
Smart TVs sending sensitive user data to Netflix and Facebook - hhs
https://www.ft.com/content/23ab2f68-d957-11e9-8f9b-77216ebe1f17
======
mikeryan
This is a pretty open secret within the industry. Geographic data can be
provided via setup (a lot of TVs ask for a zip code on setup) or usually
simply via GeoIP lookup.

Dig a bit deeper and you get into services provided by Samba TV and/or Inscape
and you can find that they're sending back frames of video in a lot of cases
to track what you're watching.

This data is becoming a huge mechanism for subsidizing TV sales and the
interactivity is being looked at as a huge opportunity to recoup some of the
ad spend being lost via streaming and fewer 30 second spots.

With new TVs it's time to view them as private as a browser (with fewer
controls).

[https://samba.tv/](https://samba.tv/)
[https://www.inscape.tv/](https://www.inscape.tv/)

~~~
obmelvin
Roku enabled TVs very clearly send back frames of what you are watching. I've
been watching YouTube casted via chromecast plugged into HDMI (NOT the built
in chromecast, I have verified multiple times) and the Roku will give me a
full width toast saying to press `*` to watch the full movie or some similar
contextual option

I was pretty put off the first time this happened. That said, I don't even
know if I looked through the settings to see if I could turn it off..

~~~
xcgfhgjbjhb
I worked on that.

It sends audio and/or video fingerprints (not frames, for privacy and
bandwidth reasons), which are matched against a fingerprint database. Whatever
people see on TV is usually 10 to 60 seconds behind the _real_ live stream at
the broadcaster (which is where the reference fingerprinting happens). GeoIP
data can be used to roughly deduce where the TV is located, in order to better
filter out false positives out of multiple matches (e.g. in the US where lots
of programming on east/west side is just shifted by ~3 hours due to time
difference).

~~~
move-on-by
Any way to turn it off? Or perhaps block a specific domain via pihole?

~~~
sjwright
Don’t let your TV access the internet at all.

Smart TV interfaces are almost uniformly worse than set top boxes (one or more
of: bad UI, slow CPU, weird quirks, few updates) so you should avoid it
anyway.

The current Apple TV (which I cite only because of familiarity) has a great
UI, every major app, and robust HDMI-CEC support so you might never have to
touch your TV’s remote again.

And Apple respects your privacy.

~~~
rodgerd
Some smart TVs will join open networks if you don't give them one. And I
expect that if 5G works as advertised you'll see surveillance capitalism
adding 5G connectivity so you no longer have control over connectivity.

~~~
sjwright
A website that catalogued the misbehaviours of the various smart TV operating
systems (and the easiest methods of defeat) would be handy here.

E.g. Some TVs will honor wifi off setting. Or alternatively setting the TV to
use the Ethernet port.

Or if it needs something on the other end, set up old underclocked Raspberry
Pi as a basic router/DHCP server that connects to nothing; power it with TV's
USB port.

If you've got a fancy router, connect it to your network with a fixed IP and
firewall deny all packets from/to its IP.

If you've got a fancy AP, set up an alternative SSID that connects to an
unused VLAN or otherwise routes to nowhere.

~~~
oger
A Pi-Hole is good to have in every household. Takes minutes to set up and
makes sure that queries to unwanted domains end up in the land of /dev/null

~~~
sjwright
A pi-hole only works against adversaries that rely upon DNS, or haven't been
coded to connect directly to "trusted" public DNS servers.

(I'm almost astonished that advertising networks haven't switched to using raw
IP addresses everywhere.)

~~~
TremendousJudge
You could probably very easily make a list of the "evil" IP addresses if that
happened

~~~
tlavoie
You can combine approaches of course. My main in-home DNS, per the DHCP
settings on the wi-fi, is a Pi-Hole. Secondary DNS is the pfSense firewall, so
nothing's dead in the water if the Raspberry Pi falls over for some reason.

The firewall has the same DNS block-lists as the Pi-Hole, but also has
subscription lists of IPs to avoid. Most of those are spammers or malware, but
can include whatever other category of malfeasance you desire.

------
throw03172019
I disabled WiFi on my Samsung TV after they were injecting ads into the home
screen. Spend $800 to get ads served in their shitty/slow UI.

~~~
lrem
An acquaintance attempted that with Kindle, by keeping it in flight mode.
After some days it popped up a message kindly asking to give it some network
access. After a few more days it simply ignored the flight mode and connected
to get fresh ads.

Edit: I've checked with my wife who has an ad supported Kindle for over a year
and keeps it in flight mode for months at a time. It never did that to her. So
either Amazon changed that a long time ago, or I've believed a lie.

~~~
driverdan
I had the same thing happen. I rooted my Kindle and kept it in flight mode to
avoid tracking and updates. After not using it for months I recharged it and
when I turned it on it had auto updated to the latest version, killing root.

So not only did mine exit flight mode it somehow re-enabled updates and
updated itself.

~~~
saagarjha
It's possible that it may have cleared its settings after being away from
power for that long.

~~~
driverdan
It shouldn't since settings aren't stored in volatile memory.

------
the_svd_doctor
I tried to never connect my Smart TV to anything, but I realized one day (when
someone's stuff was playing on it without me accepting any request...) it
connected to an open network in my residence. The only trick that worked to
prevent it from connecting was putting the wrong password, and let it loop
forever, trying to connect. Ugly.

~~~
Godel_unicode
I have an extra SSID which has no internet access and logs all of the things
for exactly this reason.

~~~
milofeynman
What's the simple setup for something like this?

~~~
paulie_a
Ubiquiti makes it really simple

Basically create a new hidden SSID and make a new route that goes nowhere

Then enter SSID and password into the tv

You can monitor that interface too

~~~
Godel_unicode
For bonus points, mirror the traffic off to a Zeek to get even more than the
Ubiquiti DPI

------
dangrover
It is not clear why we should necessarily be suspicious of smart TVs based on
the findings here.

The lines seem to be blurred between what data is being sent _by the TV OS
itself_ versus a third party app that someone may have decided to use during
the period that the researchers watched outbound network connections.

If someone is using the Netflix app, this necessitates that the TV must
communicate with Netflix. How else would it work? Similarly, if you use the
YouTube app, you would definitely get some requests to Google. Surely some
developers of smart TV apps have decided to use Mixpanel or Adobe for
analytics.

The "sensitive user data" alluded to in the headline is later admitted to be,
at a minimum, "information about the device people are using, their locations,
and possibly even when they are interacting with it".

Let's unpack that. It's pretty common for every web browser to send a user
agent. Why shouldn't apps for a TV send device info to the app maker? Location
can be inferred via IP, like any network request (nothing special here). And
with any request, you of course know the time it was made (and could infer the
interaction that produced it, like opening the app).

So they've told us nothing to support the headline. Indeed, the original paper
from Northeastern notes that they did not try to inspect the data or MITM
encrypted connections, so all we know is that requests are being made to these
services during the course of operating the device and its apps. Not that the
device manufacturer itself is sending your data, unprompted, to these third
parties. So, the headline does not match the story.

Seems like university PR office must have gone a little crazy with this one.
Why is nobody on HN questioning such a sensationalist, substanceless article?

~~~
freeone3000
Because it interferes with the idea of a TV being a display. A TV should not
have apps. If it does have apps, these apps should not communicate data to the
manufacturer. It shouldn't send back data about the operating system because a
TV shouldn't have an operating system.

~~~
wodenokoto
Of course a TV should have an operating system. It needs menus and options,
video and audio codecs, up and downscaling algorithms and many many other
things, just to be a dumb TV.

~~~
rhinoceraptor
All of those codecs and video processing are probably done in hardware
regardless of whether it has a real OS or just a microcontroller.

------
ghostpepper
I would love to update my 10 year old 1080p Philips non-smart TV to a 55" or
so 4K HDR screen but I don't want any of the smart features. Does anyone know
of any manufacturers selling high end "dumb" TVs?

For now I'm comfortable using my appleTV but I like the fact that I can
disconnect it at any time. I want a TV that will simply display whatever
signal it receives without any connectivity required.

~~~
m_eiman
I'm using an LG OLED TV (2018 model I think) with an Apple TV, and it's
working pretty much exactly like a dumb screen. I haven't connected the TV to
the network, and I control everything with the Apple TV remote - it turns on
the TV via HDMI CEC as needed, and when I turn off the Apple TV the TV turns
off too. I've also connected my home theater system via HDMI ARC to get better
sound, and CEC turns on and off the speakers too.

All I see of the LG interface during normal use is a small box in the top
right corner that says "Apple TV" on boot and "Denon available" or something
like that when the speaker system has booted.

Also, the screen turns on quickly so there's practically no waiting for
anything.

I was thinking of getting one of those in-store displays instead of a TV, but
they don't usually have HDR.

A++++, would buy again!

~~~
TremendousJudge
I'm using a Raspi4 with Libreelec (this is kodi) and I have had pretty much a
similar experience (but with a bunch of OSS quirks of course). A nice surprise
is that I can actually control the kodi interface with my TV remote

------
amdelamar
One of the first images to appear on my Samsung TV, after purchasing and
plugging it in to the power outlet, was a prompt asking to connect to my WiFi.

They almost got me, but thankfully there was an option to skip that step. But
I'm sure they'd hook my parents and friends for sure.

~~~
farisjarrah
Next time, make a VLAN with its own Wifi, then connect the TV to that VLAN and
then what you want to do is block any incoming or outgoing network traffic to
the smart TV. If you do this then no one else can attempt to hijack or connect
to your TV and the TV won't ask you to connect it to a network, because it's
already connected to a network. This worked great on my LG smart TV.

~~~
RussianCow
What is the point of doing this as opposed to just skipping that step? Does it
keep nagging you? Or are certain features disabled if you don't connect?

~~~
boring_twenties
I don't own a Smart TV, but without this step I'd be very suspicious that the
TV would silently try to connect to open wifi networks, or perhaps some kind
of hotspot like xfinity or AT&T that the manufacturer made an agreement with.

~~~
lrem
Won't they just use Ethernet over HDMI?

~~~
flukus
Oh FFS I just learned this was a thing, I can't even trust my cables anymore.

~~~
freeflight
Be aware that your ethernet cables could also be powering stuff, so that's
another cable to watch out for ;)

~~~
partialrecall
Watch out for the reverse too, ethernet over powerline is a thing!

------
siempreb
> Smart TVs sending sensitive user data to Netflix and Facebook

No way! Has that ever been news? It is the first thing that comes to mind when
some product 'needs' to be connected to the internet. Sending private data is
most likely the only reason an internet connection can be made with the device.
All the 'great' software around it is only fluff supporting to lure people
sending their private data unknowingly. Do they send microphone and camera
data home? Of course, that's the cream. Oh, and do they protect your sensitive
data well? Nah, that's not a priority, who cares..

In the past you bought a new tv, and the manufacturer was happy and treated
you with respect. Today you think you buy a tv, but tv is actually the
secondary feature, you just bought an intrusion device that collects your
private life in order to send it to the manufacturer for selling it.

I have a new x-large smart tv which I would never connect to the internet for
these reasons. I use a dedicated pc with a good graphics card that connects
through HDMI. On my couch I have a wireless mouse and keyboard. With this dead
simple setup I cannot only watch regular tv, I can of course do anything you
can think of doing on a pc. It also has become my favorite gaming setup.

I think governments should be more active to protect citizens of course. Non-
technical people are prey nowadays. I despise this new economy and I'll never
ever want to make any money off of it, I'd rather live and die poor.

~~~
gambiting
The problem is that I want to just use the netflix built-into the TV. Firing
up a separate device just to watch something seems like a waste of energy to
me, and then I probably need a separate controller for it (like, I can control
the PS4 with my TV remote, but I cannot switch it on remotely without using
the DS4).

>>I have a new x-large smart tv which I would never connect to the internet
for these reasons. I use a dedicated pc with a good graphics card that
connects through HDMI.

Assuming you use windows on it, haven't you just traded one type of telemetry
for the other?

~~~
siempreb
No. It's a linux, and there is no mic or cam connected. I use Netflix too,
works like a charm. And I can understand your temptation of using the Netflix
button on the remote control, it's one of the lures.

------
kminehart
When can I buy a TV without smart features? I don't doubt that my smart TV is
reporting some data about my usage, but I barely have a choice in the matter.

~~~
cactus2093
It's surprising to me that you can't find a single medium or high-ish end TV
without smart features, but at the same time chromecast/firetv/apple tv units
and sticks also seem to be selling very well.

Is everyone just putting up with the shitty built-in smart interface, but then
switching inputs to their separate unit of choice?

~~~
tzs
I really wish the whole home theater system was way more modular. I want:

1. A TV that _just_ displays video from an HDMI input.

2. An A/V amplifier that _just_ receives an HDMI A/V signal from a single
input, passes the video from that to the TV, and does Dolby/DTS/whatever
decoding of the audio, amplifies the result, and sends it to my speakers.

3. An HDMI switch that I can plug assorted A/V sources (FireTV, Roku, OTA
TV tuner, Blu-ray player, Cable box, etc) into, which I'll connect to the A/V
receiver.

(Actually, what I really want is for the switch to split the A/V signal into
separate audio and video on two different HDMI ports. Video goes to the TV,
audio the A/V amplifier--except now it is just an A amplifier. But I think
there may be licensing restrictions on that kind of splitting that make it so
you can only split at the step that converts to analog for the speakers).

All of the HDMI connections should support Ethernet over HDMI.

None of these should have WiFi built-in. Their networking should be via
Ethernet. If I want WiFi, I'll add a WiFi access point to the home theater
LAN.

I'm not sure how Ethernet over HDMI interacts with HDMI switches. If you have,
say, a 4 input, 1 output HDMI switch, does that switch all signals, so that
you only have Ethernet between the one selected input and the output, or are
the Ethernet lines treated specially and connected like a hub, so that all
devices on both sides of the switch can communicate over Ethernet, regardless
of which input is currently selected for A/V?

If the latter, then the home theater LAN can use the HDMI ports. If the former,
then all the devices need an Ethernet port.

~~~
msbarnett
You basically want to be looking at projectors, they meet all your
requirements, and they’re not generally “smart”.

------
gorbypark
Kind of off topic, but I have an older Samsung smart tv. It has an ethernet
connection, but it didn't have any option for WiFi. For a few years I had it
wired up to ethernet, and after rearranging where my router lived in the house
I didn't have a long enough ethernet cable, so I hooked up a USB WiFi dongle.
It worked great for a few months until I needed that dongle to connect a
Raspberry Pi to WiFi, so I stole it from the TV...and lo and behold the TV
still had internet access via WiFi! The only thing that I think could have
happened is that the TV had WiFi hardware but was disabled in software,
because at the time a WiFi TV was selling at a premium and this was a cheapo
one I bought from Wal-Mart. So I guess hooking up the USB dongle somehow
unlocked it. It kinda freaked me out that there was hidden WiFi hardware in
there.

 _edit_

The tv definitely phones home too, my Pi Hole blocks a few hundred attempts to
lookup log-ingestion.samsungacr.com, xpu.samsungelectronics.com and
upu.samsungelectronics.com _per day_.

------
ping_pong
This is why I (currently) trust Apple, because they appear to care about
privacy. I am not blinding myself to the possibility that this may change, but
right now this is their selling point to me.

~~~
slivanes
Apple cares about privacy enough to make Google their default search provider
for many billions each year. Apple pays lip service to your privacy and
obviously cares more about money just like any other corporation.

~~~
throwaway122378
You can make DuckDuckGo your default search engine on all Apple devices.

Apple is definitely a for profit business and they charge for their products
instead of subsidizing with data aggregation or theft.

~~~
bryan_w
Still doesn't change the fact that if Apple was principled on privacy, they
would refuse google's billions in spy money and wouldn't, by default, send
their customers to Google search engine to be harvested

~~~
throwaway122378
I hear ya but if DDG doubled Google's offer Apple would change the default.
They are for profit and don’t hide it. Google and Facebook on the other hand
hide or at least try to hide their illegal business models

~~~
a_imho
It is not their fault the highest bidder is the shadiest of them all? That is
some weird mental gymnastics to give Apple some moral high ground.

------
isostatic
Just wait for TVs and other gadgets with built in 5g and iot sim cards that
you can’t simply “skip network” on.

~~~
favorited
I was shocked when a medical device I got had a built-in CDMA modem to send
telemetry to my insurance company. Thankfully there's an airplane mode.

~~~
abacadaba
Patient appears to not be using device, increase rates accordingly.

~~~
favorited
That's pretty much what it's for! If you don't use the modem, you need to
export usage data onto an SD card and mail it in.

Conceptually, I understand that they don't want to continue paying for a
therapy if you're not actually using the equipment. But having a wireless
modem built-in is a bridge too far.

------
p1mrx
My TV (Vizio P55-C1) doesn't have a "disconnect" option. I either need to do a
factory reset, or change passwords three times (WiFi AP to temporary, TV to
temporary, WiFi AP back to normal.)

I suppose I could just never connect it to WiFi, but then it wouldn't get
firmware updates.

~~~
dreamcompiler
TVs should be dumb enough to never need firmware updates. I realize many do,
but I consider that a design flaw.

------
dandare
I still don't understand this whole "business model". Could someone ELI5 these
three questions?

1) How exactly is this targeting information useful to advertisers? Do they
pay for targeting in order to pay for fewer ads?

2) Where is the market for "user data"? How do you sell your blog visitor's
data?

3) How much is the data worth? Some equivalent to CPM? Could you monetize your
blog not by showing ads but by selling user information?

~~~
nabla9
>Do they pay for targeting in order to pay for fewer ads?

Yes. There can be more and smaller advertisers when you can tailor ads to the
market. Nontargeted advertising is economic only for biggest brands.

Data that is collected sparsely can help to identify interests and match ads
to users. Geographic location helps to match ads from your local market to
the blog the user is currently reading, for example.

Continuously collected information can be used to direct and predict behavior.
The user matches profile of stressed person. People under stress have low
impulse control, show them ads for products that are typical impulse
purchases. S

>Where is the market for "user data"? How do you sell your blog visitor's
data?

You don't. You add common trackers to your site and receive income from ads
through them.

> Could you monetize your blog not by showing ads but by selling user
> information?

No. This does not work in small scale. Single blogger can't create much value
by selling data directly. Google or Facebook do that.

------
abstractbarista
I couldn't find info in the article about whether LG (WebOS) Smart TVs
still do this even if you opt-out of all the "Channel Plus" and other sketchy
advertising/user-tracking features in the menu.

I guess it's time to fire up Wireshark. I love these TVs because they can be
integrated with home automation like Home Assistant. But maybe it's time to
put it on a VLAN with no access to the WAN.

------
fitzroy
PSA: If you mostly like to watch movies and/or cinematic TV (with the lights
off, or in a dimly lit room), consider a home theater projector instead of a
TV. In a dark room (even with white walls) the image is fantastic in cinema
mode, and nearly as good (and quite a bit brighter) in "living room" mode.
Best of all, they have absolutely zero "smart" features.

I bought an Epson PowerLite Home Cinema 8345 Projector refurbished for around
$470 a couple years ago to replace my 720p Panasonic AX200U. The Epsons have a
solid warranty and will easily project a 100"+ image in a dark room on a
basic (<$200) screen. The bulbs work out to about 10 cents/hour of usage.

This 3100 is basically the newer (and better) version of mine for $684, and
the one I'd get if I was buying today.
[https://epson.com/Clearance-Center/Home-Entertainment/Home-C...](https://epson.com/Clearance-Center/Home-Entertainment/Home-Cinema-3100-Full-HD-1080p-3LCD-Projector---Refurbished/p/V11H800020-N)

------
neonate
[http://archive.is/vB4XC](http://archive.is/vB4XC)

------
sys_64738
Did anybody really believe that data wasn't being sent to ad companies like
Facebook? Our default position should be to assume it is so until it is proven
otherwise.

------
squarefoot
It wouldn't be that hard to make a small firewall to put in between the TV and
the Internet, with rules that block unwanted traffic - or better, block it and
inject fake data - while allowing normal use of the TV.

This cheap SBC comes to mind, there's a very similar one from OrangePI too.
[https://www.friendlyarm.com/index.php?route=product/product&...](https://www.friendlyarm.com/index.php?route=product/product&product_id=248)

It would be nice having say a version for traveling with laptops etc if we
don't trust the hotel connection and one to protect from being spied by the
SmartTVs, where changing from one to the other requires nothing more than
swapping an SD and reboot.

~~~
natmaka
How will it detect unwanted (spying) traffic from legitimate operations
(software update...)? Moreover it is a moving target, as the firmware can, at
some point in time, use another endpoint (especially after an update).

~~~
squarefoot
"How will it detect unwanted (spying) traffic from legitimate operations
(software update...)?"

That would be harder, especially true in case of encrypted traffic.

"Moreover it is a moving target, as the firmware can, at some point in time,
use another endpoint (especially after an update)."

This one might be easier to fight than the former. Upgradable black lists might
be a solution, not unlike some antispam software work: the firewall software
downloads weekly/daily from a central server (1) a list of all legit/evil
addresses and checks where the TV attempts to connect against that list, then
filters traffic as required.

(1) I would assume we would trust a centralized server for this purpose as
much as we would trust a server holding spam and malware sites.

~~~
natmaka
Each firmware update may come with a large list of endpoints. They also may
use the very same servers (IP addresses) in order to spy and also for the
updates or legitimate apps.

For the customer eager to benefit from a connection to the Internet it may be
a lost battle, he will be spied on.

------
beamatronic
You can make a Smart TV into a dumb TV by simply not allowing it to connect to
the Internet, ever.

~~~
boring_twenties
In a hn thread the other day, someone told me their TV will simply connect to
any open wifi networks it comes across, just to phone home. I couldn't get the
brand or model out of them, though.

~~~
beamatronic
That’s awful. We need to find out that brand.

~~~
boring_twenties
Well, there's another guy now saying the same thing in this thread, too:
[https://news.ycombinator.com/item?id=21010777](https://news.ycombinator.com/item?id=21010777)

Also on this thread is the supposition that eventually TVs will just have
their own cellular data connections:
[https://news.ycombinator.com/item?id=21010790](https://news.ycombinator.com/item?id=21010790)

Sickening, really.

------
SiVal
(I'm asking because I don't know. It's not advocacy. I have NONE of this
equipment currently.) So, if I get gigabit cable internet and want to buy a 4K
tv and plug it in for streaming Netflix, Amazon Prime, YouTube, etc. (no
broadcast, no WiFi to reduce bandwidth), is the solution to leave the WiFi off
on TV setup (or give it a bad password to avoid opportunistic connection) and
to plug the ethernet cable coming out of the cable modem into an Apple TV
and/or Roku instead of into the TV, getting all of my programming thru wires
coming out of these secondary boxes?

~~~
banana_giraffe
Generally yes. In my (accidental) experience, don't give it a bad WiFi key,
it'll just complain. Just leave it disconnected. Honestly, given the
unnecessary updates, ads, and just horrid UI that WiFi brought me on my TV,
I'd suggest leaving it offline even if you don't care about the privacy
issues.

Oh, and WiFi won't change how much bandwidth you're using. And given the low
(compared to Bluray) bitrate of 4k content on the streaming services, you
probably don't need gigabit.

And, it's not for everyone, but I personally like just hooking up a small PC
(Intel's NUC works well here) and using that instead of AppleTV or Roku.

------
kungito
Does this happen with Chromecast as well? I'm totally fine with disconnecting
my tv since I only use it via Chromecast anyways. Smart tv makes no sense to
me since they are all 10x shittier than Chromecast

~~~
mrweasel
The spying is one thing, but you're right: SmartTVs don't make sense,
because the software sucks.

If Sony, Philips or some other manufacturer made a SmartTV with software that
rivalled the AppleTV, or even just a Chromecast, then it would make some sense
to save the money from the AppleTV and buy a better TV.

The thing is that all of the SmartTVs I tried are slow and confusing. You're
better off buying a cheaper TV and getting the $200 AppleTV HD.

If you factor in the cost of developing shitty software, then maybe there
would be more profit in just releasing a new dumb TV.

------
ubermonkey
I am really baffled that anyone with a clue would enable "smart" behavior from
a consumer electronics product like a TV (ie, one from a company not known for
privacy and security).

Our TV is old enough that it's not smart. We mostly watch things from the
AppleTV on it, plus some from our very small cable package/DVR.

Choosing a set-top-box vendor you trust (and for us, that's Apple) gives you
everything you'd get by trusting Samsung or Vizio, right? Why even turn ON
the network features of the TV?

------
dehrmann
Ex-spotifier here. I'm only somewhat familiar with this, it's been a while,
and I'm not speaking for Spotify, but I wouldn't be surprised if the data is
being sent for speaker/remote control device discovery. It's probably the same
for Google and Chromecast.

Knowing what else gets collected online, this isn't a big concern for me. I'm
more worried about these devices not having great security and not getting
security updates for their entire life.

------
tibbon
My LG C8, which I've done anything on with apps aside from installing Amazon,
Youtube and Netflix (which I hope are "safe" and "reputable") is frequently
trying to connect out with what appears to be a rootkit in Googling:

> Threat Management Alert 1: A Network Trojan was Detected. Signature ET
> MALWARE Misspelled Mozilla User-Agent (Mozila). From: 192.168.1.x:46372, to:
> 23.52.164.68:80, protocol: TCP

My firewall picks this up, otherwise I'd never know it.

~~~
Godel_unicode
That's a really loose signature, it's just a misspelling which is actually
pretty common in low-qa software that talks to the internet.

The dst IP in your alert is an akamai one according to centralops.

------
vxxzy
I’ve had great luck blocking SmartTVs with a PiHole and a custom list. Also
adding regex blacklists like “samsungtv” and “roku” seems to help. Granted, I
sometimes disable the block to install updates and apps - but it seems to work.
My next move is to start whitelisting destination IPs for smart devices and
putting them on their own SSID/VLAN.

~~~
U8dcN7vx
In-application DNS resolution (e.g., DoH aka DNS over HTTPS) will defeat a
PiHole. Will anyone bother
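
Added example (not part of the comment above, nor code from any project named in the thread): a check for the bypass described here and in sjwright's earlier comment about clients that do not rely on the local DNS server. It correlates a dnsmasq-style query log with router flow records and reports destinations a device reached without asking the local resolver; the log lines, flow tuples, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: dnsmasq-style lines as found in a Pi-hole query log.
DNS_LOG = """\
Sep 18 20:01:02 dnsmasq[812]: query[A] api.streaming.example from 192.168.1.50
Sep 18 20:01:02 dnsmasq[812]: reply api.streaming.example is 203.0.113.10
Sep 18 20:01:05 dnsmasq[812]: query[A] cdn.streaming.example from 192.168.1.50
Sep 18 20:01:05 dnsmasq[812]: reply cdn.streaming.example is 203.0.113.20
Sep 18 20:02:00 dnsmasq[812]: query[A] news.example from 192.168.1.23
Sep 18 20:02:00 dnsmasq[812]: reply news.example is 198.51.100.7
"""

# Constructed sample: (source, destination, destination port) flow records,
# e.g. exported from the router. 192.168.1.50 plays the TV.
FLOWS = [
    ("192.168.1.50", "203.0.113.10", 443),  # looked up through the Pi-hole
    ("192.168.1.50", "198.51.100.7", 443),  # only another client looked it up
    ("192.168.1.50", "8.8.8.8", 53),        # plain DNS sent past the Pi-hole
    ("192.168.1.50", "1.1.1.1", 443),       # HTTPS to a public resolver
    ("192.168.1.50", "192.168.1.2", 53),    # the Pi-hole itself
    ("192.168.1.50", "203.0.113.99", 80),   # never looked up by anyone
]

LOCAL_RESOLVERS = {"192.168.1.2"}  # assumed address of the Pi-hole
# Well-known public resolvers that also answer DNS over HTTPS.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)$")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")


def resolved_ips_by_client(log_text):
    """Map each client to the set of IPs it learned through the local resolver.

    Reply lines carry no client address, so answers are joined to clients by
    queried name. CNAME chains are not followed in this sketch.
    """
    asked = defaultdict(set)    # name -> clients that queried it
    answers = defaultdict(set)  # name -> addresses returned for it
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            asked[m.group(1)].add(m.group(2))
            continue
        m = REPLY_RE.search(line)
        if m:
            answers[m.group(1)].add(m.group(2))
    seen = defaultdict(set)
    for name, clients in asked.items():
        for client in clients:
            seen[client] |= answers[name]
    return seen


def classify(flow, seen):
    """Label one flow by how its destination relates to local DNS activity."""
    src, dst, port = flow
    if dst in LOCAL_RESOLVERS:
        return "local-dns"
    if port in (53, 853):                 # DNS or DNS-over-TLS to someone else
        return "external-dns"
    if port == 443 and dst in PUBLIC_RESOLVERS:
        return "possible-doh"
    if dst in seen.get(src, set()):
        return "resolved"
    return "no-lookup"                    # hardcoded IP or in-app resolution


def audit(device, log_text, flows):
    """Return the device's flows that did not go through the local resolver."""
    seen = resolved_ips_by_client(log_text)
    report = defaultdict(list)
    for flow in flows:
        if flow[0] != device:
            continue
        verdict = classify(flow, seen)
        if verdict not in ("resolved", "local-dns"):
            report[verdict].append((flow[1], flow[2]))
    return dict(report)


if __name__ == "__main__":
    for verdict, dests in audit("192.168.1.50", DNS_LOG, FLOWS).items():
        print(verdict, dests)
```

Anything reported as `external-dns`, `possible-doh` or `no-lookup` is traffic a DNS blocklist never saw, which is what a firewall rule or IP list on the router has to cover.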

------
mirimir
I will never buy a "smart TV". For one thing, I don't have much use for any
TV. What I have is a large display attached to a media server. It doesn't have
Internet access, except when I need to update packages. If there's something
that I want to watch on it, I just use a DVD, or get a copy of the file.

------
jacobwilliamroy
Every now and then I have to have this conversation with my mum and dad:
"the TV will occasionally ask you to tell it your name, where you live, your
birthday etc. Don't tell it ANYTHING. They can't make you."

I wish the people who make my parents' TV would stop trying to trick them into
doxing themselves.

------
ChuckMcM
Which is why I have firewall rules _inside_ my freakin' house which prevent
things from sending packets outside. It really is annoying. If you allow DNS
and ping it seems the TV won't constantly complain that it doesn't have an
internet connection.

------
Johnny555
Does anyone publish a set of firewall rules (pfSense would be ideal) that
allows Netflix, Hulu, etc to work with a Roku or Smart TV while blocking
things like facebook?

I understand that Netflix is going to track me when I'm a Netflix subscriber,
but why should Facebook do it?

~~~
ignoramous
On an Android smart TV, I run a DNS changer and point it to local pi-hole to
block trackers and ads aggressively. Not sure if it ends up cleaning up
everything but I do see 15% of the DNS queries pi-holed.

------
rrsx
[https://www.washingtonpost.com/technology/2019/09/18/you-wat...](https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/)

------
phy6
I blocked these URLs on my router, and my Samsung TV went into a setup mode,
eventually switching languages into German.

config.samsungads.com samsungacr.com samsungads.com samsungcloudsolution.com
samsungcloudsolution.net samsungotn.net samsungtvads.com
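
One way to check which devices on a LAN look up the domains listed above, added here as an example that is not part of the original comment: it tallies dnsmasq-format query lines (the format Pi-hole logs) per client and matches subdomains on label boundaries. The log lines, the subdomain and the IP addresses are constructed.

```python
import re
from collections import Counter

# Domains from the comment above; subdomains are matched too.
BLOCKLIST = {
    "config.samsungads.com", "samsungacr.com", "samsungads.com",
    "samsungcloudsolution.com", "samsungcloudsolution.net",
    "samsungotn.net", "samsungtvads.com",
}

# dnsmasq query line: "... dnsmasq[812]: query[A] name from 192.168.1.50"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

# Constructed sample log (hosts, addresses and timestamps are made up).
SAMPLE_LOG = """\
Sep 18 20:01:02 dnsmasq[812]: query[A] config.samsungads.com from 192.168.1.50
Sep 18 20:01:02 dnsmasq[812]: query[AAAA] x1.samsungacr.com from 192.168.1.50
Sep 18 20:01:05 dnsmasq[812]: query[A] video.example.org from 192.168.1.50
Sep 18 20:01:09 dnsmasq[812]: query[A] notsamsungads.com from 192.168.1.77
Sep 18 20:01:11 dnsmasq[812]: query[A] SamsungOTN.net. from 192.168.1.50
Sep 18 20:01:12 dnsmasq[812]: reply config.samsungads.com is 0.0.0.0
"""

def is_listed(name, blocklist=BLOCKLIST):
    """True if name equals a listed domain or is a subdomain of one."""
    labels = name.rstrip(".").lower().split(".")
    # Compare every suffix on a label boundary, so that
    # notsamsungads.com does not match samsungads.com.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def tally(log_text):
    """Return {client: (listed_queries, total_queries)} from query lines."""
    listed, total = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply/forward lines carry no client address
        _qtype, name, client = m.groups()
        total[client] += 1
        if is_listed(name):
            listed[client] += 1
    return {c: (listed[c], total[c]) for c in total}

if __name__ == "__main__":
    for client, (hit, n) in sorted(tally(SAMPLE_LOG).items()):
        print(f"{client}: {hit}/{n} queries ({100 * hit / n:.0f}%) to listed domains")
```

A device that resolves names itself over DoH, as raised earlier in the thread, never appears in this log, so a zero count here does not show that the device is quiet.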

------
jamiepenney
Is there a manufacturer that is better in this regard? I assume Samsung would
be the worst.

------
taurath
I wonder - how prevalent is this in vehicles now? My car probably knows where
I am, what podcasts I listen to, my daily routine, all sorts of things. It can
connect via 3g without me knowing it and send all sorts of usage data.

This is why regulation is IMPORTANT. A whole industry can decide this is their
business model, an industry where competitors can't really get in, and
consumers are screwed. Well just don't drive a car, just don't use a tv is not
a valid argument.

------
user56785678
My LG TV webOS YouTube app generates some hard to hear sounds when menus and
content are navigated. Even though I am not logged in to the YouTube app, I
suspect they can be captured by an Android device nearby and correlated with
that device user. The apps that have the login data already can share whatever
they like. There was a story some years ago when even shared local media names
were shared by some TVs. If you have a device connected to network, you can be
sure it will share whatever it can, malicious intent or not.

------
everdrive
For years, we've been avoiding this whole problem. We have a dumb TV hooked up
to a computer. The computer doesn't even have a fancy couch-friendly interface
installed. It's just a computer. And therefore, it literally plays all media
we want, and if we prefer, it blocks ads and plays music too. The computer
doesn't spy on us because we control it, and websites only spy on us to the
degree that we're unable to prevent. (pihole, ublock, etc)

------
kevindong
The next time that Apple comes out with a new model of their Apple TV 4K
(likely next month), I plan on buying one and completely disconnecting my
smart TV from the internet.

My TV's UI is incredibly laggy and Vizio forces upon me a barely tolerable UI
with the first two rows on the main page consisting of unhideable suggestions
on what I should watch---even content that I cannot watch since I'm not
subscribed to every service.

------
Libre___
My TV is completely airgapped now for privacy reasons, but I really wish there
was a way to replace the OS running on it.

I used to be (and still am) a big fan of the Smart TV concept, seeing as
there's a whole quad core ARM SoC built into my TV that might as well take the
streaming duty instead of having an extra HTPC or Chromecast lying outside of
it.

------
geggam
I am starting to think I should block all traffic out of my home network and
force everything to go through a proxy server where I can manage all outbound
traffic.

The number of devices I have plugged into my home network is astonishing and
the chatter / discovery they do to each other is interesting to watch.

Zero trust model for everything ... I guess ?

------
bsenftner
It's been this way for a while. That is why I get 4K Monitors, not a "smart
TV". If a monitor has anything beyond a hdmi jack, I skip it.

Cars are going this way too. The current model year has all car manufacturers
producing these ruined vehicles. Hold what you got, or buy used until this
bullshit is regulated away.

------
myle
Stallman has been saying for a while that "smart" devices mean devices that
spy on you.

------
cityzen
I went in to my router to block my Samsung TV last night and thought it was
cute that instead of using the device name I set it was using "localhost". I
guess these companies will go to any extreme to steal your info.

------
kevin_thibedeau
Android phones talk to Facebook too even if you don't have an account or any
of their apps.

~~~
huhtenberg
Source?

~~~
lern_too_spel
If you run an app that uses Facebook libraries. This is true on iOS, the web,
and any other platform as well.

~~~
_verandaguy
This feels less like an Android issue than it is a Facebook issue (which I say
without implicitly defending Google's privacy-breach record).

------
ck425
Do they send data from games consoles? I watch TV entirely through my PS4,
with the actual smart TV not hooked up to my wifi. I presume that would stop
TV companies from getting my data, but then again Sony might sell it
themselves.

------
decoyworker
There is a simple way around this- never connect these to your LAN. I don't
need the features, I don't need the data collection, and I certainly do not
need the extra security footprint.

------
aussieguy1234
I use Kodi on a Raspberry Pi. There is a plugin for Netflix (which I don't use
due to the content restrictions they have in Australia thanks to the Foxtel
monopoly). Problem solved.

------
duxup
I've made a point to not enable or connect my smart TV to any network. I'd
rather use services over other devices anyway.

Granted there are plenty of other ways to get that data.

------
robinduckett
Worked in this industry for years. It didn't really feel right at the time.
Adverts on volume buttons. Frames of video sent to third parties. Etc

------
excalibur
But why would anybody NOT want a smart TV? /s

------
switch007
Spy TVs are nothing compared to Spy energy meters.

They will bring in a new era of surge-based pricing, which will eliminate all
tariff comparisons as it will be impossible to compare.

Higher pricing is already starting with non-spy tariffs being more expensive
than spy tariffs.

If you happen to buy a home with one, and want the spy meter removed, you are
at the mercy of the supplier and they will embark on a campaign against you to
keep it. The lies will soon start saying they have no analogue meters in stock
etc.

------
FairKing
I think it must be possible to shut down the smart TV OS and watch your TV box
with Libreelec via HDMI instead.

------
jeffk_teh_haxor
What if the communication is benign? What if the TV is simply refreshing a
list of recommendations? Everybody - including this forum - is so primed to
read nefarious motives into basically anything a computer can do now. Soon
we're not going to be able to write a single "hello world" app w/o having to
fill out a ream of EU paperwork and get licensed and bonded in advance.

~~~
partialrecall
"Recommendations" is just newspeak for advertising. I don't want my TV doing
that.

Here is a novel idea: if your shit is so great for users, not contrary to
their interests, why don't you ask them to opt-in?

------
JohnFen
Not just to Netflix and Facebook. This is why I don't, and won't ever, own a
smart TV.

------
zerop
I have assumed any device around me is sending my data somewhere not intended.
Period.

------
chiefalchemist
Odd. Most of the discussion here is about the TV and the collection, few seem
interested in where that data is being sent? Has the shameless nature of
Netflix's and FB's privacy invasions been normalized? Ironic given that
Snowden's book dropped this week.

------
sunstone
Smart TV's are only for stupid people. If you have one, unplug it from the
internet, this removes the smartness. Add back your own smartness with a "NUC"
kind of computer. Now you have a dumb TV and a smart owner.

------
dzonga
when I wanted a 4K, I made sure it wasn't a smartTv for the reasons outlined
in the article and comments. hard to find, but walmart had their own dumb 4k
tv

------
anotherrobot
Guess what. Apple tv NOT on the list..spend the 150$

~~~
gundmc
But the Apple TV doesn't have a screen and it's hard to find a decent "Dumb"
TV to even hook up a Roku/Apple TV/Chromecast to these days.

------
bxio
Get yourself a Pi-hole. Block all phone home attempts.
[https://pi-hole.net/](https://pi-hole.net/)

~~~
drdrey
It can't possibly block all phone home attempts. How would the Netflix or
YouTube apps work on those devices if network traffic to those respective
third-parties were blocked?

------
hootbootscoot
Gee who would have seen that coming...

~~~
hootbootscoot
Might as well buy an Alexa, LOL...

At this point, people have to wonder what benefits the IOT fabric provides
THEM versus what benefits it provides the vendor or configurator/bundler...

Of far greater concern is the pile of unpatched linuces these crapware
bloatware "embedded linux" devices tend to be equipped with. It's an entry
vector...

or hardcoded "admin:admin" login credentials...

------
abacadaba
Any AOSP android tv boxes out there?

------
shoaibakbar
and we don't answer our names to unknown phone calls made by our friends :P

------
api
Just assume almost everything is a data grab and you will be right more often
than wrong.

------
homerhomer
no surprise here, but is my pi-hole blocking this crap?

------
rb666
Kodi > SmartTV

------
dngray
[https://archive.is/jOJ3R](https://archive.is/jOJ3R) link to archived version
of article. FT usually hides things behind a metered paywall.

------
woopdedoo
time to get a dreambox with a keylist

------
etxm
Great!

------
metafunctor
Do these TVs have different default settings for the EU market (GDPR)? If not,
this seems like a great way to get slapped with handsome fines for GDPR
noncompliance...

------
throwaway122378
Can we break up Facebook and put their executives on trial already?

