Hackers can control smart TVs using security flaws, Consumer Reports has found.
“We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume,” stated the report.
The attack can be conducted over the web, but the vulnerabilities do not allow a hacker to access user information.
The problems affect Samsung televisions, and models made by TCL and other brands that use the Roku TV smart-TV platform.
“To become a victim, a TV user would need to be using a phone or laptop running on the same Wi-Fi network as the television, and then visit a site or download a mobile app with malicious code,” said Consumer Reports.
“That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.”
It will also affect certain Roku streaming media players, it added.
Samsung said it is aware of the report and is investigating, with fixes to be released in the future.
Update: Consumer Reports “got it wrong”
Roku has issued a statement on the Consumer Reports article, posted below:
Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to ensure our customers that there is no security risk.
Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.
In addition the article discusses the use of ACR. We took a different approach from other companies to ensure consumers have the choice to opt-in. Therefore, the feature called More Ways to Watch, which uses ACR, is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time. To disable consumers have to uncheck Settings > Privacy > Smart TV experience > Use info from TV inputs.
We take the security of our platform and the privacy of our users very seriously.