Home > Computing > Who’s watching what you’re watching?…

Who’s watching what you’re watching? Avast finds vulnerabilities in Vizio smart TVs

avast finds potential vulnerabilities in vizio smart tvs reference series event
Jeffrey Van Camp/Digital Trends

Security researchers at Avast have demonstrated a number of vulnerabilities and potential attacks against Vizio smart TVs, including intercepting data that displays a person’s viewing habits.

Under the wide umbrella of the Internet of things and smart homes, Avast began to pull apart the security of a Vizio smart TV and found that it was susceptible to man-in-the-middle attacks due to HTTPS certificates that were not being validated.

Avast discovered that the TV was constantly accessing tvinteractive.tv, a website run by a company called Cognitive Networks. The service appears to gather a timestamp that reports what someone is watching and when, and then sends that info to the content provider or advertisers. Avast even discovered that the TV would accept a forged certificate when connecting to the site as it does not fully validate the HTTPS certificate. Instead it just validates the checksum at the end of the data being transferred.

Essentially, the HTTPS certificate is what makes a connection secure, validating the information and telling the sender what a site actually is. Without it, a hacker could potentially steal the information. Carrying out a man-in-the-middle attack in which it impersonated the tvinteractive.tv with forged HTTPS credentials, Avast was able to crack the data that was being sent and view it.


Related: Vizio’s flagship Reference Series are the ultra-yachts of 4K TVs, and you can buy them now

“This data is the fingerprint of what you’re watching being sent through the Internet to Cognitive Networks. This data is sent regardless of whether you agree to the privacy policy and terms of service when first configuring the TV,” said the researchers.

The data is more like a snapshot of pixels rather than a clear view of what you are watching. Here’s an example from Avast. Vizio has a way of deactivating this tracking through the following commands: Menu -> Reset & Admin -> Smart Interactivity -> OFF.

Avast has dubbed its discovery as a possible attack vector into a person’s home network. It’s just the latest evidence that shows how a smart TV can make your local network vulnerable, and Avast claims that it could be a possible means to display content remotely on someone else’s TV.

“Further investigation is needed to demonstrate a proof of concept; however, this appears to be a potential attack vector for remotely displaying unwanted material on a person’s TV,” said Avast.

Vizio has patched these vulnerabilities and says the update will install automatically, but there is still no report on whether this update has been successfully delivered to all TV owners yet.