The FBI Says Your TV Is Probably Spying On You
from the watching-you-watching-me dept
Like most of the infamous “internet of things” (IOT), smart TVs are a security and privacy dumpster fire. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data unencrypted to the cloud. One study in 2017 surmised that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.
This week, the FBI, that bastion of sage privacy and security advice, issued a blog post out of its Portland field office warning Cyber Monday shoppers that their smart TV is a little too smart, and likely watches you as much as you watch it. The post is filled with some handy tips to help you protect your privacy:
“Know exactly what features your TV has and how to control those features. Do a basic Internet search with your model number and the words "microphone," "camera," and "privacy." Don’t depend on the default security settings. Change passwords if you can – and know how to turn off the microphones, cameras, and collection of personal information if possible. If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service. If you can’t turn off a camera but want to, a simple piece of black tape over the camera eye is a back-to-basics option. Check the manufacturer’s ability to update your device with security patches. Can they do this? Have they done it in the past? Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it.”
Granted, such tips don’t really do much to fix a broken sector where privacy and security remain an afterthought. A Consumer Reports study from last year found that things aren’t really improving in the space. Government hasn’t done much to pass any meaningful privacy law for the internet era. Gadget-obsessed consumers are historically oblivious or apathetic to the problem. And product makers are too busy worrying about margins and the next big product launch to spend money to upgrade past sets or improve their privacy and security practices (at least not until there’s another major scandal).
And if you’ve shopped for a TV recently, you may have noticed that it’s largely impossible to just buy a “dumb” TV set without all of the “smart” internals. More specifically, most TV vendors don’t want to sell you a bare-bones set because they want you to use their streaming services. Even more specifically, they want you to buy their sets with their specific streaming functionality because they want to spy on you and monetize your usage data.
So yeah, the FBI’s tips are great and all, but they don’t really get to the root of the market dysfunction that’s plaguing the IOT space. There are plenty of fractured entities trying to help (like Consumer Reports’ efforts to integrate an open source privacy and security standard in hardware reviews, or efforts at Princeton to make it clear what devices are actually doing on the network), but in terms of any kind of cohesive solution to the problem, there’s little to nothing on the horizon.
Comments on “The FBI Says Your TV Is Probably Spying On You”
FBI Not Using This???
These are the same guys that have no problem using domestic NSA data for parallel construction, hosting child porn on darkweb sites, and think encryption is a tool only used by terrorists and should be banned… How bad does TV security have to be that even the FBI says ‘yeah… that is even too much for us…’?!
Re: FBI Not Using This???
Could it be that they are upset that they don’t have access to those feeds? We already know that they are very sensitive to butt hurt. On the other hand, maybe they found out that some of them own such TVs and are upset that THEY are being spied upon.
Re: Re: FBI Not Using This???
They do seem to hate competition.
Re: FBI Not Using This???
To be fair, this comes from the Portland office. If you check previous missives from the FBI, you’ll find that most of the ones that actually have US citizens in mind come from the Portland office.
The FBI has no problems with the west coast helping citizens while the east coast manufactures larger budgets for next year.
Re: Re: FBI Not Using This???
That’s pretty interesting. I never noticed that before. So it’s not so much that the FBI is being hypocritical; it’s just that there is more than one office that ostensibly speaks for the FBI, and the words and actions of one office don’t really fit the words and actions of another.
Re: FBI Not Using This???
Even if they were using it, it is now obsolete. There are a lot of old or new ways to spy on us. Thermovision (never gets old, only upgraded ;), wifi waves, 4G and 5G networks, any OS on any device. Wikileaks told us many things about this, but the FBI is “disclosing” an already known way of spying. Such good guys!
Re: Re: FBI Not Using This???
Well, I’m pretty sure they aren’t using our microwaves at least.
Re: FBI Not Using This???
Rite lol
Everyone is being watched, this will only get worse
Time to nuke this experiment called "human life" hahahahahaha
…and they’re jealous they don’t have that kind of warrant-free access.
Late to the Party
Solution to "Smart TV":
Do not connect it to the Internet. If TV wants WiFi connection, most likely, black hole it to loop back.
This comment requires disclaimer – cut ground wire (by warranty) to mic and camera.
Re: Late to the Party
I fully agree with your first point. DO NOT CONNECT.
Re: Re: Late to the Party
Item #1 will be any option to consumers. TV with all kinds of apps that are marketed as features is just "make the tablet bigger". I have Amazon TV Stick on HDMI but there is a trust level that IoT will never have. Is Amazon TV watching me? Why bother they already know everything useful business wise.
So, would a trusted device that has gets no benefit from watching people-watching-porn-and-having-sex-party? Big No. But someone who gets off sneaking into IoT lame to no security = BIG YES.
Lastly, trusted devices are not error free – it is tricky keeping wolves out. That doorbell just told the coppers teenagers are drunk on your porch. Video at eleven.
Re: Re: Re: Late to the Party
In order to make a trusted device (assuming it deserves trust and you’re not trusting an insecure piece of crap) you have to take steps to secure it like not connecting it to the internet, manually (professionally) inspecting its source code, and/or manually inspecting the source of any updates you apply to it.
That includes the OS, drivers, and if you’re being really careful, making sure the circuit schematics are what you ordered.
You should not trust off the shelf consumer electronics to not be breached if someone tries.
Re: Re: Re:2 Late to the Party
FYI, in computer security, such an insecure piece of crap could be considered a "trusted" system—i.e., a system that’s relied upon to enforce a security policy (like keeping strangers away from your living-room camera and microphone). "Trustworthy" would be a better term for what you describe.
Re: Re: Re:2 Late to the Party
"In order to make a trusted device (assuming it deserves trust and you’re not trusting an insecure piece of crap) you have to take steps to secure it…"
Well…
"I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing–you’re screwed.""
The dreadful thing about IoT is that it dumps the full weight of network security on top of a toaster oven manufacturer who can’t reasonably realize just in how many ways the AP of their new toaster oven can be used to screw the end user.
That said, my first advice for any item which contains a wifi AP without an actual need for it is to disable that wifi on installation, if need be with a soldering iron.
Re: Re: Re: Late to the Party
"trusted device"
Big mistake
Re: Late to the Party
Goes to show what kind of world we live in where we have to "dumb down" our TVs manually instead of having the option. Personally all I want from my TV is to play discs and watch television. That’s it. I don’t care about it having apps, the latest up-to-date news, etc.
Guess I chalk it up to growing up in a time where a TV was just a TV instead of the dumpster fire TVs we have now.
Re: Re: Late to the Party
You do have options. You’re either into the computer monitor market, or, if you want a larger screen, the commercial display market (effectively, TVs for meeting rooms, transit schedules, etc.—usually HDMI and/or DisplayPort inputs, no TV tuner, may or may not be "smart"). The commercial displays cost more and probably don’t go on sale.
Re: Re: Re: Late to the Party
IOW, larger “dumb” TVs are more costly and/or harder to acquire than smart TVs of the same size. Otherwise, you go for a computer monitor or an older TV from a pawn shop to avoid your TV being part of the IOT.
Re: Re: Re: Late to the Party
"You do have options."
Fewer each year. It’s a question of time before your startup splash screen on the TV consists of whatever your TV’s manufacturer thought would be good advertising.
Re: Re: Re:2 Late to the Party
I’ve got a JVC smart TV and it’s not hooked up to the internet. It’s hooked up to BT Vision.
Now that thing spies on me; I’m obliged to sign in to BBC, ITV, and Channel 4 every time I want to watch something. Okay, so I only had to code in once but they know what I’m watching and when I watch it.
BBC even has the nerve to ask me to sign more people in so they can tell who is watching. I don’t do that. Still, they’re nosy toe-rags.
Re: Re: Re:3 Late to the Party
Orwell’s "telescreens" from 1984 are becoming a reality.
Re: Late to the Party
Number one all day long.
This is what I did with my TV. I never connected it to my WiFi. If I want to stream something I can either connect my computer, use my Xbox or cast to my Chromecast. (Yes I realize there are potential privacy issues with Chromecast as well but I can lock some of that down via firewall and it’s not watching or listening to me in my house, it can only see what I cast to it.)
Number 2 is not technically feasible for your average user as they would have to take apart the TV and know exactly which wires to cut or not cut.
Number 3 is rarely an option anymore as most TVs are no longer made without smart capabilities. So while technically you can find an older one without IoT, it won’t have all the new hardware and display features that AREN’T related to IoT that you may actually want. I ran into this when buying my current TV.
Re: Late to the Party
In theory, that shouldn’t affect the warranty of other TV components (by the Magnuson-Moss Warranty Act). See also Snowden’s "Going Black" video.
Re: Late to the Party
I agree with the ‘don’t connect to the internet’. The data is not passed on and no one is coming back to hack in. I’m happy with an antenna and so far, I’ve heard nothing of these smart tvs broadcasting back.
Don’t spend much tv watching time.
"a simple piece of black tape over the camera eye is a back-to-basics option."
They will just embed the cam into the display, in multiple places, you may not be able to see them. Best to not connect it to the internet.
Re: Re:
That’s easy to say, but unless you have a Faraday cage, how do you know it’s not on the internet? They have Wifi now, and maybe a neighbor has an open access point—or some ISP-provided access point the manufacturers have purchased access to.
The FBI qualifying the tape-over-camera option with "If you can’t turn off a camera" is just silly. Few people have the expertise to confirm that the camera was actually disabled when requested, and shall remain disabled—even if, for example, the TV receives a malformed broadcast signal that triggers a buffer overflow. (Sure, if the company lies or has terrible security the FTC might hit them with a small fine and make them promise not to do it again… and maybe if a class-action is started and you didn’t waive your rights in a clickthrough agreement, you’ll get five bucks off your next TV, in a decade, if you still have your receipt…)
Tape works, and one doesn’t require a PhD in computer security to demonstrate that. People are not yet complaining about TV bezels and notches such that companies are looking to hide cameras. Disable cameras, microphones, networking in software, and open up the TV and disconnect wires if you’re comfortable with that, but don’t skimp on the most effective and easiest security fix ever devised.
Re: Re: Re:
"They have Wifi now"
wifi needs an antenna, remove it.
Re: Re: Re: Re:
At wifi (i.e. microwave) frequencies, a microstrip antenna printed directly on the circuit board can be used. If hidden on an inner layer, they wouldn’t even be visible.
Re: Re: Re:2 Re:
Yes, however that design may experience difficulties caused by the RF coupling into all the other circuits on the pwb. One would have to install said fancy pants antenna into its own enclosure making it easily identifiable. But yes, you are correct in that the manufacturers will try to hide the buggers.
Re: Re: Re:3 Re:
I don’t think they’ll be hiding them or even really trying to subvert their users’ settings by connecting when "disabled". But they’ll always be looking to cut costs, like external antennas or wifi chips; and when the software gets complicated enough, bugs happen.
Re: Re: Re:4 Re:
"I don’t think they’ll be hiding them or even really trying to subvert their users’ settings by connecting when "disabled""
What makes you think that?
Re: Re: Re:
Few smart TVs—if any—connect to the internet without user input, if only to select which access point to use. And where did you get the idea that ISPs provide backdoors like that? I mean, it’s not completely improbable, but what evidence do you have for that?
To be clear, I agree with most of what you said, but this point stuck out to me as less plausible than the others.
Re: Re: Re: Re:
Comcast-provided routers run an "Xfinity Wifi" service by default, that lets any Comcast subscriber use the connection (but under a different IP, with traffic not counting toward caps, etc.). The example was a hypothetical extension of that service.
Connecting to Wifi without user input was similarly hypothetical. But do note that even if the manufacturer has no such feature, TVs do accept over-the-air input (i.e. broadcast TV signals), and a single data-parsing bug could let people add new "features".
Re: Re: Re:2 Re:
"TVs do accept over-the-air input (i.e. broadcast TV signals), and a single data-parsing bug could let people add new "features"."
Are you claiming that over the air television broadcasts contain instruction data for the tv to modify its configuration? It is difficult to believe that all the various television manufacturers could agree on this and all use the same protocols/commands.
Re: Re: Re:3 Re:
No, although they kind of do—e.g., the channel name and number to be shown.
No, what I meant is that digital TV transmissions are MPEG streams, meaning every TV contains an MPEG parser (multiple actually—TS, H.262, AC3, etc.). Look up the vulnerability history of projects such as ffmpeg. Do you think TV manufacturers have hardened their systems as much as, say, (modern) Microsoft, e.g. by running each parser in a sandbox? I think if someone looks, they’ll find it’s more like mid-90s-Microsoft quality. Meaning an over-the-air signal could likely "own" the TV, maybe in a persistent way.
(They’d need separate exploits per model, but in all likelihood they can send the full set with a few seconds of broadcasting. No need to persist till the FCC notices and traces the illegal transmission.)
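An added example, not part of the original comment thread: a bounds-checked parser for the MPEG transport stream packets the comment above describes, showing the two length fields (`adaptation_field_length` and `section_length`) that a receiver has to validate before using them as offsets or copy sizes. The function names, status codes and sample packets are constructed for illustration and are not taken from any TV firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_PACKET_SIZE      188
#define TS_SYNC_BYTE        0x47
#define PSI_MAX_SECTION_LEN 1021   /* spec limit for PAT/PMT section_length */
#define SECTION_BUF_SIZE    (3 + PSI_MAX_SECTION_LEN)

enum ts_status { TS_OK, TS_BAD_SYNC, TS_BAD_AFC, TS_BAD_AF_LENGTH,
                 TS_NO_SECTION, TS_BAD_POINTER, TS_BAD_SECTION_LENGTH };

struct ts_payload {
    int    pusi;     /* payload_unit_start_indicator */
    size_t offset;   /* where the payload starts inside the packet */
    size_t length;   /* payload bytes in this packet (0 if none) */
};

/* Validate the header and the adaptation field length before any offset
 * is computed from them. */
enum ts_status ts_parse_header(const uint8_t *pkt, size_t len, struct ts_payload *out)
{
    if (len != TS_PACKET_SIZE || pkt[0] != TS_SYNC_BYTE) return TS_BAD_SYNC;
    unsigned afc = (pkt[3] >> 4) & 0x3;          /* adaptation_field_control */
    if (afc == 0) return TS_BAD_AFC;             /* reserved value */
    size_t off = 4;
    if (afc & 0x2) {                             /* adaptation field present */
        size_t af_len = pkt[4];
        /* 0..182 when a payload follows, exactly 183 when it does not.
         * Trusting a larger value puts `off` past the end of the packet. */
        if ((afc == 3 && af_len > 182) || (afc == 2 && af_len != 183))
            return TS_BAD_AF_LENGTH;
        off += 1 + af_len;
    }
    out->pusi   = (pkt[1] >> 6) & 1;
    out->offset = off;
    out->length = (afc & 0x1) ? TS_PACKET_SIZE - off : 0;
    return TS_OK;
}

/* Copy the start of a PSI section into dst (SECTION_BUF_SIZE bytes).
 * The unsafe pattern is memcpy(dst, sec, 3 + section_length) with the
 * length taken straight from the stream. */
enum ts_status psi_copy_section(const uint8_t *pkt, const struct ts_payload *p,
                                uint8_t *dst, size_t *copied)
{
    if (!p->pusi || p->length == 0) return TS_NO_SECTION;
    size_t pointer = pkt[p->offset];             /* pointer_field */
    if (p->length < 1 + pointer + 3) return TS_BAD_POINTER;
    const uint8_t *sec = pkt + p->offset + 1 + pointer;
    size_t avail = p->length - 1 - pointer;      /* bytes left in this packet */
    size_t section_length = ((size_t)(sec[1] & 0x0F) << 8) | sec[2];
    if (section_length > PSI_MAX_SECTION_LEN)    /* bounds writes to dst */
        return TS_BAD_SECTION_LENGTH;
    size_t total = 3 + section_length;
    *copied = total < avail ? total : avail;     /* bounds reads from pkt */
    memcpy(dst, sec, *copied);
    return TS_OK;
}

/* Constructed sample packet (not captured from a broadcast): PID 0 with a
 * section header whose length fields the caller chooses. */
static void build_sample(uint8_t *pkt, unsigned afc, uint8_t af_len, uint16_t section_length)
{
    memset(pkt, 0xFF, TS_PACKET_SIZE);
    pkt[0] = TS_SYNC_BYTE;
    pkt[1] = 0x40; pkt[2] = 0x00;                /* PUSI = 1, PID 0 */
    pkt[3] = (uint8_t)(afc << 4);
    size_t off = 4;
    if (afc & 0x2) { pkt[4] = af_len; off = 5 + (size_t)af_len; }
    if ((afc & 0x1) && off + 4 <= TS_PACKET_SIZE) {
        pkt[off]     = 0x00;                     /* pointer_field */
        pkt[off + 1] = 0x00;                     /* table_id 0 */
        pkt[off + 2] = (uint8_t)(0xB0 | ((section_length >> 8) & 0x0F));
        pkt[off + 3] = (uint8_t)(section_length & 0xFF);
    }
}

/* Returns bytes safely copied from the sample, or -(ts_status) on rejection. */
int sample_copied(unsigned afc, uint8_t af_len, uint16_t section_length)
{
    uint8_t pkt[TS_PACKET_SIZE], section[SECTION_BUF_SIZE];
    struct ts_payload p;
    size_t copied = 0;
    build_sample(pkt, afc, af_len, section_length);
    enum ts_status st = ts_parse_header(pkt, sizeof pkt, &p);
    if (st == TS_OK) st = psi_copy_section(pkt, &p, section, &copied);
    return st == TS_OK ? (int)copied : -(int)st;
}

int main(void)
{
    printf("well-formed, section_length 13:  %d\n", sample_copied(1, 0, 13));
    printf("section spanning packets (1000): %d\n", sample_copied(1, 0, 1000));
    printf("adaptation_field_length 200:     %d\n", sample_copied(3, 200, 13));
    printf("section_length 4095:             %d\n", sample_copied(1, 0, 4095));
    return 0;
}
```

A negative result is the negated `ts_status` of the check that rejected the packet; sandboxing, as the comment suggests, is a separate layer on top of these checks.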
Re: Re: Re:2 Re:
And users still had to manually tell their devices to connect to those access points. Your argument is invalid.
And is likely to remain that way. There are way too many problems that would be introduced in having a device autoconnect to ANY open, unsecured network by default.
Not really. A data parsing bug would only operate like that if it could be used to bypass security. Which would imply bad device security. Which to be clear, is pretty common, but it’s not clear that the specific security flaw needed for that is common today. There was an exploit like that discovered back in 2017 that got a decent amount of attention, but hopefully it was fixed.
Re: Re: Re:3 Re:
There’s no "argument" here. It’s a hypothetical situation that Comcast could sell similar access to TV manufacturers. They’re the lowest-rated company in America, what have they got to lose?
I don’t actually expect the TV companies to be so intentionally user-hostile. But things would go wrong. Auto-updating by default is considered best practice by many security people; maybe they’d only be connecting to download updates that fix security bugs, and some unexpected traffic gets in. Amazon Kindle has worked like this for years—it includes a cellular modem.
It’s not clear that buffer overflows are common? In embedded software, i.e., software most people don’t realize is there and most security researchers aren’t looking at?
I don’t recall ever seeing a single report of a security researcher analyzing embedded software (i.e. not phone or PC software) from a consumer device and saying "this actually looks pretty secure". To the contrary, they seem to fall over, with embarrassing bugs, with the slightest effort.
Re: Re: Re:4 Re:
And users would STILL have to manually tell their devices (TVs in this case) to connect to those networks. Your argument is still invalid.
Yes, they would. Which is why it would never happen.
Yes, but only on networks you have designated.
Again, the user would have to manually tell it to connect to the network in the first place and at that point, yes, unless you’ve properly secured your network, all manner of traffic could get passed to it. That doesn’t mean it’s all 100% malicious though.
A cellular modem is very different from WiFi. There are some similarities but a really glaring difference is a cellular modem can ONLY connect to the carrier network you bought service with. It can’t connect to any other network. And that network is broadcast over a much wider area than WiFi networks, so once it connects it pretty much just stays connected to the same network unless you lose signal.
By contrast, WiFi networks have a much more limited range and can be connected to by anyone with the proper authentication (or none if you are dumb enough to not secure it). WiFi does not automatically connect to any network in range though. That would be extremely bad for a multitude of reasons. Security and privacy not the least.
I never said that. But buffer overflows by themselves do not mean you get the access you want. Properly secured software could still experience a buffer overflow and NOT bypass security.
I’m having a hard time parsing your grammar here but just because buffer overflows are common and looked at frequently, doesn’t mean they always end up in ways to bypass security. Sometimes they just hard crash the system or are ignored.
Agreed. But that doesn’t mean that it’s hackable in a way that would allow someone to take remote control of it as discussed here. Some security flaws require physical access. Others do not.
Re: Re: Re:5 Re:
Software that experiences a buffer overflow is, by definition, not properly secured. There are techniques like sandboxing that can limit the damage of an overflow, but "Internet of Things" stuff isn’t where I’d expect to find it.
Re: Re: Re:6 Re:
True. But again, that doesn’t necessarily mean you’re going to be able to take advantage of it to take over a system in every case. It’s entirely possible the system will just hard crash as soon as the buffer overflows. Which could cause its own issues but likely isn’t going to result in a hacker gaining access. You can’t access a system that is not functioning.
And besides, buffer overflows are FAR from the only way to compromise a system.
Re: Re: Re:
"That’s easy to say, but unless you have a Faraday cage, how do you know it’s not on the internet?"
Wireshark.
Seriously, although verifying that setting your TV’s wifi to "off" can be tricky, checking whether it does or does not transmit to a wifi AP is dead easy.
Re: Re: Re: Re:
If you have cable tv, your tv is always connected to the internet.
Also, if you have a digital transmitter in the proper range you can produce a signal to hack any other tv that can receive a signal.
Re: Re: Re:2 Re:
"If you have cable tv, your tv is always connected to the internet."
Is this connection via a coaxial cable or is it an ethernet cable? I was unaware of any bidirectional transmissions on coaxial cable television. When did they start doing this?
"if you have a digital transmitter in the proper range you can produce a signal to hack any other tv that can receive a signal."
The modulator would be digital, not the transmitter.
What type of hacking? Simply confusing the shit outta the poor tv?
Re: Re: Re:3 Re:
The wire became bidirectional in the mid-1990s, when cable modems gained the ability to transmit without an auxiliary phone line. For TV signals, switched digital video has been gaining popularity for upwards of a decade; the TV (or cable box) has to ask the headend to start transmitting the desired channel. If your TV has a CableCard slot it can probably transmit.
Some people here seem to think "TV" and "computer" are different things. They’re really not. Whatever exploits can be done to a computer are the type of things that could be done to a TV. Remote camera and microphone activation, abusing the Wifi (connecting back into your private network if you have it set up; running a fake access point to exploit people wanting "Free Wifi"; etc.), cryptocurrency mining, ransomware (there’s no data to encrypt, but would you know how to reflash your TV without paying them?)…
Re: Re: Re:4 Re:
That depends on what you mean. Is a smart TV a type of computer? Yes. But that doesn’t mean they operate exactly the same or are vulnerable to the same kinds of things. They have completely different types of hardware and software.
This is categorically false and not true. You cannot, for instance, exploit a Windows vulnerability on a TV that does not run Windows. Vice versa, you cannot hack a Windows PC using OTA broadcast because most Windows PCs don’t have an OTA antenna and hardware and software to receive and interpret that signal.
Require exploits specific to the hardware and software being targeted. An Android exploit may not work on iOS, which may not work on Windows.
Can take many different forms and requires many different attack vectors depending on what you are wanting to do.
Requires someone to have not properly secured their network and requires the attacker to successfully hack into it.
And is typically only done in densely populated, public areas. It’s not feasible to run a fake access point in residential suburb style areas where at best your fake AP would only be able to reach one or two houses who likely already have their own wireless router and therefore wouldn’t connect to your fake access point in the first place.
Is a thing and browser makers regularly patch their browsers when new exploits are discovered. And only affects TVs if you use the built-in web browser and your TV is connected to the internet.
Well I mean, there’s google.
But non-tech savvy users could always get their TV serviced by BestBuy, the manufacturer, a local repair shop, etc… And again, ransomware requires your TV to be connected to the internet to get it. If you don’t connect to the internet, you have nothing to worry about it. Or your TV is vulnerable to remote OTA hacking, which is possible but the chances of someone carrying out that attack against you specifically are low. And if you have your WiFi secured, they wouldn’t be able to make it do anything because they couldn’t get remote access because they couldn’t get it to connect to the internet.
Re: Re: Re:4 Re:
"The wire became bidirectional in the mid-1990s"
Maybe the cable companies were running bi-directional data between the cable modem in your home and their distribution network but I was referring to the connection between the cable modem and the television. Is this interface bi-directional? I had not heard of such a thing but it could be I suppose.
""TV" and "computer" are different things"
This is correct. They are not the same, they use different CPUs, have different OSes, but you knew that.
"Whatever exploits can be done to a computer are the type of things that could be done to a TV"
It depends upon what exactly you are talking about, most exploits used are targeting computers rather than televisions, that may change in the future however.
I doubt one could make their television perform all those tasks you have listed, some of them require resources over and above that supplied by the television manufacturers.
Re-flash your tv? Not sure all tvs use the same method, and certainly it is not easy to remotely update the firmware. But it could happen I guess.
Re: Re: Re:2 Re:
No, this is not true. Cable TV service is not the same as cable internet. While the service can be provided over the same physical line, you have to connect your cable line to a cable modem in order to get internet access. The two protocols are completely different.
Not necessarily. Yes, back in 2017 such an exploit was discovered and demonstrated. But it was an exploit that took advantage of some vulnerabilities and poor security.
That doesn’t mean that that is native functionality, or that those specific attack avenues haven’t been patched by now.
Re: Re: Re:3 Re:
"No, this is not true. Cable TV service is not the same as cable internet. While the service can be provided over the same physical line, you have to connect your cable line to a cable modem in order to get internet access. The two protocols are completely different."
Cable TV service is just another protocol that runs on the internet now. The internet doesn’t have just one protocol; World Wide Web, FTP and bittorrent are also different protocols.
"Not necessarily. Yes, back in 2017 such an exploit was discovered and demonstrated. But it was an exploit that took advantage of some vulnerabilities and poor security.
That doesn’t mean that that is native functionality, or that those specific attack avenues haven’t been patched by now."
You have no idea what you are talking about. You can’t patch it. It’s just transmitting a signal to a device with a transmitter you don’t have a license for. It can’t be patched.
Re: Re: Re:4 Re:
[Citation needed.]
Yes, actually I do.
Yes, you can. Manufacturers patch their device firmware all the time. Not as often or as thoroughly as they should but it is done. Just because a device can receive a signal, doesn’t mean it can be remotely hacked or controlled. That remote signal has to take advantage of features or vulnerabilities programmed into the operating system firmware of the device. That firmware can be patched.
If that was all that was required for a device to be hacked then we should stop using any and all wireless devices because there is absolutely no way to secure them. You’re quite literally wrong.
See above.
Re: Re: Re:5 Re:
I hate arguing with people that make shit up.
Re: Re: Re:6 Re:
You’re free to provide links proving me wrong. I provided one of my own that directly contradicts your argument.
I’ll wait.
Re: Re: Re:3 Re:
Not in 2019. Modern cable systems transmit most or all channels in digital form, and their cable boxes are effectively modems (especially when using Switched Digital Video).
Also at this year’s DEF CON.
You must be writing from the distant future. In 2019, IoT security was… still not so great.
Re: Re: Re:4 Re:
[Citation needed.]
Digital form is not the internet.
But not internet modems. There’s a big difference there.
Link please.
You can still have absolutely crap security and your device not be able to be remotely hacked. Now note that I did say that I HOPED the manufacturers had patched that vulnerability, especially with all the media attention it received, but I didn’t say they had for sure. And hopefully newer models use a version of firmware and applications that do not have the same vulnerabilities.
Re: Re: Re:5 Re:
DEF CON 2019
Try the "video and slides" directory, "DEF CON 27 Conference – Pedro Cabrera Camara – SDR Against Smart TVs URL and Channel Injection Attacks.mp4". They’re attacking the "interactive TV" features there, running Javascript to trigger fake dialog boxes to social-engineer people. Not exactly an exploit. But they are sending full MPEG streams over the air, so it’s a first step to more interesting attacks.
Some TVs/cableboxes really are speaking internet protocols over DOCSIS for their control channels or even video. See Switched IP video.
They probably did, but reactive security is a whack-a-mole game. They’ll patch specific vulnerabilities, and the few people in the country who update TV firmware regularly will get those updates. And then another exploit will be found, because few people avoid certain brands of TVs due to bad security.
Re: Re: Re:6 Re:
Yes, I did some reading up on it. Basically you get a drone close enough to broadcast a more powerful signal than the local stations so the TV receives the drone’s broadcast instead (because TVs will receive whatever signal is strongest). But that’s all. The entire hack relies on the user taking an action.
So? Again, to actually take control of your TV, the drone would have to stay in the vicinity and/or force it to connect to an unsecured network. The drone has limited flight time and would be easily spotted and there’s no guarantee there would be an unsecured network available, unless you live in an apartment complex where lots of WiFi networks are within range and may or may not be secured.
And none of that equals "the internet". Just because the box speaks internet protocols, doesn’t mean your TV has access to the internet over that coax cable plugged into it. Same goes for accessing cable TV from your computer. You have to have the appropriate box for the appropriate content and they do not cross. One box might do both but it’s only going to send cable signals to your TV and internet signals to your computer. The two are not compatible.
Yes, but if they patched that flaw then it is no longer available to use. Not all flaws are identical.
This is valid.
Also valid. But that doesn’t mean that exploit will be the exact same thing of remote control. This happens all the time in the IT world. Exploits are discovered all the time but they range from a minor nuisance that is unlikely to ever be encountered to emergency level remote control with minimal effort. Not everything is on that one end of the spectrum.
Re: Re: Re:2 Re:
"If you have cable tv, your tv is always connected to the internet."
Makes a good case for not having cable, then.
And no, the usual cable-type TV is just straight visual and audio input which happens to be over an optic line. Kept that way, ironically, by a number of vested interests who felt as long as they could hold the consumer hostage to their schedules they’d have a similar grip over their consumer’s interests. The same people who went to war so heavily against the VCR, incidentally.
That said cable CAN carry other data doesn’t change the fact that the normal plug only has a direct connection to audio and video displays. Or so it used to be. HDMI carrying programming instructions would be…interesting.
Re: Re: Re: Re:
You’d have to be running Wireshark at the exact moment the TV is transmitting to see it (and on the right Wifi channel). For all we know, such a thing could happen overnight once a week and be done in a minute.
Re: Re: Re:2 Re:
You have a point about it potentially happening very occasionally and potentially missing it that way.
I’m not sure what you’re getting at with the WiFi channel though. Wireshark and network routing doesn’t care about WiFi channels when it comes to capturing data. You can either run it at the router/firewall level, where it will capture EVERYTHING that passes through it, or you can mirror that port and capture all the traffic sent/received on that port. Either case is completely irrespective of WiFi channel.
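An added example, not part of the original comments: because a live Wireshark session can miss a transmission that lasts a minute, one option is to leave a capture running at the router or a mirrored port and scan the saved file afterwards for frames sent by the TV's MAC address. The code reads the classic pcap format directly; the MAC addresses, timestamps and capture contents are constructed, and the result only covers traffic that crossed the capture point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC  0xA1B2C3D4u   /* classic pcap, microsecond timestamps */
#define LINKTYPE_EN 1             /* LINKTYPE_ETHERNET */
#define FRAME_LEN   60            /* size of each constructed sample frame */

/* Constructed addresses (locally administered), not real devices. */
static const uint8_t TV_MAC[6]     = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t LAPTOP_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
static const uint8_t ROUTER_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0xFE};

struct activity {
    unsigned frames;         /* frames sent by the watched MAC */
    unsigned by_hour[24];    /* the same frames per hour of day (UTC) */
    uint32_t first_ts, last_ts;
};

static uint32_t rd32(const uint8_t *p)            /* little-endian read */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)          /* little-endian write */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every record of a little-endian Ethernet pcap and tally frames whose
 * source address is `mac`. Returns 0, or -1 if the file is malformed or cut short. */
int scan_pcap(const uint8_t *buf, size_t len, const uint8_t mac[6], struct activity *out)
{
    memset(out, 0, sizeof *out);
    if (len < 24 || rd32(buf) != PCAP_MAGIC || rd32(buf + 20) != LINKTYPE_EN)
        return -1;
    size_t pos = 24;
    while (pos < len) {
        if (len - pos < 16) return -1;            /* truncated record header */
        uint32_t ts   = rd32(buf + pos);          /* seconds since the epoch */
        uint32_t incl = rd32(buf + pos + 8);      /* bytes stored in the file */
        pos += 16;
        if (incl > len - pos) return -1;          /* truncated frame */
        if (incl >= 14 && memcmp(buf + pos + 6, mac, 6) == 0) {
            if (out->frames++ == 0) out->first_ts = ts;
            out->last_ts = ts;
            out->by_hour[(ts % 86400u) / 3600u]++;
        }
        pos += incl;
    }
    return 0;
}

static size_t add_frame(uint8_t *buf, size_t pos, uint32_t ts, const uint8_t src[6])
{
    wr32(buf + pos, ts);            wr32(buf + pos + 4, 0);          /* ts_sec, ts_usec */
    wr32(buf + pos + 8, FRAME_LEN); wr32(buf + pos + 12, FRAME_LEN); /* incl, orig */
    uint8_t *frame = buf + pos + 16;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame, ROUTER_MAC, 6);                 /* destination */
    memcpy(frame + 6, src, 6);                    /* source */
    frame[12] = 0x08;                             /* EtherType 0x0800 (IPv4) */
    return pos + 16 + FRAME_LEN;
}

/* Constructed sample: one day of capture in which the TV sends two frames at
 * 03:12 UTC and is otherwise silent. buf must hold at least 404 bytes. */
size_t build_sample(uint8_t *buf)
{
    const uint32_t day = 18232u * 86400u;         /* midnight UTC, constructed day */
    memset(buf, 0, 24);
    wr32(buf, PCAP_MAGIC);
    buf[4] = 2; buf[6] = 4;                       /* format version 2.4 */
    wr32(buf + 16, 65535);                        /* snaplen */
    wr32(buf + 20, LINKTYPE_EN);
    size_t pos = 24;
    pos = add_frame(buf, pos, day + 3 * 3600 + 12 * 60, TV_MAC);
    pos = add_frame(buf, pos, day + 3 * 3600 + 12 * 60 + 40, TV_MAC);
    pos = add_frame(buf, pos, day + 9 * 3600, LAPTOP_MAC);
    pos = add_frame(buf, pos, day + 20 * 3600, LAPTOP_MAC);
    pos = add_frame(buf, pos, day + 21 * 3600 + 5, LAPTOP_MAC);
    return pos;
}

int main(void)
{
    uint8_t buf[512];
    struct activity a;
    size_t n = build_sample(buf);
    if (scan_pcap(buf, n, TV_MAC, &a) != 0) return 1;
    printf("TV frames: %u\n", a.frames);
    for (int h = 0; h < 24; h++)
        if (a.by_hour[h]) printf("  %02d:00 UTC  %u frame(s)\n", h, a.by_hour[h]);
    return 0;
}
```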
Re: Re: Re:3 Re:
See the list of wifi channels. To receive Wifi data, the system running Wireshark would have to be tuned to the correct channel (or a channel that’s close enough). If you record at your router, you’re only capturing traffic going through your Wifi network, which doesn’t rule out the TV using other Wifi networks. (It seems unlikely, but if you’re paranoid enough to run Wireshark you probably want to be sure.)
Re: Re: Re:4 Re:
Nothing in that link refutes anything I have said. Wireshark sniffing data over your network couldn’t care less about what WiFi channel it’s on. At some point all the data has to pass through your router/firewall, which is a physical device. If you do your capture there, you capture it all. Port mirroring is similar.
At this point I’m fairly certain you have no idea how Wireshark works. Yes, you can put it in monitor and promiscuous mode and try and sniff the airwaves, but since it all has to route out through hardware at some point, why not just do it there and be sure you got everything?
The only time you may want to try and sniff the airwaves would be if your hypothetical scenario were true and manufacturers had the TV auto-connect to any unsecured WiFi signal in range. However, TV manufacturers don’t do this and you would know whether or not there were unsecured SSIDs in range for it to connect to or not. So the whole point of sniffing the airwaves is irrelevant.
No, actually you’re capturing ALL the traffic going through your entire network.
Which would only be the case if your hypothetical scenario of TVs auto-connecting to any unsecured WiFi network were true and you had unsecured WiFi networks in range. Manufacturers don’t do this so the whole thing is moot.
No. It’s not just unlikely, it’s more than likely illegal and a HUGE privacy and security nightmare, not just for end users but for manufacturers as well. There’s no way in hell they are going to risk that.
Consider: your neighbor Joe has an unsecured WiFi network. You buy a (non-existent) smart TV that auto-connects to any unsecured WiFi network. Your network is secured. Your TV auto-connects to Joe’s network and starts passing traffic. Said traffic ups Joe’s data usage, maybe causing him to go over his data cap or just sucking up available bandwidth. Joe starts doing some investigating. Eventually he finds an unknown device on his network and discovers it’s your TV. Now Joe is pissed. He sues you and the manufacturer for unlawful use of his WiFi. Other customers find out and throw an absolute fit, security researchers go apoplectic, and the FTC fines the manufacturer.
Now, it could play out differently than that but the end result is going to be costing the manufacturer a crap ton of money in legal fees and/or fines and SEVERE customer reputation damage. Nobody is going to buy that kind of TV.
Re: Re: Re:5 Re:
…is what I’ve been saying about "smart TVs" and "internet of things" devices for some years now. I do hope you’re right, and manufacturers won’t try anything too shady. But, then, I thought that would have prevented them from putting microphones and cameras into TVs at all. And they’ve already been caught tracking what people watch, and transmitting that without encryption.
Re: Re: Re:6 Re:
To my knowledge none of the smart TVs and IOT devices are straight up illegal. Recording audio and video without notifying the end users of it is but with proper notification it is not. And bad security is not illegal either; it’s just a very bad idea.
The privacy and security nightmare though absolutely.
Take off your tin foil.
In addition to the legal, privacy, and security issues I named above, it would make it significantly more difficult for an end user to connect their TV to their own network if they actually wanted to. Which is something the manufacturers WANT you to do so they aren’t going to put something in place that’s going to severely hamper your efforts to do that.
Why? That was inevitable. Voice controlling your devices has been a concept long before it was even possible. Done properly it’s not even close to a privacy and security nightmare. Many devices benefit from having voice controls. There’s nothing inherently wrong with it, just how it’s executed.
Yes, which is a huge problem but also irrelevant to the topic. It’s also not illegal either.
Re: Re: Re:4 Re:
"See the list of wifi channels. To receive Wifi data, the system running Wireshark would have to be tuned to the correct channel (or a channel that’s close enough)."
No. You haven’t the faintest frigging clue how packet sniffing works, do you?
Wireshark set to listen over wifi will listen in on ANY channel the antenna it’s using can catch. So every conceivable channel of wifi is covered, and then some.
Wireshark set to sniff packets over cable will intercept ANY packet. That’s how it works.
"It seems unlikely, but if you’re paranoid enough to run Wireshark you probably want to be sure."
Wireshark is used and run by tens of thousands of Linux enthusiasts, every security enthusiast, and just about every network engineer who ever had to configure wifi APs from scratch.
And since IoT first started I guarantee you that every application supplied with bluetooth/wifi WILL be under constant wireshark monitoring by a few hundred people, worldwide.
Re: Re: Re:2 Re:
"You’d have to be running Wireshark at the exact moment the TV is transmitting"
Yes, that is how many use network monitoring tools. The tool is run 24/7 and admin periodically reviews the logs/alerts.
I suppose one could limit what the tool monitors, but it is not necessary.
Re: Re: Re:2 Re:
"You’d have to be running Wireshark at the exact moment the TV is transmitting to see it (and on the right Wifi channel)."
Err…let me introduce you to something called a "log file".
The necessary program and script is literally a one-click-run setup you could run straight off a raspberry pi.
And let me assure you that right now, as we speak, there are hundreds, if not thousands of security enthusiasts who have such setups standing around actively monitoring every IoT-prepped utility you could think of, in the hopes they’ll find evidence of just such maneuvers. It’s how shit works on the open source segment of IT.
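As an added illustration of the always-on logging described in the comments above (not code from any commenter): a short Python script that reads a continuously written flow log and picks out a device's brief overnight transmissions, the "once a week, done in a minute" case raised earlier in the thread. The log format, the addresses and the 01:00 to 05:00 window are assumptions made for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts src dst nbytes")
Burst = namedtuple("Burst", "dst start end nbytes")

# Constructed sample of an always-on flow log: "time source dest:port bytes".
# 192.168.1.50 stands in for the TV; addresses are private/documentation ranges.
SAMPLE_LOG = """\
2019-12-02T20:15:03 192.168.1.50 203.0.113.10:443 1420
2019-12-02T20:15:09 192.168.1.50 203.0.113.10:443 1380
2019-12-02T20:17:40 192.168.1.23 198.51.100.99:443 900
2019-12-04T03:02:11 192.168.1.50 198.51.100.7:80 512
2019-12-04T03:02:40 192.168.1.50 198.51.100.7:80 2048
2019-12-06T21:01:00 192.168.1.50 203.0.113.10:443 1400
2019-12-11T03:02:15 192.168.1.50 198.51.100.7:80 498
2019-12-11T03:02:55 192.168.1.50 198.51.100.7:80 2100
"""


def parse_log(text):
    """Turn log lines into time-ordered records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records.append(Record(ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # bad timestamp or byte count
    return sorted(records)


def find_bursts(records, device, max_gap=timedelta(minutes=5)):
    """Group one device's packets per destination into bursts of activity.

    A new burst starts when the device has been silent towards that
    destination for longer than max_gap.
    """
    open_bursts, done = {}, []
    for r in records:
        if r.src != device:
            continue
        b = open_bursts.get(r.dst)
        if b and r.ts - b.end <= max_gap:
            open_bursts[r.dst] = b._replace(end=r.ts, nbytes=b.nbytes + r.nbytes)
        else:
            if b:
                done.append(b)
            open_bursts[r.dst] = Burst(r.dst, r.ts, r.ts, r.nbytes)
    done.extend(open_bursts.values())
    return sorted(done, key=lambda b: b.start)


def overnight_bursts(bursts, start_hour=1, end_hour=5):
    """Keep bursts that began in the small hours, when nobody is watching."""
    return [b for b in bursts if start_hour <= b.start.hour < end_hour]


if __name__ == "__main__":
    tv = "192.168.1.50"
    for b in overnight_bursts(find_bursts(parse_log(SAMPLE_LOG), tv)):
        secs = int((b.end - b.start).total_seconds())
        print(f"{b.start} -> {b.dst}: {b.nbytes} bytes in {secs}s")
```

Because the log is written around the clock, the two sub-minute transmissions a week apart show up in review even though nobody was watching the capture when they happened.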
Re: Re:
My wife talks to her Amazon TV but it is not voice activated – press and hold button down then talk. Microphone in TV needs is always listening for keyword. I disabled Alexa option in Amazon TV. Bugging my living room or any place in my house is crazy.
Copper mesh on sale? Class? Anyone?
Re: Re: Re:
And those stupid tv remote controllers that you have to talk to, what a piss poor excuse for requiring a live microphone. What kind of silly assed excuse will they come up with for a webcam requirement?
Re: Re: Re: Re:
Prevention of unauthorized public performances. Here in 2024, the Disney+ licensing terms require the feature, and anyone viewing such a performance will be banned from the service and from Disney parks.
Re: Re: Re:2 Re:
"Prevention of unauthorized public performances."
Is this where we all remember Microsoft’s Xbox "kinect" add-on which turned out to have the built-in capability to count the people in front of the monitor and was launched with the initial requirement of always being plugged in?
Discontinued now, but that’s the usual fate for gadgets for which the market isn’t quite ready yet. Thanks to the internet of things though, the idea of having an always-on and connected webcamera in your living room might not sting the public that hard anymore…
Re: Re: Re:3 Re:
Remember when MS said their next Xbox would support no physical media, and people revolted? MS were just ahead of their time. Now we have Google Stadia, and I don’t think people care much about the lack of physical media. They don’t trust Google to run it, but Steam is popular.
Re: Re: Re:4 Re:
"Remember when MS said their next Xbox would support no physical media, and people revolted? MS were just ahead of their time. Now we have Google Stadia, and I don’t think people care much about the lack of physical media."
Well, yes and then again, no.
Torrent traffic hasn’t decreased noticeably and I know for a fact that my principle of never installing the DRM version of software isn’t exactly rare.
Steam’s DRM is unobtrusive and can be hacked by boilerplate templating so no wonder steam does fine. Stadia, otoh, is another beast. I very much doubt game streaming will ever truly catch on to the point where even console makers will feel threatened.
Not connecting them to the internet will only work until the manufacturers decide to have them connect to any unsecured network on their own. Better option might be to buy cheap router and connect all IoT devices to it, and just not connect the router to the internet.
Re: Re:
Disconnect the antenna
Re: Re: Re:
Not in consumer reality. First off nobody is going to take brand new TV apart in order to look for something that does not look like antenna on a car or something.
And special tools are not cheap. So, new cottage industry Make My TV Stupid†®
Re: Re: Re: Re:
"nobody is going to take brand new TV apart in order to look for something"
Hello, My name is nobody and I have taken wifi antennas out of devices thus ensuring there is no wifi connectivity. In addition, I disabled any and all relevant options in configuration of said device. I accomplished this without the use of any special tools.
Do not sell the average consumer short; some of them know what a wifi antenna looks like.
Yes, I agree that there will be some demand for making devices secure.
Re: Re: Re:2 Re:
I would not consider most average consumers to be both the type to take an electronic device apart unless it stops working properly and be able to recognize every WiFi antenna as distinct from other antennas and disconnect it without affecting other, non-internet features. It’s also less likely that they would do something that could plausibly affect the warranty or have some permanent effect on the TV. Now, would it be that far above average? No. Could an average consumer do it? Absolutely, at least in most cases. However, we’re talking about what the average consumer is likely, willing, and able to do to a perfectly functional TV to protect their privacy. Tape across the camera? Sure. Disconnect it from the internet via the internal software (or choose not to connect it in the first place)? Perhaps. Disassemble it to remove the WiFi antenna, likely in a manner which you cannot fix later? Not so much.
Also, in this materialistic society with a large focus on consumerism full of people who demand others fix their problems, I’d expect a lot of average consumers to get a new TV that lacks the option or ignore what they can do to protect their own privacy.
Re: Re: Re:3 Re:
TV manufacturers will, if not already, discontinue the model numbers that do not have internet connectivity.
I have no data in support, but I try to give people the benefit of the doubt when possible. Based upon the percentage of folks who connect crap to their LAN I guess they are ignorant and maybe lazy. -idk.
Re: Re: Re:4 Re:
Almost all working TVs are internet cable. There have been a few that don’t take outside signals but nearly every single TV ever manufactured can connect to the internet.
Re: Re: Re:5 Re:
"Almost all working TVs are internet cable."
I think that most people when discussing internet connected televisions are referring to use of the category 5 ethernet connection rather than the coaxial connection. There is a huge difference between these two interfaces. If you wanted to surf the internet from your tv I doubt the coaxial interface would be capable whereas the ethernet would.
Re: Re: Re:6 Re:
You’re technically correct but I just wanted to clarify something.
Technically cable TV and internet can be served up over the same physical coax cable, but you need completely different hardware to make use of the two services. A cable modem for internet and a set top box for cable TV. You can’t access internet over the coax port on your TV, for example.
Just as an additional note, most smart TVs use WiFi, not ethernet for internet connectivity. It still requires a cable modem and a wireless router but just wanted to clarify.
Re: Re: Re:7 Re:
agreed
Most smart tvs have both ethernet and wifi, it is up to the user to decide which gets enabled/disabled.
Re: Re: Re:5 Re:
That was supposed to be "internet capable"
Re: Re:
And this is why you should ALWAYS password protect your WiFi network.
Granted if you live in a place like an apartment where you might have a bunch of networks in range and your neighbors didn’t secure theirs, then this obviously is a moot point.
However, I’m betting it’s unlikely manufacturers will set it up to auto-connect to any unsecured network. That could create a whole host of problems that would land them in real hot water, real fast. Not to mention it would make it much more difficult for the actual owner of the TV to hook it up to their secured network if they so chose.
Re: Re: Re:
My bet is that when it happens, it will be "by accident". Because they integrated some gigantic ball of software, maybe Android, and they’ve got some auto-connect feature just to gather network statistics or maybe set the clock, and the firewall rules that were supposed to stop other access broke without anyone noticing…
Re: Re:
That is why I said WiFi will probably be the method used. Most IoT prefers any kind of connection, even no password hotel wifi.
An old Apple airport can be configured to accept any intranet (inside firewall) connection and not let do anything but wait forever.
My sister, mother will not do this. It is outside their reality — they would not know what to do. Assumes the TV is just a TV with features.
Naaaaw...
BWAHAHAHA… No, my TV isn’t spying on me. You know how I know…? You better sit down for this: it’s a CRT unit. From twenty or so years ago. And at the rate it’s getting used recently, it’s going to last another forty…
Re: Naaaaw...
Side note, it is not easy to create a large format cathode ray tube for television.
Re: Re: Naaaaw...
Side side note, the 16:9 aspect ratio was developed because it was the widest screen cathode ray tube that could be practically produced at the time, not because it related to a wide screen movie in any way.
I just remembered the last time I had to move a big CRT. I swear the center of gravity was about an inch in from that enormous layer of glass.
Re: Re: Re: Naaaaw...
Sounds about accurate, the unit is effectively immovable. The day I have to move it to a service shop is the day I replace it (then again, I did fix it at home before – PSU chip literally exploded for some reason). So it’s most likely effectively limited by the lifespan of the CRT. In the mean time: you only need huge screens if you sit far from them – this one is big enough to watch from a bed’s length, even if it’s only 4:3…
Re: Re: Re:2 Naaaaw...
When that day approaches, post an online ad for a spyware-free TV. Free to whoever can come to your house and remove it without your help.
Re: Re: Re: Naaaaw...
Yes, blowing the glass was not easy but I was thinking about the problems encountered at the edges of the display when trying to maintain a rectangular image.
Re: Naaaaw...
A CRT does make it easier to snoop what you are watching via Van Eck phreaking to snoop on you. Granted that is a niche technique and it has no memory to it.
Smart TV in dumb mode
My TV isn’t even connected to my network, so LG probably thinks it fell off the face of the earth.
Unfortunately the gap between using technology and understanding how the technology works has increased to the point that we have a world of technical illiterates at the mercy of the fewer number of people who care about how things work. The idea that anything connected to the internet that has a camera and microphone in it should have been immediately suspect to anyone, but apparently, most people equate technology with not having to think. How stupid must people be to not have seen the obvious implications of this? Pretty fucking stupid.
Re: Re:
"a world of technical illiterates at the mercy of the fewer number of people who care about how things work."
at the mercy of the fewer number of people who will do anything for money
Re: Re: Re:
Are you replacing the original quote or adding to it?
In other words, who is at the mercy of the money-grubbers? The technical illiterates, or the ones who care how things work?
Re: Re: Re: Re:
The ones who care … usually are not money grubbers
It is safe to assume that anything with an internet connection and closed source software in it is sending behavioural data back home. It is standard now.
And let us not forget that the Patriot Act permits the government to secretly compel US companies to hand it all over without question.
Don’t worry, unless you are an investigative journalist, whistleblower, political rival, or some unfortunate that gets in the way of someone that matters, you should be fine.
Nothing to hide…
Just don’t turn your TV off. That shit looks suspicious.
Re: Re:
"you should be fine"
Should be, but not.
The better to protect you, Little Red Riding Hood
Somehow I am not hearing FBI protecting citizens, I am hearing the FBI say, "Let the buyer beware."
Re: The better to protect you, Little Red Riding Hood
The FBI doesn’t run its own semiconductor fabs. It can’t do much about it.
So what?
The problem is not a spying SmartTV. Even if it was, pulling the plug and using a streaming device will solve the problem.
The problem is a spying FBI: not only have they been drumming for both authorization and technical ability to spy on everybody, anytime. The FBI has also been caught repeatedly using the information for framing and entrapping innocents.
While TV-Manufacturers may collect information to improve their products or to sell advertisements, the FBI uses information to destroy people’s careers, even lives.
Which, btw, raises the question where the FBI’s sudden concern for our privacy comes from …
Re: So what?
They found out their TVs are spying on them too?
Re: So what?
Cynically, the TVs are spying for PRC and not USA.
Probably, cyber defence is big business now and it is not entirely corrupted by politics. It is recognised that identity theft and other cyber crime is facilitated by bad security on these devices. There are people paid in the agencies to address cyber threats (as best they can, under the circumstances).
The FBI is not a monolith. There are departments in it that legitimately do good work. There are some departments that do mostly bad work that have some legitimately good actors. Same for most government agencies.
My view is that the problem is primarily corrupt, deeply politicised leadership in these agencies, installed by completely corrupt political leadership.
Re: Re: So what?
The crime some in the industry like to call Identity Theft is really just fraud perpetrated upon some business using someone else’s identity.
The term Cyber Crime is quite nebulous and I suppose could refer to just about anything deemed a crime so long as the internet was involved in some way.
I think you will find that corruption makes the world go ’round.
fox /hen
The fox warning the henhouse that eggs are fragile.
That's why I choose Prime Video instead
I don’t think TV’s really spying on us! Because I have smart TV and most of time I watch TV series online.
There are many video streaming services from which you can watch any tv shows securely and for free.
So, keep calm! FBI don’t have that much time to look for each person’s daily life activity.
For more security, cover your television with clothes.
haha 🙂
The FBI doesn’t want people to watch TV.