New research from Avast reveals just how easily compromised many so-called “smart” TVs actually are, as well as how little your consent to being tracked actually matters. This hack is unrelated to the investigation we discussed yesterday, concerning Vizio’s decision to sell identifiable user data to third parties and advertisers, though many of these issues are interrelated.

Writing for Avast, Aaron McSorley details how the company investigated the security of a Vizio smart TV. The entire point of the exercise was to illustrate how a normal person could be impacted by hacking a smart device via a man-in-the-middle attack.

In the end, we found that the smart TV we were inspecting actually broadcasted fingerprints of users’ activities, whether they agreed to the device’s privacy policy and terms of services when first setting it up. In addition, we uncovered a vulnerability within the device that could serve as a potential attack vector for an attacker attempting to access a user’s home network. Since this all sounds pretty creepy, it’s important to note that Vizio successfully resolved these issues upon being notified of our findings. (emphasis original)

What Avast found, overall, was that the Vizio TV repeatedly connected to control.tvinteractive.tv, a domain owned by Cognitive Networks, via HTTPS. The researchers quickly discovered that the television used HTTPS but never checked whether the server’s certificate was valid, so it had no way to tell the real server from an impostor sitting between it and the Internet. Each of its requests contained a checksum value at the end — if that checksum comes back invalid, the TV refuses to use the data it receives. While that’s better than Samsung’s problems earlier this year, in which supposedly encrypted information was transmitted in the clear, Vizio’s failure to validate the HTTPS certificate is still a serious flaw.

After discovering a flaw within the networking menu that allowed for local command injection, Avast was able to persuade the TV to communicate its entire file system and copy its data to a USB stick. At this point, the team states, “The TV is pwn’d.”

Once they had the file system dumped to disk, it was easy to locate the necessary key for breaking the initial checksum encryption and take control of the television.
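The example below is added here and is not code from Avast or from Vizio’s firmware. It shows the check the TV skipped, beside a client that performs it, and why a payload checksum keyed with a secret stored on the device cannot stand in for certificate validation. HMAC-SHA256 is an assumed stand-in for the TV’s checksum (the article does not give the real algorithm), and the function names, key and payload are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def tv_style_context():
    """Constructed 'before': speaks TLS but accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def hardened_context():
    """Corrected form: CERT_REQUIRED plus hostname check against the trust store."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the validation gaps in a client TLS context (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def make_tag(body, key):
    # Assumed stand-in for the TV's checksum: HMAC-SHA256 over the payload.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def accept_response(ctx, body, tag, key):
    """Accept data only if the transport is authenticated AND the tag matches.

    The tag alone proves knowledge of a key that ships on every device, so it
    says nothing about who is on the other end of the connection.
    """
    transport_ok = not audit_context(ctx)
    payload_ok = hmac.compare_digest(make_tag(body, key), tag)
    return transport_ok and payload_ok


if __name__ == "__main__":
    key, body = b"constructed-device-key", b'{"cmd": "noop"}'  # constructed sample
    tag = make_tag(body, key)
    for name, ctx in (("tv-style", tv_style_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx), accept_response(ctx, body, tag, key))
```

The same `audit_context` check can be run in a code review or test suite against whatever TLS context a device client constructs, failing the build when either finding appears.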

Vizio is watching you

By telling the TV to transmit via HTTP, rather than HTTPS, the security team could watch the TV’s output and see that it was transmitting a binary blob of data every 1-2 seconds. This data proved to be pixel information from whatever was playing on-screen at the time. That data is shown below:

Each line of pixels in the image represents values taken from pre-defined points on the television, and each row of pixels represents one second. To the naked eye, this is nothing but an unidentifiable smear. To a computer, it’s something far different. To understand how this kind of data analysis works, imagine flipping on your own TV and catching a favorite movie or TV show partway through. Depending on how well you know the show, it could take you mere seconds to recall everything about the episode — even though you’ve only seen a fraction of the content.

We humans perform this kind of analysis using the full frame of video, the accompanying audio stream, and at least a few seconds’ worth of content. A computer can handle an analogous analysis using pixel data measured at predetermined points. The Avast research doesn’t share whether the television always transmits pixel data when active, or if it shuts down once a positive stream identification is made, but either way the system is analyzing everything you watch and transmitting it back to Cognitive Networks.

The researchers go on to note that this attack could be used to inject malicious advertising or content monitoring into a display, though they didn’t have much luck with their initial efforts to show faked ads on-screen. We asked Aaron whether Vizio’s latest software update resolves this, and were told the following: “With the latest firmware update from Vizio, if you decline the privacy agreement during initial setup, the TV will not send data to Cognitive Networks servers. The update also patches the known exploits.”

While we’re glad to hear that this is the case, Vizio has presumably been shipping affected televisions for months, if not years. That means consumer data has been shared without consent for this entire span of time. And the issues that ProPublica raised still remain — Vizio is still selling your personal information unless you specifically opt out of that program.

Historically, these kinds of efforts have been justified by claiming that the consumer agreed to them by clicking “Yes” on whatever shrinkwrap license the provider has seen fit to wrap around the product. As this breach shows, however, these types of leaks can occur whether you actually agreed to anything or not.