Samsung smartTVs don’t encrypt voice and text data

Samsung smartTV send unencrypted voice recognition data and text information across the Internet without encrypt it, allowing hackers to capture them.

A few days ago I was one of the first to publish the news about the Samsung privacy policy that reports smartTV are sending user voice data to third parties.

“Samsung SmartTV transmits data to a third party, be aware that if your spoken words include personal or other sensitive information.” I wrote in my previous post.

Another discovery is concerning the owner of Samsung smartTVs, the devices, in fact, send users’ voice searches and data over the internet unencrypted, this means that a bad actor could snoop it. The Samsung SmartTV also sends other information about the TV and user without encryption.

In response to the numerous request for information on the privacy policy, Samsung replied that it adopts “industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorised collection or use,” but this last discovery seems to contradict it.

When a user sends a vocal command to make a search on the Internet using the Samsung smartTV, the audio is sent across the internet to a voice recognition service that interprets the speech and return the results via the TV display. Samsung uses the voice recognition system developed by the company Nuance to interpret voice command sent by the users.

A security researcher discovered that, both the audio command and the text results returned aren’t encrypted. As a consequence, an attacker can snoop on user’s voice and intercept text.

The Security researcher David Lodge from Pen Test Partners tested a Samsung UE46ES8000 smartTV and discovered that the results of his voice recognition for the spoken word ‘Samsung’ were sent over the internet in plain text.

“What we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use. After the word buffer_id is a load of binary data, which looks audio-ish.”  wrote Lodge in a blog post. “You can make out that it thinks I’ve said either Samsung, Samson or Samsong” .

A hacker could be able to spy on Samsung SmartTV user by accessing to its Wireless Lan traffic, but the security issues open the doors also to surveillance activities that could be operated by persistent attackers (e.g. Intelligence agencies) that could access user traffic directly from internet service providers or with access to the Internet backbones.

Stay Tuned for further information …

(Security Affairs –  privacy , Samsung SmartTV)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

2 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

8 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

20 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

24 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.