How Samsung's Smart TVs spy on their customers

After the news that Samsung's Smart TVs monitor users through voice recognition and send that information to third parties, the company said that it takes protecting user data seriously, follows best practices, and would never share any data with third parties that are not trusted. The latest research on the matter shows that Samsung TVs don't just send what users say: the information is transmitted unsecured, in unencrypted plain text, without even using secure Hypertext Transfer Protocol (HTTPS).

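Security researchers say that the TVs exchange information with the server over port 443, which is left open by default on the majority of today's routers, using a mix of XML and binary data packets. Port 443 is the port conventionally used for HTTPS, but the port number alone does not mean the traffic on it is encrypted.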

The messages are pretty easy to read. As an example, the TV can report that it heard "Samsung", "Samson" or "Samsong". It also gives some degree of "confidence", but it's not clear whether the figures are percentages or some other data format. If they are confidence figures, it could mean that the device was basically certain it heard "Samsung", but it might have been "Samson" or "Samsong".
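An added example (not from the original article or the researchers): a check a network defender could run over the first client bytes of each captured flow to flag traffic that uses port 443 without opening with a TLS handshake, the situation described above. It covers any non-TLS payload, not only XML; the flow tuples, addresses and XML element names are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

def looks_like_tls(first_bytes: bytes) -> bool:
    """True if the stream opens with a plausible TLS ClientHello record."""
    if len(first_bytes) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= 16384 and first_bytes[5] == CLIENT_HELLO)

def classify(first_bytes: bytes) -> str:
    """Label the first client bytes of a flow."""
    if looks_like_tls(first_bytes):
        return "tls"
    # XML markers may follow a short binary header, so search rather than match at 0.
    if b"<?xml" in first_bytes or b"</" in first_bytes:
        return "cleartext-xml"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in first_bytes)
    if first_bytes and printable / len(first_bytes) > 0.8:
        return "cleartext-text"
    return "unknown-binary"

def audit(flows):
    """Return (source, label) for every port-443 flow that does not start with TLS."""
    findings = []
    for src, dport, data in flows:
        label = classify(data)
        if dport == 443 and label != "tls":
            findings.append((src, label))
    return findings

# Constructed sample flows: (source address, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    ("192.0.2.20", 443, b"\x00\x00\x01\x2a<?xml version=\"1.0\"?>"
                        b"<result><word conf=\"0.9\">Samsung</word></result>"),
    ("192.0.2.20", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.30", 443, b"\x8f\x02\xff\x00\x10\x9c\xe1\x7f"),
]

if __name__ == "__main__":
    for src, label in audit(SAMPLE_FLOWS):
        print(f"{src}: port 443 without TLS handshake ({label})")
```

The check only inspects the start of the client side of a flow, so it needs captures that include the first data segment after the TCP handshake.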

During the research, the specialists noted that the company's network may have leaked one of its own IP addresses. They also found that there is potential for a hacked firmware update that could capture and transmit more data.

How much will this corporate misconduct cost?

The only good news from the research analysis is that the Samsung Smart TV listens to what users are saying only after they tell it to do so. The standard command to activate this function is "Hi TV!". This is a good thing, but there is always the possibility that a hack by a third party could modify the TV firmware to listen and transmit much more data.

This case exposed a problem that is wider in the computer industry. Samsung stated that it takes user privacy very seriously and uses industry-standard security practices. The analysis revealed that this is completely untrue. The Korean manufacturer does not apply industry-standard best practices. It does not transmit data over HTTPS, and the voice commands are sent unencrypted in plain text. The company has been shipping security-flawed devices for months while using connectivity as a major selling point. There has been great discontent over the years regarding how little thought users give to their personal security and privacy. Corporations are continuously seeking new ways to siphon information, are deceitful about their security practices and basically face no consequences. Even so, it is hard to convince people that securing their own data is critically important. The problem is not that an unfortunate Samsung employee said the wrong thing, but that big companies have nearly no reason to actually protect consumers' data.

When Microsoft decided to focus on security, the company made a huge step. It spent millions on operating system development, only to delay the OS launch cycle in order to fix Windows XP. The result was a very slow series of updates. Today there are many debates over which is the "most" secure operating system, but there is no arguing that Microsoft succeeded in effectively improving its OS security by making a long-term commitment.

Unless Samsung and other vendors make the same commitment to providing secure devices, such problems are very likely to recur.