG 49UJ7700 uses LG’s webOS system.

The other sets make use of smart-TV platforms that are incorporated into multiple brands. The TCL 55P605 uses the Roku platform, which is also found in Hisense, Insignia, and other brands.

The Sony XBR-49X800E uses a version of Google’s Android TV, a platform also found in sets from LeEco and Sharp. And the Vizio P55-E1 SmartCast TV we tested uses Chromecast, another Google platform.

We didn’t incorporate our privacy and security findings into the Consumer Reports ratings of these televisions, and all these sets except the TCL are recommended models. But Consumer Reports is planning to include privacy and security test results in a number of products’ Overall Scores in the future.

For our security assessment we worked with engineers at Disconnect, which makes privacy-enhancing software for consumers and is one of CR’s partners in developing the Digital Standard. We conducted our privacy investigation in collaboration with both Disconnect and Ranking Digital Rights, another of our Digital Standard partners. (Like most websites, ConsumerReports.org collects user data. You can get the details on our privacy policy and our approach to privacy, including our policy positions, here.)

What We Found: Security
Our security testing focused on whether basic security practices were being followed in the design of each television’s software. ‘We were just looking for good security practices,’ Rerecich says. ‘Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.’

We discovered flaws in sets from TCL and Samsung.

They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.

The exploits didn’t let us extract information from the sets or monitor what was playing. The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.

The TCL vulnerability applies to devices running the Roku TV platform—including sets from other companies such Hisense, Hitachi, Insignia, Philips, RCA, and Sharp—as well as some of Roku’s own streaming media players, such as the Ultra.

The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. ‘Roku devices have a totally unsecured remote control API enabled by default,’ says Eason Goodale, Disconnect’s lead engineer. ‘This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.’

And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.

TCL referred us to Roku for questions about data collection and this vulnerability. A Roku spokeswoman said via email, ‘There is no security risk to our customers’ accounts or the Roku platform with the use of this API,’ and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

The Samsung vulnerability was harder to spot, and it could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device. ‘Samsung smart TVs attempt to ensure that only authorized applications can control the television,’ Goodale of Disconnect says. ‘Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.’

In an emailed statement, Samsung said, ‘We appreciate Consumer Reports’ alerting us to their potential concern,’ and that the company was still evaluating the issue. The company also said it would update the API to address other, less severe problems related to data security that CR uncovered. Those changes ‘will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible,’ the spokesman said.

What We Found: Privacy
Every smart TV we evaluated asked for permission to collect viewing data and other kinds of information.

But we found that it’s not always easy to understand what you’re agreeing to as you proceed through the setup process. And if you decline permissions, you can lose a surprising amount of functionality. In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

Here are some of the key findings.

Oversharing by design. Race through your TV’s setup, agreeing to everything, and a constant stream of viewing data will be collected through automatic content recognition. The technology identifies every show you play on the TV—including cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs—and sends the data to the TV maker or one of its business partners, or both.

ACR helps the TV recommend other shows you might want to watch. But it’s also used for targeting ads to you and your family, and for other marketing purposes. And you can’t easily review or delete this data later.

Your data or your internet. You can limit data collection, but you’ll lose functionality. Specifically, if you pay close attention, you can turn off ACR monitoring while still agreeing to a set’s basic privacy policy. But that may keep you from getting recommendations (‘You liked ‘Westworld.’ Have you checked out ‘Godless’?’) And even the basic privacy policies may ask for the right to collect information on your location, which streaming apps you click on, and more.

If you say no to these basic policies, the sets revert to old-fashioned dumb TVs: You can hook up a cable box or an antenna, but you won’t be able to stream anything from Amazon, Netflix, or other web-based services.

All-or-nothing privacy policy. The Sony television was the only one that required you to agree to a privacy policy and terms of service to complete the setup of the TV.

The set uses Google’s Android TV platform, and consumers have to click yes to Google agreements, even if they don’t plan to connect to the internet. That could be a frustrating thing to discover only after you’d bought the big-screen TV at the store, lugged it home, and maybe mounted it to a wall. Even though you can’t skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology.

And, Sony said in an emailed statement, ‘If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.’

What Consumers Can Do
You could just buy an old-fashioned ‘dumb’ TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports’ ratings, only 16 aren’t smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

If you do buy a new smart TV, decide whether you want to block the collection of viewing data. If so, pay close attention during setup. There, you can agree to the basic privacy policy and terms of service—which still triggers a significant amount of data collection—while declining ACR.

And, if you already have a smart TV but would like to restrict data collection, you can do the following:

Reset the TV to factory settings. Then, as you go through the setup process, say yes to the most basic privacy policies and terms of service but don’t agree to the collection of viewing data.

