Vizio smart TV ignored users’ privacy decisions and opened up attack vector
Thu 12 Nov 2015
Whilst investigating whether it’s possible to gain access to a standard user’s home network and usage data by hacking a smart TV, researchers from security company Avast found that not only was it possible, but also that the Vizio smart television that they were observing was actually broadcasting user activity to a third party – without concern for whether the user agreed to privacy policies upon set-up of the device.
The controversy with this new feature, called ‘Smart Interactivity’, is that it is automatically enabled upon setup of each new Vizio Smart TV, with users needing to manually opt out of the service. The Avast team found that Smart Interactivity actually set up a potential attack vector into home and office networks that share IP addresses with the device.
Vizio goes on to declare that it will combine viewing data with demographic information obtained from third parties to ‘enhance’ viewing data, which is then shared with media and data analytics companies.
The Avast team found that the Vizio smart TV has an HTTPS connection to tvinteractive.tv, a domain belonging to Cognitive Networks, acquired by Vizio and rebranded as Inscape. Cognitive Networks provides a service that relays user access fingerprints to content providers or advertisers, who then return a link to display on screen. While the information that was relayed to tvinteractive.tv was encrypted, the team at Avast was able to intercept it by simulating a man-in-the-middle (MITM) attack.
By changing the protocol from HTTPS to HTTP, the researchers were able to watch the output being transmitted. In doing so, they verified that the Vizio smart TV was indeed forwarding information on what was displayed on the TV and receiving information back from Cognitive Networks.
As if forwarding information on what you’re watching to a third party (again, without regard to any agreement to terms of service) wasn’t bad enough, the team also determined that this constituted a potential attack vector into the home network through the Smart TV. The TV in question had a default setting that accessed a control server without verifying its authenticity, allowing an attacker to gain access without opening any incoming ports.
Avast did note, however, that ‘Vizio successfully resolved these issues upon being notified of our findings.’ Good news, surely; but up until notification of those findings, user privacy was compromised, and networks were vulnerable to outside influence. If you currently use a Vizio Smart TV, you can turn off Smart Interactivity through User Controls.