Samsung Smart TVs Don’t Encrypt Speech Or Transcriptions Image courtesy of JKehoe_Photos
In their blog post explaining how transcription works, Samsung assured the public that the company “takes consumer privacy very seriously,” and that they use “industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.” Many people understood this to mean that the voice data and transcribed text sent to and from smart TVs is always encrypted, but that doesn’t seem to be the case. Perhaps “we encrypt consumer data” is true, but doesn’t include smart TVs.
We know this because a security researcher in the U.K. spent some time yelling at a Samsung smart television while monitoring the traffic going back and forth from the remote transcription service. David Lodge of Pen Test Partners wanted to check, since the statement from Samsung implied that customer data is encrypted. Here is what he saw being sent to Nuance, that third-party service:
That’s most likely audio data, but the important thing is that information about the device’s MAC address and operating system isn’t concealed in any way. The service sends back what it thinks the speaker said in plain text.
What danger does this pose? As things stand right now, none. The TV only listens when you tell it to, either by saying “Hi TV” or some other preset phrase, or by pressing a button on the remote control. The problem is that it could become a problem if what Lodge calls “rogue firmware” infected the TV, perhaps listening in to your conversations all the time or sending your data somewhere nefarious.
IS YOUR SAMSUNG TV LISTENING TO YOU? [Pen Test Partners]
Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.