LOS ANGELES — Buyer beware. If you’ve snapped up a smart TV, with built-in Netflix, YouTube, Hulu and other Web connections, heads up on this warning — your smart TV could make you vulnerable to hackers and is probably monitoring more of your viewing than you realize.
Consumer Reports just analyzed smart TVs from five big U.S. TV brands — Samsung, LG, Sony, TCL and Vizio — and found several problems. All can track what consumers watch, and two of the brands failed a basic security test.
How bad is the security? So poor, according to its report, that hackers were able to take over complete remote control of the TVs from Samsung and TCL's branded Roku TV, which included changing channels, upping the volume, installing new apps and playing objectionable content from YouTube.
"What we found most disturbing about this was the relative simplicity of" hacking in, says Glenn Derene, Consumer Reports' senior director of content.
The non-profit, which publishes a magazine and a website, partnered with a firm called Disconnect to do the hack tests.
It was easy to break in, Derene said, because "basic security practices were not being followed."
Both Roku and Samsung told Consumer Reports the companies would take a closer look at the issues and address them.
However, Roku pushed back Wednesday morning in a blog post, saying Consumer Reports "got it wrong" and insisting there is "no security risk" with its products.
"We take the security of our platform and the privacy of our users very seriously," said Gary Ellison, a Roku vice president.
The Consumer Reports test took control of the TCL/Roku TV through a feature Roku created to allow remote control of the Roku, software that could be used, for instance, to let you use your iPhone as a remote. Users could be exposed if a phone owner whose TV is on the same household Wi-Fi network clicks on a malicious link that allows a hacker onto the network, and then into the TV interface.
Roku says that feature can be disabled. Additionally, to use the feature, you have to be on the same Wi-Fi system, and Roku suggests users have password-protected Wi-Fi to prevent security breaches.
Smart TVs represented more than half of all TV sales in the first half of 2017, according to market researcher GFK, and at this point, most sets being marketed are "smart." Consumers opt for them because they save people the hassle of changing their settings when they want to stream media from the Internet.
These new TVs have a technology add-on called Automatic Content Recognition, which monitors what you watch, in an attempt to do a better job than Nielsen at measuring viewership.
So, hypothetically, you could watch the show This is Us, and the next thing you know, your computer and phone will start showing you ads for the NBC show, similar to how we’re tracked online.
Consumer Reports says there’s an easy fix. Turn off the feature that tracks your watching.
That’s one choice. Your other two are to turn off Wi-Fi while you’re watching, which doesn’t make sense if you like to stream, or buy a dumb TV and stream the old-fashioned way, via a set-top box.
But that still may leave you open to hackers. Consumer Reports found that the Roku streaming box, which used the same operating system it tested on Roku-branded TVs sold by TCL, was also vulnerable. It didn’t mention testing the Amazon Fire TV or Apple TV boxes because those operating systems aren't widely available, if at all, within other TVs.
Hacking risk aside, the report found that the smart TVs it evaluated asked for permission to collect viewing data and other information, but it wasn't necessarily easy for users to understand what information they were agreeing to share, and there was a tendency to request oversharing — such as monitoring everything a TV watcher did, whether it was streaming, playing a DVD or watching paid TV.
Consumers are used to letting Internet-streaming services Netflix, YouTube and Hulu track everything they watch on their services, in order to recommend other shows. So is it so bad if NBC and CBS, via the set manufacturer or software vendor, get the same information?
Derene's view: It's just not the expectation of consumers that their TV will be tracking everything they watch, particularly if they're not streaming.
Regulators have also started to look more closely at the information gathered by Web-connected TVs. A year ago, Vizio agreed to pay $2.2 million to settle claims from the Federal Trade Commission and the Office of the New Jersey Attorney General over collecting viewing data without consumers' consent. That information, along with demographics data including sex, age, income, marital status and home ownership, was sold to third parties who used it for targeting advertising and other purposes, the agencies charged.
The FTC said then: "Smart TV makers should get people’s consent before collecting and sharing television viewing information."