Why are current smart TVs still dumb enough to be hacked?

“Scanning your computer for malware viruses is important to keep it running smoothly. This also is true for your QLED TV if it’s connected to Wi-Fi!”

On June 17, this seemingly helpful tip shared by Samsung’s USA support account on Twitter touched off a massive reaction among the tech press and consumers alike: Virus scans on a TV? Sadly, the threat is very real, and many of us have simply chosen to ignore it. Samsung deleted the tweet hours after it was sent out, but the fact remains: Our smart TVs aren’t doing enough to protect us from potentially malicious attacks that could compromise our security and plunder our personal data. Here’s what you need to know to keep yourself as safe as possible.

Can smart TVs be hacked into?

In short, yes. The fact is that any device that is connected to the internet, or even just to your home router over Wi-Fi, is at risk of being accessed by an intruder. We tend to forget that smart TVs are actually powerful computers packing more capable processors than the ones smartphones had five years ago.


That power, which is key to delivering the incredible audio, video, and streaming content we’ve become accustomed to, is also what makes these devices an ideal target for hackers. Once they have access to them, smart TVs can become a launchpad for spreading viruses to the rest of your network and potentially compromising the information on computers, smartphones, tablets, etc. At the moment, the ability to reach out to other devices from a TV is merely a byproduct of how all connected devices in your home share a common network, but Samsung’s planned Remote Access feature is actually designed to let you control a smartphone or a computer from your smart TV, which would create an even more tempting treasure box for digital thieves.

Is my TV at risk of being hacked?

If you’ve purchased a new TV at any point in the last three to four years, you probably own a smart TV. In Consumer Reports’ current TV ratings, of the 225 TVs with a screen size of 39 inches or larger, only 10 models aren’t smart TVs. If your TV is a smart TV, and you’ve connected it to your home router via Wi-Fi or Ethernet (and thus the internet), your TV is at risk. Shockingly, one recent proof of concept revealed that some smart TVs can be hacked even if they have no internet access at all.

How can we reduce the risk?

Smart TVs, like all internet-connected devices, run on software. It’s rare that a company will have discovered all of the possible security vulnerabilities in that software when a product goes on sale, so software updates are the standard way of patching these weaknesses as they’re discovered.


“People should expect that the product they buy will be updated,” said Justin Brookman, director of privacy and technology policy at Consumer Reports. But software updates are problematic. Staying on top of these updates costs manufacturers money that must be spent long after the product in question has been sold, eating away at profits. A company with a broad range of connected devices, each with its own slightly different version of that software, has even greater costs than those with a relatively homogenous product line. The result: Unlike the operating system for your laptop, your smart TV may only get one or two updates over its lifetime, if any, which over the course of a 10- to 15-year life span is insufficient.

Then there’s the question of update installation. Computer users have rightfully insisted that they be able to choose whether or not to install a software update. An update that causes incompatibility issues with installed third-party software could be disastrous. Unfortunately, this cautious, user-driven approach to updates has carried over into the world of connected devices like smart TVs. But people just don’t think about their TVs as something that needs to be updated, so those updates don’t always happen.

Some manufacturers offer the option to enable automatic updates.

“When it comes to smart TVs,” said Casey Ellis, a cybersecurity expert, and founder of Bugcrowd, “these sorts of processes need to be transparent to the user. You can’t assume that my grandma is going to understand that there’s a threat.”

Brookman agrees. “Updates should really be done automatically, without the need for human intervention,” he said, pointing out that the same should be true of virus scans if a TV is equipped with such a tool, as is the case with Samsung Tizen-based smart TVs. Some TVs install updates automatically by default, but even Sony recommends that you check periodically to make sure you’re running the latest version of its software — just in case it discovers another bug that could let an outsider gain complete control over your TV.

What’s the worst that could happen?

In 2013, when we reported on a series of potential exploits, from making laser printers overheat to spoiling all the food in a connected refrigerator, personal computers and smartphones were still the most “personal” devices in our homes. One year later, Amazon’s Alexa burst onto the scene, heralding a new era where digital assistants could exert tremendous control over our technology and our data. Smart TVs are now the latest devices to feature Alexa and Google Assistant built-in, with TV manufacturers starting to position the TV as a potential control center for your entire home. No longer a mere jumping-off point, TVs could become the main focus for hackers.


