The company issued a firmware update for its LG 42LN575V model television sets, which were the subject of scrutiny last week after a UK-based technology consultant using the handle “DoctorBeet” discovered that his LG television was transmitting information about his viewing habits to company servers without his consent.
The blogger, “DoctorBeet” (aka Jason Huntley, of Yorkshire, England), first wrote about his discovery on November 18, setting off a small firestorm of controversy. An analysis by Huntley uncovered a number of sketchy or outright illegal data harvesting behaviors. Among them:
- His LG television sent information on which channels he viewed to an LG-owned web domain. (The domain in question was not in service at the time.)
- The LG television relayed information on media files viewed on the device to its servers in the “cloud” in cleartext, leaving that information susceptible to snooping and man-in-the-middle attacks.
- The television sent information regardless of whether a (default-on) option, “Collection of watching info,” was enabled or disabled on the set.
Caught with its hand in the ‘user data’ cookie jar, LG initially told Huntley that the data harvesting was allowable under the “Terms and Conditions” agreement and designed to allow advertisers to deliver more “relevant advertisements,” and disputed the notion that viewing habits constituted “personal information.”
“Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information,” the company told the web site TrustedReviews.com. “This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching.”
Feeling the heat from the public, LG subsequently backtracked, promising to fix the broken “Collection of watching info” option and assuring customers in a subsequent statement that it “does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners.” (Of course, given that the SmartTV features were not fully implemented, the company could be correct in that statement, while omitting its intention to do exactly what it denied doing – once it got the technology right.)
LG did not respond to a request for comment from The Security Ledger. However, other sources claim that the firmware update appears to have fixed the issue with involuntary data collection. Writing to The Security Ledger via Twitter, Huntley (“DoctorBeet”) said he had been told by other LG owners that the check box option for “Collection of watching info” did stop data transmissions when it was turned “off.”
However, the company will face more scrutiny over whether features that capture the names of external media files viewed on its TVs were intended to snoop on customers. That behavior was part of an as-yet-unrealized feature for using web searches to harvest metadata on programs that are being viewed on its TVs.
After badly playing its hand, LG is catching heat from industry watchers like Graham Cluley for its argument that information on what television shows its customers watch and their behavior while watching them, as well as data on what other digital media they consume, isn’t “personal information.” That takes a rather narrow view of what constitutes “personal information,” many argue.
Problems with Internet-connected home appliances and consumer devices are increasingly the stuff of headlines.
At the last Black Hat Briefings conference in Las Vegas, for example, researchers warned that “smart” TVs from Samsung were riddled with trivial web application vulnerabilities that could leave them open to remote hackers. That warning followed the work of other researchers who had discovered vulnerabilities that could, potentially, turn Samsung TVs equipped with webcams into devices capable of spying on their owners.