Turn off ACR using the settings. These settings are typically buried three or four menus deep—but we’ve compiled directions for you. ‘And,’ Brookman says, ‘if you can’t figure it out, call customer support and make them walk you through it.’ That will have the added benefit of letting companies know that you care about your privacy.

Turn off the TV’s WiFi connection. Do this, though, and you essentially don’t have a smart TV anymore. You’ll need to add a separate streaming media device to get web-based content. And, you won’t be surprised to hear, those devices may have their own expansive data collection practices.

Editor’s Note: An earlier version of this story incorrectly stated that Vizio settled a case about consumer viewing data with the FTC for $1.5 million and the state of New Jersey for $2.2 million. The settlement with New Jersey was for $700,000.”

Chromecast on VLC 3.0!

VLC 3.0What we have waited so long for, Chromecast on VLC, is finally here!

VLC 3.0 lands on Android, Chrome OS, and other platforms with Chromecast support in tow

9to5 Google – By: Ben Schoon – “VLC is one of the most used media programs on the planet, and today it’s getting its first major update in nearly 2 years. VLC 3.0 is available now, and it’s going to be available on all major platforms at once with some big features in tow.

VLC 3.0 is the first concurrent release the player has ever had across all its supported platforms including Android, Chrome OS, Android TV, Linux, macOS, iOS, Apple TV, and Windows.

This new update features over 1,500 bug fixes, support for HDR, 360-degree video, optimization for the iPhone X, hardware accelerated decoding, and the big one, support for Google’s Chromecast.

VLC users haven’t been quiet over the years in expressing their desire for this functionality, and after briefly showing up in a beta update last month, the functionality is now official. Unfortunately for some, this functionality is limited to the Android app only, but that includes support for Chromebooks and Samsung’s DeX environment.

As you’d expect, Chromecast support on VLC allows you to play native media on your big screen with the tap of a button, with ‘formats not supported natively’ even working with this functionality. It’s a welcome addition, no doubt, and one you can easily try out now by downloading the update via Google Play.

VLC explains in another post why Chromecast support took as long to arrive as it did, but it really comes down to the fact that Google’s streaming platform is meant for just that, streaming. Local files were never supposed to work properly with it, despite the attempts we’ve seen over the years. Video formats also proved to be a challenge.

…Chromecast only supports very few codecs number, let’s say h264. Google ensures that your video is encoded in h264 format on youtube.com, so streaming is simple. With VLC, you have media of any format. So VLC has to be a http server like youtube.com, and provide the video in a Chromecast compatible format. And of course in real time, which is challenging on Android because phones are less powerful than computers.

VLC v3.0 is available now on Google Play, and for other platforms, you can head over to VLC’s site for the respective download links.”

VLC Player Download!

To use your Chromecast to play from VLC 3.0, in VLC select “Playback,” then “Renderer” and then choose your Chromecast device. Cool!

Tablo DVR Now Supported on Samsung TVs

Tablo DVRs Now Support Samsung Smart TVs

Cord Cutters News – By: Luke Bouma – “Today Nuvyyo, the maker of Tablo DVRs, announced a new native app for Samsung smart TVs that run the TIZEN OS and are built from 2015 to today.

‘Tablo offers the widest breadth of fully functional DVR app support of any over-the-air TV solution on the market,’ said Grant Hall, CEO at Nuvyyo, the makers of Tablo. ‘Now more than ever, Tablo gives cord cutters the opportunity to enjoy their favorite TV programs including network dramas, comedies, news, and sports like the Olympics from channels like NBC, ABC, CBS, and Fox, on any screen, anytime, anywhere—including Samsung TIZEN Smart TVs.’

You will no longer need a separate streaming player to access your OTA DVR if you use Tablo with a Samsung smart TV. Now you will be able to access DVR recordings, live TV, and pause, play, and rewind live TV natively on Samsung smart Tvs.

Samsung smart TVs join a growing list of devices the Tablo DVR will work with including Roku, Fire TV, Apple TV, Android TV, Android, iOS, laptops, and desktop PCs.”

Google Begins YouTubeTV Feed on Roku

YouTubeTV on RokuIt took a while, but it is finally here! If you are a YouTubeTV subscriber, you can now watch on your Roku.

YouTube’s live TV starts streaming on Roku devices

Engadget – By: Jon Fingas – “Google is living up to its promise of making native YouTube TV apps available for the media hub of your choice. You can now add a YouTube TV channel on ‘select’ Roku devices, giving you the service’s usual range of live broadcasts, a cloud DVR and the other perks of the cord cutter service. There isn’t any mention of Roku-specific features, but the allure is really the freedom to watch in your living room using a device explicitly meant for a laid-back viewing experience.

