University researchers say that smart TVs are leaking sensitive, private user information to companies including Google, Facebook, and Netflix.
As reported by the Financial Times, smart television sets produced by popular vendors including Samsung, Apple, and LG, alongside content and app streaming devices such as Amazon's FireTV and Roku, are sending out information potentially without the knowledge or consent of users.
Academics from Northeastern University and Imperial College London examined 81 Internet of Things (IoT) devices in the US and UK, including TVs, smart home hubs, and appliances.
In a paper titled, "Information Exposure From Consumer IoT Devices," (.PDF), the team said that 34,586 controlled experiments revealed a total of 71 out of 81 devices send information to destinations other than the device manufacturer; 56 percent of US devices and 83.8 percent of UK products will leak information abroad, and every device involved in the study exposes information via at least one plaintext flow.
User and device behavior, in 30 out of 81 cases, can be "reliably inferred" from eavesdropping whether or not information flows are encrypted. This may include our interactions with television sets and other household IoT products.
Location data and IP addresses were commonly sent by our IoT devices to third-parties including Netflix, Spotify, Microsoft, Akamai, and Google. The vendors mentioned are not a surprise, given that they all utilize or provide cloud technologies -- which are relied upon by connected devices to operate.
When it came to smart TVs, however, almost all of the devices included in the study would contact Netflix -- whether or not a TV was configured with an account for the content streaming service.
"This, at the very least, exposes information to Netflix about the model of [a] TV at a given location," the paper reads.
The data leaks may be a catalyst for further discussion on the privacy aspects of user data generated and stored by IoT products, but the paper did note that encryption is commonly used -- a protective measure against eavesdroppers, but also a barrier to the team decoding exactly what information was being transferred to third-parties.
Facebook told the publication that it was "common" for services with Facebook integrated into them to send data to third-party services. Netflix said that data transfers were "confined to how Netflix performs and appears on screen," and Google said user preferences and consent levels dictate how publishers "may share data with Google's that's similar to data used for ads in apps or on the web."
If you are interested in inspecting the IoT network traffic in your smart home, Princeton University has developed and released an open source tool called IoT Inspector. The software uses ARP spoofing to analyze what IoT devices are connected to the Internet, how much data is exchanged, and how often information is traded.
Exposed RDP servers see 150K brute-force attempts per week: Here's how to protect them
"The acquisition of this sensitive information has continued to raise some pressing questions: how far will it undermine consumer trust in these major technology companies and to what extent is this coming at the expense of consumer privacy?," said David Emm, principal security researcher at Kaspersky. "It is crucial that people are made aware of the repercussions of having connected devices in their home, and have the option as to whether their data is shared or not."
A lack of security standards around our smart devices may not be the only issue IoT product owners have to contend with. Recent reports suggest that Samsung is planning to target ads at smart TV owners based on what they are watching, with tailored marketing reaching the household level in an effort to further monetize the television industry.