Now it’s true that there have been very few reported incidents of people’s TVs being hacked. Most of the stories you’ll find are all about weaknesses that researchers have discovered that could theoretically be used as a way to break into your devices. But keep in mind, many of the biggest data thefts at organizations like Sony, Starwood Hotels, and Yahoo were all discovered after the fact. In the most egregious cases, hackers had access to these groups for years before they were finally caught. Just because we haven’t learned of any serious intrusions into smart TVs doesn’t mean they haven’t happened.

In 2017, Wikileaks revealed that the CIA had developed software under the code name “Weeping Angel,” which was designed to make specific models of Samsung smart TVs appear to be fully asleep, while the built-in webcam and mic were kept on and used to record anything that happened in the room. The vulnerabilities that were exploited by Weeping Angel have since been patched, but it’s a stark reminder of how valuable our smart TVs are to those who would do us harm.

What are manufacturers doing to stop hackers?

We posed this question to representatives of several major manufacturers including Sony, Samsung, LG, Vizio, Roku, Apple, and Amazon. We also asked how each company communicates with its users in the event of serious security threats or concerns. What we got was a highly varied set of responses, which show that the smart TV industry still has a long way to go in terms of standardizing its approach to these issues.

Sony: Sony, which uses Google’s Android TV software for all of its current smart TVs, relies heavily on Google’s Play Store to provide protection from malware by scanning apps both before and after they’re installed on the TVs. For users who choose to load apps via USB, Sony provides security software known as “ESET,” which can be downloaded for free. Curiously, when asked about Sony’s non-Android TV products, the response was, “with regard to TVs that are not Android, the TV does not have the capability to install apps.” While this may be true, installing a malicious app is not the only way a smart TV can be compromised. Sony updates its support website with relevant issues and does not notify its customers directly.

Amazon: Amazon told us that it provides automatic security updates to customers who use the Fire TV platform. These don’t require any user action to be installed. It did not offer any details about how or if it informs customers about security concerns.

Apple: Apple told us that its Apple TV 4K, Apple TV HD, and 3rd-gen Apple TVs all receive regular software updates, though these are not automatically installed unless you select automatic updates from their respective settings menus. Apple’s security protocols extend to the App Store too, and each app is verified by Apple before it is made available for download.

LG: Declined our request

Vizio: Declined our request

Samsung: Samsung only commented on how it handles user privacy.

Unfortunately, not all smart TV makers are as diligent as these brands when it comes to software updates. “The really cheap vendors do tend to have a worse track record when it comes to identifying exploitable issues on their systems,” Ellis said.

So what happens when the maker of your smart TV or set-top box doesn’t patch its product to deal with a potential threat? “At present, there are no laws that hold a smart TV manufacturer liable for invasions of privacy due to malware,” said David Reischer, an attorney and the CEO of LegalAdvice.com, which means a lawsuit would be your only recourse — and it would be far from a slam dunk. “Any lawyer can bring a class-action lawsuit for a manufacturer failing to protect consumers against a known security vulnerability. The issue of proving damages may, however, be difficult.”

Samsung detailed their “Three Stage Model Security Solution” in a 2017 press release.

Over time, it may get easier to identify the brands that do the most to protect consumers. The Digital Standard is a new, open-source initiative backed by Consumer Reports that seeks to create an independent rating system that can be applied to consumer software, digital platforms and services, and Internet-connected products.

What should I be doing to keep my smart TV from being hacked?

The simplest way to keep yourself safe may require giving up a few of the bells and whistles of your shiny new TV. “Does your TV need to be connected to the Internet?” asked Ellis. “When you switch one of these things on, it encourages you to do that, and you’re probably going to do what it says.” Ellis encourages people to think hard about that choice: “What benefit do I get from that? Is this something I really need? Does this introduce risk into my home?”