There’s no mention of how close the Apple TV app might be. However, Google had promised both that and the Roku app in early 2018. The chances are that you won’t have to wait long to watch however you like. That’s crucial for a live TV offering that’s growing quickly, but still has a small-enough base that added support could be a big deal.”

300,000 in Less Than a Year for YouTube TV

Cord Cutters flock to YouTube TV!

YouTube TVYouTube TV reportedly has 300,000 paying subscribers less than a year in

9to5Google – By: Abner Li – “Since its full launch in April, YouTube has been actively expanding its cord-cutting live television service with new cities, apps, and features. A new report today claims that YouTube TV has amassed just over 300,000 paying subscribers.

CNBC acquired the figure from a source as part of a broader piece detailing live TV services. The report also notes that Hulu with Live TV — which launched a month later with more channels, on-demand library, and features a number of upgrade options — has about 450,000 subscribers.

The latter figures come as Hulu earlier this month announced that the Live TV service, along with its Netflix streaming library competitor, has about 17 million users. We do not have a similar figure from YouTube, with Red rumored to only have 1.5 million subscribers as of November 2016.

Both online offerings pale in comparison to services offered by traditional satellite television providers. AT&T’s DirecTV Now has 1 million paying users as of last month, while Dish’s Sling TV is estimated to have more than 2 million.

YouTube TV costs $35 per month and offers 52 channels, including the big four broadcast networks and an assortment of other cable channels. The subscription includes six user accounts featuring unlimited DVR, with apps for the web, iOS, Android, streaming boxes, and smart TVs. As of last month, it is available in 84 markets across the country.”

Google Breaks YouTube on FireTV… Again!

YouTube IssuesThe crazy feud continues!

Google briefly broke Amazon’s workaround for YouTube on Fire TV

The Verge – By Chris Welch – “Google and Amazon aren’t getting any closer to ending their bitter feud. In fact, today the user-hostile fight between them is only getting worse. YouTube briefly appeared to have blocked the Silk web browser on Fire TV from displaying the TV-optimized interface normally shown on large screens. As a result, trying to navigate YouTube and watch videos became a usability nightmare on Amazon’s popular streaming products.

We confirmed the TV interface wasn’t working around 5:00PM ET; by around 6PM, the TV interface had returned. Amazon declined to comment; Google didn’t immediately respond to a request for comment.

While the TV interface was unavailable, YouTube on the Fire TV was basically a desktop computer experience. To control it, you had to browse around with the Fire TV remote (not exactly simple), play a video, then click to maximize it to fill the screen. Firefox for Fire TV was blocked from showing the TV-optimized view, as well.

This temporary change follows Google’s decision to remove YouTube from Fire TV altogether late last month, which was the company’s most aggressive move yet in its ongoing spat with Amazon. Google has criticized Amazon for refusing to sell its products or build Chromecast support into Prime Video on Android. Amazon began to address those complaints on December 14th by claiming it would restore sales of the Chromecast. Over a month later, Google’s streaming gadgets remain unavailable. (The Apple TV, which had also been kicked off Amazon.com for years, is shipping as promised.) Amazon has given no indication that it intends to sell Google Home, a rival to its own Echo smart speaker.

A faint glimmer of hope that tensions might cool between the two came in December when Google said it was holding ‘productive’ talks with Amazon about keeping YouTube around and not taking out this feud on their mutual customers.

Enough already.”

Tech Turf Wars: Second Volley!

Cannon ShotThe Tech Turf Wars continue as Microsoft excludes Google Chrome from the Microsoft store within Windows; these guys are getting serious! And frankly it’s a little annoying! We ought to be able to make her own decisions as to what products we run and which ones are available! So Amazon, Google, Microsoft… Get off our backs!

Microsoft removes Google’s Chrome installer from the Windows Store

The Verge – By: Tom Warren – “Google published a Chrome app in the Windows Store earlier today, which just directed users to a download link to install the browser. Microsoft isn’t impressed with Google’s obvious snub of the Windows Store, and it’s taking action. ‘We have removed the Google Chrome Installer App from Microsoft Store, as it violates our Microsoft Store policies,’ says a Microsoft spokesperson in a statement to The Verge.

Citing the need to ensure apps ‘provide unique and distinct value,’ Microsoft says ‘we welcome Google to build a Microsoft Store browser app compliant with our Microsoft Store policies.’ That’s an invitation that Google is unlikely to accept. There are many reasons Google won’t likely bring Chrome to the Windows Store, but the primary reason is probably related to Microsoft’s Windows 10 S restrictions. Windows Store apps that browse the web must use HTML and JavaScript engines provided by Windows 10, and Google’s Chrome browser uses its own Blink rendering engine. Google would have to create a special Chrome app that would adhere to Microsoft’s Store policies.

