• United States



LG Smart TV spying, owner claims his USB filenames posted on LG servers

Nov 19, 20135 mins
Data and Information SecurityDLP SoftwareMicrosoft

A new LG Smart TV owner claimed that LG collects info from connected devices, like USBs, and uploads it to LG servers, even when collection of info is turned off; LG claims it's part of the Terms and Conditions.

If you pay attention to surveillance over smart TVs, then you’ve heard a lot about Samsung Smart TV spying; but now LG Smart TVs are in the crosshairs thanks to one owner who discovered LG is purportedly uploading his personal filenames from a USB drive to LG servers.

RELATED: 12 creepy new robots that could take over the world

After viewing ads on the LG Smart landing screen, DoctorBeet did some digging and found a “creepy corporate video” for LG Smart Ads, which claims to have an “intelligent platform” that analyzes users’ favorite programs, search keywords and online behavior to best serve targeted ads; successful ads on LG Smart TV home page have been “proven by customer eye tracking tests.”

He found a “Collection of watching info” option in the settings. Collection is on by default, but even after turning collection “off” and running traffic analysis, DoctorBeet discovered, “It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.”

According to DoctorBeet:

This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.ones stored on my external USB hard drive. To demonstrate this, I created a mock avi file and copied it to a USB stick.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG’s servers and that these filenames were

He named it “midget porn” so the filename would be easier to spot and spot it he did. Furthermore, he said, “My wife was shocked to see our children’s names being transmitted in the name of a Christmas video file that we had watched from USB.”

DoctorBeet wrote LG UK about the data collection, but LG passed it off as accepted in LG’s Terms and Conditions, something that Samsung previously did. Samsung’s 2012 LED HDTVs reportedly had a “built-in, internally wired HD camera, twin microphones, face tracking and speech recognition.” Samsung responded to TV spying allegations of “facial recognition software, active camera watching, and microphones listening” by stating, “it reserves ‘the right to share all Personal Data and non-Personal Data with’ all app partners who will use it as they see fit’.”

LG’s response to DoctorBeet, in part, states:

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

I reached out to LG Smart Ads with privacy-invasion questions of my own, but instead of answering any specific question, LG AD Lounge only said, “Dear Ms Smith, We always value your opinions.” At least they didn’t try to give a quote about respecting or caring about users’ privacy. That’s a bit of a pet peeve of mine when companies do that. Do not hand customers a bucket of perfumed manure and expect us to accept it as anything other than a pile of crap.

The security firm ReVuln previously found a zero day hole in Samsung Smart TVs that “could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV.” Although this is not an attacker, but a corporation, after asking about it, ReVuln replied:

Smart TVs are posing many risks for the privacy of the users and this situation is currently common to most of the brands. What may seem an useful feature like downloading content, apps and information can be used as a strategy to collect some of our information and habits for specific advertising.

I also reached out to iSec Partners due to Aaron Grattafiori and Josh Yavor’s “The Outer Limits: Hacking the Samsung Smart TV” presentation at Black Hat. There was no response before publishing.

Korea University security researcher SeungJin Lee warned that if you own a Smart TV, “Do not allow your TV to see your bed.” He gave a similar warning during his Black Hat presentation, that Smart TVs are the ‘perfect target’ for spying on you. Lee was still able to spy on people, via their Smart TVs when the TV is “turned off.”

Regarding data collection and LG Smart TVs, this may possibly be illegal in the UK thanks to EU privacy and data laws. And for the U.S.? “That has class action lawsuit written all over it,” Hillkiwi commented on the subreddit privacy. “Just wait until their server is hacked and we get the titles of the porn our politicians and celebrities watch. Also wait until the MPAA get a whiff of this and uses it to prove people watched pirated videos based on their names.”

Like this? Here’s more posts:

  • Hollywood’s anti-piracy propaganda turned into K-12 curriculum in California
  • How Microsoft invented, or invisibly runs, almost everything
  • Microsoft cybersecurity report warns users about the evils of clinging to XP
  • IE zero-day attack delivers malware into memory then poofs on reboot
  • CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service
  • That’s no poltergeist invading your privacy: Spooky spying hacks make homes seem haunted
  • Porn-surfing corporate bosses infect networks, then keep data breaches a secret
  • Microsoft warns of zero-day attack, graphics vulnerability exploited through Word
  • Captain Justice: Epic legal trolling reply to govt’s motion to ban the word ‘government’
  • Battling against zero-day exploit black market, Microsoft expands $100,000 bug bounty
  • 2013 top words, phrases & names include ‘drones’, ‘surveillance’, ‘NSA’, ‘fail’, ‘404’

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.