'Consumer Reports' Says Roku, Samsung Smart TVs Have Security Vulnerabilities

Feb 7, 2018
Originally published on February 7, 2018 4:50 pm

Roku devices and Samsung smart TVs have easy-to-exploit security vulnerabilities, according to testing carried out by Consumer Reports.

"We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume," the magazine says. "This could be done over the web, from thousands of miles away."

Consumer Reports points out that suddenly having channels change could be confusing or even frightening to someone who was unaware of why it was happening.

A smart TV is highly customizable and lets users watch Internet streaming services such as Netflix or Hulu on their televisions; however, that Internet connection exposes the sets to attackers in ways older TVs were not.

Consumer Reports found the vulnerability in a TCL TV model that uses the Roku system, and says it is also present in other models running the Roku platform. This is how the hackers could get in, according to Consumer Reports:

"The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. 'Roku devices have a totally unsecured remote control API enabled by default,' says Eason Goodale, Disconnect's lead engineer. 'This means that even extremely unsophisticated hackers can take control of Rokus. It's less of a locked door and more of a see-through curtain next to a neon "We're open!" sign.'

"To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

In a blog post, Roku's Gary Ellison describes the Consumer Reports study as a "mischaracterization of a feature." He says the application programming interface can be turned off "by going to Settings>System>Advanced System Settings>External Control>Disabled."

Ellison says there is "no security risk." However, company spokeswoman Tricia Mifsud tells NPR that "a consumer could click on something that exposes their computer," and the remote control API does allow the volume or channel to be changed. At the same time, she stresses that this can cause only limited damage — "there is no security risk to a customer's account or to the Roku platform."

The apparent Samsung security gap "was harder to spot," Consumer Reports says. "It could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device."

Samsung tells the publication that it is evaluating the situation.

This was part of a broader evaluation by Consumer Reports of a number of top smart TVs. The watchdog also raised concerns about how much information was being collected about users.

It said that "every smart TV we evaluated asked for permission to collect viewing data and other kinds of information." However, the process by which people agree is often murky, Consumer Reports says, and declining consent often costs the user functionality.

Last year, Vizio, a major smart TV producer, agreed to pay $2.2 million in a settlement over data it collected on 11 million TVs without consent.

You can read the full report — as well as tips on how to protect your security and privacy — at this link.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.