The TV that David Lodge tested is a 2.5 year-old UE46ES8000, not the latest model. Samsung is now saying that its latest televisions are encrypted and that it’s just older devices that lack the feature. Exactly what qualifies as an “older” device is unclear — the UE46ES8000 was a high-end device at launch, with a price tag of £1500-2000 (review sites vary on this figure), or $2300-$3000.
When news broke that Samsung’s Smart TVs actively monitor what users say and transmit that information to third parties, the company snapped into action with the usual reassurances that it takes user data seriously, follows best practices, and would never, ever, share information with untrusted third parties or individuals. It’s taken a bit over a week for such reassurances to unravel — new research shows that Samsung TVs don’t just transmit what you say, it sends that information in unencrypted plaintext without even bothering to use HTTPS.
According to security researcher David Lodge, the TV communicates with the server over Port 443 (left open in most routers by default) using what he describes as “a mix of XML and some binary data packet.” The real money shot is what the TV transmits to the server, as shown below:
The code isn’t hard to read. The TV is reporting that it either heard the word “Samsung,” “Samson,” or “Samsong.” It’s not clear if the “confidence” figures are percentages or represent some other data format — if they’re confidence figures, it would mean the TV was virtually certain it heard Samsung, thought it might have heard Samson, and didn’t think Samsong was very likely at all.
Lodge’s research is only just beginning, he notes that Nuance’s network may have leaked one of its own IP addresses, and that there’s definite potential here for a hacked firmware update to capture and transmit more data.
The cost of corporate malfeasance
There was one piece of good news in Lodge’s analysis — the Samsung Smart TV only listens to what you say after you tell it to do so (the default command is “Hi TV!” This is a good thing as far as it goes, though it’s always possible that a third party hack could modify the TV to listen and transmit far more data.
Lodge’s research has exposed a deeper problem in the entire computing industry — one that stretched far beyond Samsung. It was barely a week ago that Samsung told CNET that “Samsung takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.” (Emphasis added).
We now know that’s completely untrue. Samsung doesn’t employ industry standard best practices, it doesn’t even connect via HTTPS for its data transmission. It transmits voice commands in plaintext. It doesn’t matter if this was intended behavior or an unintentional bug; the Korean manufacturer has been shipping devices with a significant security flaw for months while marketing connectivity as a major selling point. A great deal of ink has been spilled over the years bemoaning how little emphasis most users place on their personal privacy and security. It’s hard to convince people that securing their own information is critically important when corporations are actively inventing new ways to siphon information, lie about their own security practices, and face virtually no consequences for doing so.
The problem is not that a hapless Samsung spokesperson told CNET the wrong thing. The problem is that corporations have virtually no incentive to actually, meaningfully protect customer data. When data breaches occur, the cost of those breaches are born by banks and credit card companies, not the likes of Samsung or Target.
There are no easy solutions to these problems. When Bill Gates decided to make security a major focus of future Microsoft development, the words “Windows” and “security” were a contradiction in terms. The company made a huge pivot, poured millions into OS development, and delayed its entire OS launch cycle to fix Windows XP. The result? An achingly slow series of improvements. Arguments over which operating system is “most” secure still rage to this day, but there’s no arguing that Microsoft’s long-term commitment to security dramatically improved the state of its operating systems.
Until Samsung and other IT vendors make similar commitments to securing their devices, problems like this will continue to occur. Absent sustained consumer outcry, it’s an open question whether they’ll ever care enough to bother.
No comments:
Post a Comment