Recently Samsung found itself at the center of a controversy concerning its Smart TVs. A careful look at the privacy policy revealed a warning from the company itself that users shouldn’t discuss personal or sensitive information in front of the TV, since it could be among the data picked up by the TV and transmitted to a third party when the Voice Recognition function is used. People were quick to dub the policy Orwellian, forcing Samsung to edit the privacy policy and explain in detail how Voice Recognition really works on Smart TVs.

Looks like that wasn’t the end of Samsung’s troubles as far as this product is concerned. Security researchers have discovered that the voice data the company’s Smart TVs send over the internet is not encrypted. David Lodge, a researcher at security consultancy Pen Test Partners, explains how they came to this conclusion by studying the Smart TV’s data transmissions with the network inspection tool Wireshark.

Spoken web search queries are often sent to a third party over the internet for analysis, Nuance in this case, which analyzes them and beams the result back to the television. It was discovered that this information is transmitted through port 443, which is usually meant for TLS-secured HTTPS connections and is conventionally not firewalled off. The stream from Samsung Smart TVs is not encrypted, thus opening the data up to man-in-the-middle attacks. Lodge explains that the data pulled from the stream isn’t even SSL encrypted; it’s just a mix of XML and custom binary data packets. Other information sent over the internet includes the TV’s MAC address as well as the OS version in use. Even the processing server that returns a transcript of what was said sends it back in plaintext.
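A defender's check for the behaviour described above, as an added example not taken from the article or from Pen Test Partners' work: given the first bytes of each flow (as exported from a capture), flag connections to port 443 that do not begin with a TLS ClientHello record and are instead XML or other cleartext. The flow samples are constructed here for illustration; the heuristics are mine, not Samsung's protocol details.

```python
"""Flag port-443 flows whose first bytes are not a TLS record (constructed example)."""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type for ClientHello


@dataclass
class Flow:
    dst_port: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record header carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (content_type == TLS_HANDSHAKE and major == 3 and minor <= 3
            and 0 < record_len <= 16384 and data[5] == CLIENT_HELLO)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: an XML prologue or tag, or mostly printable ASCII, up front."""
    head = data[:64]
    if head.lstrip().startswith((b"<?xml", b"<")):
        return True
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in head)
    return len(head) > 0 and printable / len(head) > 0.9


def classify(flow: Flow) -> str:
    if flow.dst_port != 443:
        return "other-port"
    if looks_like_tls_client_hello(flow.first_bytes):
        return "tls"
    if looks_like_plaintext(flow.first_bytes):
        return "plaintext"
    return "unknown-binary"  # not TLS, not text: custom binary worth a closer look


def find_cleartext_on_443(flows):
    """Return (flow, verdict) for every port-443 flow that is not TLS."""
    return [(f, classify(f)) for f in flows if classify(f) not in ("tls", "other-port")]


# Constructed samples: a TLS 1.0 record wrapping a ClientHello, an XML-led payload
# like the one described in the article, a binary-led payload, and an HTTP flow on 80.
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16),
    Flow(443, b'<?xml version="1.0"?>\n<speech lang="en-US"><audio>' + b"\x00\x01\x02\xff" * 8),
    Flow(443, b"\x80\x00\x00\x00" + bytes(range(60))),
    Flow(80, b"GET /search?q=weather HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]
```

Run `find_cleartext_on_443(SAMPLE_FLOWS)` to list the two port-443 flows that never start a TLS handshake; in a real capture, feed it the first client bytes of each TCP stream.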

Unencrypted data in transit is open to man-in-the-middle attacks. For example, spoken commands can be intercepted and swapped, thus altering users’ web searches remotely and for malicious purposes. Researchers were even able to decode the encoded voice audio that the TV transmitted and replay the users’ spoken voice commands.

Lodge concludes his explanation by imploring Samsung, as many Smart TV owners might now, to at least protect the data with SSL encryption. Something is better than nothing, after all.

Update: Samsung reached out to the media outlet AllaboutSamsung.de with the following statement concerning the same: “Consumer privacy is a top priority for all Samsung products. Our latest Smart TV models are therefore equipped with a corresponding encryption function. An appropriate software update for previous models will be available shortly, which ensures the encryption of the data.”
