X

Consumer Reports finds Samsung, Roku TVs vulnerable to hacking

Certain smart TVs not only raise privacy concerns but can be controlled by hackers exploiting easy-to-find security flaws, according to the publication.

David Carnoy Executive Editor / Reviews
Executive Editor David Carnoy has been a leading member of CNET's Reviews team since 2000. He covers the gamut of gadgets and is a notable reviewer of mobile accessories and portable audio products, including headphones and speakers. He's also an e-reader and e-publishing expert as well as the author of the novels Knife Music, The Big Exit and Lucidity. All the titles are available as Kindle, iBooks, Nook e-books and audiobooks.
Expertise Mobile accessories and portable audio, including headphones, earbuds and speakers Credentials
  • Maggie Award for Best Regularly Featured Web Column/Consumer
David Carnoy
2 min read
tcl-s405-series-26
Enlarge Image
tcl-s405-series-26

TCL's Roku TVs were among the models highlighted in the report.

Sarah Tew/CNET

We've written in the past about how your TV is probably tracking you, and now Consumer Reports, as part of a broad privacy and security evaluation, has has found that millions of smart TVs are vulnerable to hackers and "raise privacy concerns by collecting very detailed information on their users."

According to the report, the problems affect Samsung televisions, plus models made by TCL and "other brands that use the Roku TV smart TV platform, as well as Roku's popular streaming devices."

"We found that a relatively unsophisticated hacker could change channels, play offensive content or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening," Consumer Reports said. "This could be done over the web, from thousands of miles away."

The good news is these TVs' security vulnerabilities apparently won't allow hackers to spy on you or steal your information, according to Consumer Reports.

The report singled out Samsung, TCL and other Roku TVs as being vulnerable, but smart TVs from LG , Sony and Vizio were also evaluated. While they were cleared from a security standpoint, the testing found "that all these TVs raised privacy concerns by collecting very detailed information on their users."

As CNET's David Katzmaier wrote last year, Vizio was slapped with a $2.2 million fine by the FTC for failing to properly disclose how it shares its tracking information, and in previous years Samsung and LG have both faced similar scrutiny. Streamers from Roku, Apple , Amazon and Google haven't yet made any major privacy missteps, but their policies are generally less intrusive than those of TVs.

Samsung told Consumer Reports it would update its API "as soon as technically feasible." In a rebuttal to the report, Roku said Consumer Reports got it wrong and that its users face no security risks.

"Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products," Gary Ellison, vice president of trust engineering at Roku, wrote in a blog post. "This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers' accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings > System > Advanced System Settings > External Control > Disabled."

Consumer Reports noted that consumers can limit the data collection from their TVs, "but they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for."

Update, 10.32 a.m. ET: Added statement from Roku.

Read more: Your TV is probably tracking you and how to stop it