Samsung’s Smart TVs are not only listening to what their users say, they are uploading the words to the Internet in an unencrypted form, granting hackers access to customers’ activities, a security expert has found.
After testing Samsung’s UE46ES8000 model from 2012 — which is still available to buy — U.K. security expert David Lodge of Pen Test Partners discovered the device was uploading unencrypted audio files of his voice commands to third-party service provider Nuance Communications.
Nuance, the voice recognition specialist Samsung uses to enable its Voice Recognition system to work on its Smart TVs, was also receiving unencrypted information about the TV, such as its media access control (MAC) address, which can be used to identify the user’s location.
“The potential for a rogue firmware update enabling ‘snooping’ is significant,” Lodge wrote in a blog post. “There’s plenty to suggest that interesting data is making its way on to the interwebs from your TV. Come on Samsung, how about at least protecting it with SSL?”
Samsung denied that its TVs were eavesdropping on customers, saying that voice recognition functions are only transmitted when the user makes a specific search request to the Smart TV by clicking the activation button, either on the remote control or on the screen, and speaking into the microphone on the remote control.
While Lodge confirms the TVs only listen to users after they have activated voice recognition and given the device commands, he said the capability for eavesdropping is there.
“So. Does it listen to you?” he wrote. “The answer, I can say in my brief period of messing around is, not unless you ask it to. This doesn’t mean it can’t and doesn’t mean that it won’t on the next firmware update, just at the moment it only listens to audio when you say ‘Hi TV’.”