If you decide that the rewards of being connected to the internet outweigh the risks, staying on top of software updates — as annoying as it may be — is your best bet in terms of keeping your smart TV as secure as possible. If your TV doesn’t get many updates, or worse, if it’s never received an update that you’re aware of, you might want to consider outsourcing its “smart” features to a more trustworthy device — preferably one that has an approach to security that you understand.

Despite the negative reaction toward Samsung’s awkward virus scan tweet, Ellis thinks the company deserves credit for raising awareness of the reality surrounding smart TVs. “It’s almost admirable,” he said, “because they know that there’s a threat that exists within a person’s home and they’re trying to enable users to do something about reducing that risk.”

What about my privacy?

Those seeking access to your devices are by far the biggest threat, but they aren’t the only area of concern when it comes to smart TVs and set-top boxes. Your personal data, like the shows and movies you watch, is a potential treasure trove for manufacturers, or anyone else who can collect it. In 2016, Vizio became the target of a Federal Trade Commission (FTC) investigation over its alleged collection of this data, which was reportedly happening without its customers’ awareness or consent and was then sold to advertisers. In California, a class-action lawsuit was launched against the company over the same practices. The resulting proposed settlement not only included a financial penalty but also forced Vizio to delete all collected data and give users a clear way to opt out of such collection in the future.


That tendency — to minimize or obscure how a TV collects your personal data — prompted two senators in 2018 to call for an investigation by the FTC into these practices. The senators referenced the Vizio case in their letter to the FTC, but it was a New York Times article about Samba, a company that uses third-party software on several smart TV platforms to collect viewer data, that caught their attention. “Regrettably,” the senators wrote, “smart-TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits.”

These cases highlight just how much smart TVs have changed the relationship between TV viewers and companies that seek to track their behavior. We asked the same manufacturers above about their data-collection activities, but their responses once again varied considerably.

Samsung told us that “before collecting any information from consumers, we always ask for their consent, and we make every effort to ensure that data is handled with the utmost care.” The company did not provide examples of how this consent is requested, but requiring users to agree to a privacy policy is a common method for doing so.

Sony told us that when users choose to use third-party apps on its smart TVs, Sony doesn’t collect that data (if any) for itself. It also confirmed that its own apps’ data-collection activities are covered by the respective privacy policies for each app, and for its TVs.

Amazon appears to give its users a good amount of control over their data, with new privacy settings that let users opt out of four areas of data collection: personalized ads, app-based data, device-usage data, and data monitoring.


In other words, regardless of which smart TV or set-top box you own, you will need to read the fine print very carefully to know what personal data you are agreeing to share, and explore the settings menus to see what your opt-out options are. “There have been efforts among privacy rights groups to standardize notice and consent data-sharing opt-in default settings,” Reischer said, “but as of yet, there is no standard default setting for consumers to consent (or not) to data sharing among smart TV manufacturers.”

Trouble is, it can be difficult, or even impossible, to prevent this data collection entirely. Heading into your TV’s settings will reveal ways to opt out of these programs, but sometimes doing so will disable certain features like curated TV show and movie recommendations, or even entire services. LG’s Channel Plus and Live Plus features, which give you access to free streaming content, require that data collection be allowed. If you withdraw permission, these apps will be disabled.

It’s still the Wild West

If you’ve now reached the conclusion that there are no standards in place around either smart TV security or data collection, you’re right. It’s very much the Wild West out there, which means you’re going to have to be your own best resource when it comes to safeguarding your data. The most important thing is to realize that a smart TV — or a set-top box — is a full-fledged internet-connected computer and as such, it’s potentially vulnerable to the same security exploits as your laptop or desktop.

Disconnecting it entirely from the internet remains one of the few things you can do to prevent hackers from accessing it, though this is obviously the thermonuclear option. Staying on top of software updates — ideally by turning on automatic updates if your device has such a setting — is the biggest step you can take if you still want to enjoy your TV’s “smart” features.

Always read the terms and conditions you are agreeing to when using a smart TV or any of its included apps or services. In many cases, these terms include language that provides manufacturers with your data-collection consent, even if they haven’t asked for that consent clearly and specifically on its own.
