StarDestroyer.Net BBS

Get your fill of sci-fi, science, and mockery of stupid people


It is currently 2014-04-18 07:27pm (All times are UTC - 5 hours [ DST ])


LG Smart TVs Are Full Of Built-In Spyware


Zaune
Posted: 2013-11-20 12:14pm
Blog by someone calling themselves "DoctorBeet", found via Techdirt:

Quote:
Earlier this month I discovered that my new LG Smart TV was displaying ads on the Smart landing screen.

http://i.imgur.com/7KRiiPb.jpg

After some investigation, I found a rather creepy corporate video advertising their data collection practices to potential advertisers. It's quite long but a sample of their claims are as follows:

LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.

http://imgur.com/g6WzfIFh.jpg

At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

Image

Here you can clearly see that a unique device ID is transmitted, along with the Channel name "BBC NEWS" and a unique device ID.
Here is another example of a viewing info packet.

GB.smartshare.lgtvsdp.com POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1
Host: GB.ibis.lgappstv.com
Accept: */*
X-Device-Product:NETCAST 4.0
X-Device-Platform:NC4M
X-Device-Model:HE_DTV_NC4M_AFAAABAA
X-Device-Netcast-Platform-Version:0004.0002.0000
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-ID:2yxQ5kEhf45fjUD35G+E/xdq7xxWE2ghu0j4an9kbGoNcyWaSsoLgyk8JJoMtjRrYRsVS6mHKy/Zdd6nZp+Y+gK6DVqnbQeDqr16YgacdzKU80sCKwOAi1TwIQov/SlB
X-Authentication:YMu3V1dv8m8JD0ghrsmEToxONDI=
cookie:JSESSIONID=3BB87277C55EED9489B6E6B2DEA7C9FD.node_sdpibis10; Path=/
Content-Length: 460
Content-Type: application/x-www-form-urlencoded
&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2
&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287&watch_dvc_logging=0

This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers and that these filenames were ones stored on my external USB hard drive. To demonstrate this, I created a mock avi file and copied it to a USB stick.

This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.

And sure enough, there it was...

Image

Sometimes the names of the contents of an entire folder were posted, other times nothing was sent. I couldn't determine what rules controlled this.

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.

So what does LG have to say about this? I approached them and asked them to comment on data collection, profiling of their customers, collection of usage information and mandatory embedded advertising on products that their customers had paid for. Their response to this was as follows:

Good Morning

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom
LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am - 5pm

I haven't asked them about leaking of USB filenames due to the "deal with it" nature of the above response but I have no real expectation that their response would be any different.

So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.

ad.lgappstv.com
yumenetworks.com
smartclip.net
smartclip.com
llnwd.net
smartshare.lgtvsdp.com
ibis.lgappstv.com

This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.


Bloody hell...
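Added example (not part of the thread or of the quoted blog post): the capture above shows requests going to country-prefixed hosts such as GB.ibis.lgappstv.com, while the block list names ibis.lgappstv.com, so a filter has to match parent domains rather than exact names. The Python below does that and lists the non-empty fields a cleartext watchInformation request carries; the function names and the sample request (with a placeholder device ID) are constructed for illustration.

```python
from urllib.parse import parse_qs

# Domains from the block list in the quoted blog post.
BLOCKLIST = {
    "ad.lgappstv.com", "yumenetworks.com", "smartclip.net", "smartclip.com",
    "llnwd.net", "smartshare.lgtvsdp.com", "ibis.lgappstv.com",
}

def blocked_by(host):
    """Hypothetical helper: return the list entry covering host, else None.

    Matches on whole DNS labels, so GB.ibis.lgappstv.com is covered by
    ibis.lgappstv.com but notsmartclip.net is not covered by smartclip.net.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

def inspect_request(raw):
    """Hypothetical helper: summarise one cleartext HTTP request from a capture."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    # parse_qs drops empty values, leaving only the fields that carry data.
    fields = {k: v[-1] for k, v in parse_qs(body.replace("\r\n", "")).items()}
    return {"method": method, "path": path, "host": host,
            "blocked_by": blocked_by(host),
            "has_device_id": "x-device-id" in headers,
            "fields": fields}

# Constructed sample modelled on the packet quoted above; device ID is a placeholder.
SAMPLE = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:PLACEHOLDER-DEVICE-ID\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "&chan_name=BBC TWO&device_src_idx=1&external_input_name=Antenna"
    "&chan_phy_no=47&watch_dvc_logging=0"
)
```
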

Vendetta
Posted: 2013-11-20 12:54pm
Y'know, as much as it makes him feel clever to do this, it's probably in the EULA saying it's going to do it.....

Thanas
Posted: 2013-11-20 01:25pm
Nobody reads them, which is why courts (for example in Germany) say that no matter how often you agree to them, provisions are automatically invalid if they unfairly infringe on your rights.

InsaneTD
Posted: 2013-11-20 06:04pm
I'm curious how this differs from Google ads?

Simon_Jester
Posted: 2013-11-20 06:06pm
For one, Google doesn't read your hard drive and send filenames back to its website as far as I know.

Mr Bean
Posted: 2013-11-20 06:12pm
Simon_Jester wrote:
For one, Google doesn't read your hard drive and send filenames back to its website as far as I know.

Also, Google is offering you something for what it takes: its suite of apps and useful programs it gives out free. Meanwhile LG TV, in exchange for spying on you without your knowledge, is giving you nothing. It's not like the steal-your-information TVs are cheaper than equivalents. The models reported are mostly middle of the road with one or two high end smart TVs; there are better ones on the market, so do you want a bigscreen smart TV that costs 1,500$ and spies on you? Or a bigscreen smart TV that costs 1499.99 and does not invade your privacy to steal your metrics and viewing habits and display popup ads?

Hmm not a tough call on that one.

atg
Posted: 2013-11-20 08:35pm
Thanas wrote:
Nobody reads them, which is why courts (for example in Germany) say that no matter how often you agree to them, provisions are automatically invalid if they unfairly infringe on your rights.


I think there is also an issue with the fact that generally you can't read the EULA before purchasing the product, making it void as a contract, and you generally cannot return the product to the retail location even if you did disagree with the EULA because 'it's not faulty'.

Esquire
Posted: 2013-11-20 10:01pm
I suspect there's going to be a major class-action suit filed in the next few years to do with the stuff they put in EULAs, and license agreements generally. Who knows, maybe this will be the basis... anyway, it seems to me that companies stick all sorts of stuff in them on the grounds that nobody's ever going to read the things. But that's got to count as some sort of bad-faith dealing, and I shouldn't have to hire a lawyer to buy a TV.

Zaune
Posted: 2013-11-21 08:10pm
Well, that was fast. I won't quote the whole thing because it's mostly a rehash of the original blogpost, but it seems LG changed their tune quite quickly when they started getting calls from the media and the Information Commissioner's office.

Oh, and check out this comment on the original blog post; it seems that the retailers they were passing the buck to weren't made aware of this hidden feature either.

InsaneTD
Posted: 2013-11-22 04:48am
I wonder how many other smart TVs do that?

Beowulf
Posted: 2013-11-23 02:11am
Yet another reason to have a dumb TV.

Document
Posted: 2014-04-07 02:15am
Could you censor the super-wide string in the quoted packet?

Borgholio
Posted: 2014-04-07 09:26am
Document wrote:
Could you censor the super-wide string in the quoted packet?


Sure, after we censor useless thread necros.

Document
Posted: 2014-04-07 06:08pm
Borgholio wrote:
Sure, after we censor useless thread necros.

Sorry; didn't think to check the date.