Most Windows 10 machines don’t run Windows 10 S, so Google probably won’t create a special version just to get its browser listed in the Windows Store. Google can’t just package its existing desktop app into a Centennial Windows Store app, either. Microsoft is explicit about any store apps having to use the Edge rendering engine.

The Verge understands Google created this installer app to combat the fake Chrome apps that can be found in the Windows Store, a problem Microsoft has been trying to address for years. Google’s workaround has now been removed from the Windows Store, so Windows 10 users will have to continue using Microsoft Edge to access the download site for Chrome if they want to access Google’s browser.

This isn’t the first time Microsoft and Google have battled over browsers or platforms. Both companies fought over a YouTube app for Windows Phone, Microsoft targeted Google with ‘Scroogled’ commercials, and Microsoft has also criticized Chrome’s battery usage. We’ve reached out to Google to see if this is a battle that will continue, but the company is not commenting on the removal.”

Looking For Last Minute Techie Gifts?

Roku UltraAs you may know I have an Amazon fire TV stick, a Roku Ultra, a Google Chromecast, and the generic Android video streamer. So, I’m not hurting when it comes to video streaming devices! I can highly recommend both the Roku and the Fire TV stick! For most folks either one of these will be a good choice for Christmas presents if you have folks that don’t yet have these technologies. If you’re looking for a good price on a casual streamer I would recommend the Google Chromecast… It doesn’t have all the options of the Roku or the FireTV stick, but it works really well to cast video from your laptop or computer, or even your phone or tablet, to your TV!

Either way, as last-minute gifts, a streaming device is a good choice!

The best TVs and media streamers to give as gifts

Engadget – “Unless the person on your list already owns a smart TV, media streamers are almost fool-proof as far as gift ideas go, and they’re reasonably affordable too. We put several in our holiday gift guide, including the Apple TV 4K at the high end and the Roku Ultra, which is nearly half the price. Rounding out the list, we recommend this universal remote from Logitech (though the company’s cheaper models are solid, too). And, if you have the means to gift a TV (whether to yourself or someone else), we included two models in different price ranges.”

Amazon vs. Google: Turf Wars!

Turf WarsFrom the Tablo newsletter:

“This has been the week of beefs between tech companies in the cord cutting world.

Beef #1: Early in the week, cord cutters were noting the Amazon Video app still hadn’t appeared on the Apple TV, despite the announcement six months ago that it would. The next day Amazon’s app magically appeared in Apple’s App Store! Beef #1 ended.

Beef #2: Google is also in a multi-faceted tussle with Amazon. Amazon does not carry Google hardware products like Chromecast and doesn’t allow its Prime Video service to be cast to the popular dongle. In retaliation, Google is yanking support for YouTube (which it owns) on all Amazon devices. Unlike beef #1, there is no resolution in sight for this one and cord cutters are stuck in the middle.

Meanwhile, market leader Roku – which has taken a ‘Switzerland-style’ open approach to content – is sitting back with a smile.

If you’re interested in learning more about these turf wars, theories on their origins, and how they affect cord cutters, TechHive has an excellent rundown.”

Dr. Bill.TV #421 – Audio – “The Great Adventure with Fading Lights Edition!”

Hackers exploit Word vulnerability, BIG Cyber Monday, CloudBerry Backup 5.8, Holiday shoppers buy phones, a county in Georgia builds a spaceport, Linux Mint 18.3 ‘Sylvia.’ Amazon’s Silk Browser for FireTV, GSotW: BOOTICE, simple hack for MacOS High Sierra

Links that pertain to this Netcast:

TechPodcasts Network

International Association of Internet Broadcasters

Blubrry Network

Dr. Bill Bailey.NET

Bluestacks Android Emulator

TerrariumTV Facebook Page

How to Install TerrariumTV on Bluestacks Android Emulator

BOOTICE Web Site


Start the Video Netcast in the Blubrry Video Player above by
clicking on the “Play” Button in the center of the screen.

(Click on the buttons below to Stream the Netcast in your “format of choice”)








Streaming MP3 Audio

Streaming Ogg Audio

Download M4V Download WebM Download MP3 Download Ogg
(Right-Click on any link above, and select “Save As…” to save the Netcast on your PC.)

You may also watch the Dr. Bill.TV Show on these services!

 

Dr. Bill.TV on YouTube Dr. Bill.TV on Vimeo

 


1 3 4 5 6 7 10