LG Smart TV Caught Collecting Data from USB Drives

rhoenix
The Artist formerly known as Rhoenix

#1 LG Smart TV Caught Collecting Data from USB Drives

Post by rhoenix »

techdirt.com wrote:The growing presence of "smart" devices, each one requiring a connection to the outside world, is a bit alarming (Samsung TV zero day exploit, anyone?). The territory still remains largely uncharted and device manufacturers are still pretty much free to decide just how much data these devices will cough up when phoning home.

A blogger (and developer and Linux enthusiast) going by the name of DoctorBeet noticed his newly-purchased LG Smart TV was displaying ads on the "home" screen. He dug around and found more info on an LG corporate page that described the process in cheery let's-sell-some-ads tones.
LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
The endearingly sexist sales pitch attempting to sell other pitchmen on LG's "smart" ad platform/TV makes it pretty clear that LG's TV is very interested in any "interactions" you have with your device.

What the sales pitch failed to make clear is that LG will be grabbing this behavioral data no matter what.
In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does...

At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.
Not only was LG sucking up viewer data, it was sending the data on each interaction completely unencrypted. This isn't necessarily a huge problem if the data collection was limited to the channel watched and for what length of time. But as the increasingly creepy sales pitch above points out, LG also wants "search keywords" and a potentially unlimited amount of "other information."

At this point, LG already has a bit of a privacy problem. Sending data on channel selection is one thing. Collecting and sending unencrypted web data like search terms is quite another. And it gets even worse.
It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers and that these filenames were ones stored on my external USB hard drive.
DoctorBeet tested his hunch by mocking up an .avi file that would be immediately distinguishable from any other "normal" traffic. Plugging in a USB stick with the bait (Midget_Porn_2013.avi) into his TV, DoctorBeet soon saw data on his faux porn headed to LG's servers in unencrypted plain text. DoctorBeet (and his shocked wife) also watched his children's names being harvested from the file name of a Christmas video located on another connected drive.


The implications of this data collection are huge. As DoctorBeet points out, it's simply an invasion of privacy at best. Who knows what ads LG might serve when faced with a hard drive full of porn? Who knows what it might do if it goes trolling through media files at the behest of publishers, studios and labels? It's not tough to imagine a scenario where "connected" files become bricked because of a perceived lack of license. As we've seen before, companies are seeking to patent methods of utilizing connected devices (like the now-mandatory Xbox "camera") to determine who's enjoying what content for ad-serving purposes/licensing fee extraction.

If nothing else, a "smart" TV shouldn't be gathering, much less sending, file data back home from customers' non-LG devices. The fact that LG does this in unencrypted form is also troubling. The fact that LG does this even when you specifically tell it not to is the sort of thing that becomes the basis for a class action lawsuit.

LG's pass-the-buck response to DoctorBeet's complaints makes everything so much worse.
Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom

LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com

In other words:
"Sorry" if you misunderstood the Terms and Conditions you were compelled to accept if you wanted to use your new purchase. "Sorry" these same terms and conditions nullified your preferences on sending data without your permission. Oh, and by the way, not our fault -- the helpful people with the name tags at your local electronics store should have been intimately familiar with the Terms and Conditions of our entire product line and ensured that potential customers knew they were purchasing a SPY TV rather than a SMART TV.

If you have any other questions about our intrusive data collections, please don't hesitate to fuck off and die.
LG's representation may not care (at the moment) whether DoctorBeet feels LG's watching him more than he's watching its TV, but as this story continues to spread across the internet, I would imagine its tune will change. And when that changes, hopefully it will alter the Terms and Conditions as well.

People don't implicitly surrender their privacy when they attach a "smart" device to the internet. There are responsible ways to collect data and responsible ways to protect this data and, from what's being shown here, LG is doing neither.

This is indeed an issue, but something tells me this won't be an isolated incident. Considering that this guy had to use a traffic analyzer to see it, my personal (and as of yet unfounded) suspicion is that this is being tried by more than just LG.

In short - be wary when purchasing a new TV.
"Before you diagnose yourself with depression or low self-esteem, make sure that you are not, in fact, just surrounded by assholes."

- William Gibson


Josh wrote:What? There's nothing weird about having a pet housefly. He smuggles cigarettes for me.
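
The test described in the quoted article (plant a distinctively named file on a USB drive, then look for that name in outbound plaintext traffic) can be automated against a capture. This is an added example, not part of the original posts or the article; the canary names, hosts, parameter names and capture records are constructed placeholders.

```python
from urllib.parse import unquote_plus

# Constructed canary names, unlikely to occur in normal traffic.
CANARIES = ["canary_7f3a_holiday.avi", "canary 91bc notes.mp4"]

# Constructed sample: plaintext HTTP requests reassembled from a capture,
# each tagged with the opt-out setting in force when it was recorded.
# Hosts and parameter names are placeholders, not values from the article.
CAPTURE = [
    {"setting": "On", "host": "collector.example",
     "raw": "POST /log HTTP/1.1\r\nHost: collector.example\r\n\r\n"
            "evt=usb&name=canary_7f3a_holiday.avi"},
    {"setting": "Off", "host": "collector.example",
     "raw": "POST /log HTTP/1.1\r\nHost: collector.example\r\n\r\n"
            "evt=usb&name=canary+91bc+notes.mp4"},
    {"setting": "Off", "host": "collector.example",
     "raw": "POST /log HTTP/1.1\r\nHost: collector.example\r\n\r\n"
            "evt=usb&name=CANARY%5F7F3A%5FHOLIDAY.AVI"},
    {"setting": "Off", "host": "ntp.example",
     "raw": "GET /time HTTP/1.1\r\nHost: ntp.example\r\n\r\n"},
]


def find_leaks(capture, canaries):
    """Return (setting, host, canary) for every request carrying a canary name."""
    hits = []
    for req in capture:
        raw = req["raw"].lower()
        decoded = unquote_plus(raw)  # undo %xx and '+' form encoding
        for name in canaries:
            needle = name.lower()
            if needle in raw or needle in decoded:
                hits.append((req["setting"], req["host"], name))
    return hits


def leaks_despite_opt_out(hits):
    """Canary names that left the device while collection was set to Off."""
    return sorted({name for setting, _, name in hits if setting == "Off"})


if __name__ == "__main__":
    for hit in find_leaks(CAPTURE, CANARIES):
        print(hit)
```

Matching on both the raw and the URL-decoded payload matters because a filename with spaces or punctuation will not appear literally in a form-encoded body.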
B4UTRUST
Dance Puppets Dance

#2 Re: LG Smart TV Caught Collecting Data from USB Drives

Post by B4UTRUST »

Well, as this board's LG rep, I have to say I'm both surprised and not surprised at the same time.

I'm surprised because this is honestly the first I'm hearing that we're doing this on our TVs. I've never seen anything in our back end engineering system to even suggest this feature. Our tech remote lets me access engineering sub menus that let me see pretty much every bit of data going in and out. Or so I thought. Apparently even to the techs this was hidden. Which will make my life fun when some customers start questioning me about it.

And I'm not surprised in the slightest because, well, it's LG Electronics. This is pretty much the type of shit I would suspect them of doing anyway. I know we can and do store user information in most of our appliances now and have the capability of analyzing that data in the field and over the phone if needed. Ostensibly it's supposed to be used for diagnostics and tech support capabilities (what error codes you've gotten, when, what was going on, etc). It does store cycle information, usage data, etc as well for review. Except for our microwaves and air conditioners I think all of LG's appliances come with this 'Smart Diagnosis' feature. Now I'm wondering what else we're keeping track of in some of this stuff.
Saint Annihilus - Patron Saint of Dealing with Stupid Customers