By Jeremy Hsu on September 24, 2024
Popular smart TV models made by Samsung and LG can take multiple snapshots of what you are watching every second – even when they are being used as external displays for your laptop or video game console.
Smart TV manufacturers use these frequent screenshots, as well as audio recordings, in their automatic content recognition systems, which track viewing habits in order to target people with specific advertising. But researchers showed this tracking by some of the world’s most popular smart TV brands – Samsung TVs can take screenshots every 500 milliseconds and LG TVs every 10 milliseconds – can occur when people least expect it.
“When a user connects their laptop via HDMI just to browse stuff on their laptop on a bigger screen by using the TV as a ‘dumb’ display, they are unsuspecting of their activity being screenshotted,” says Yash Vekaria at the University of California, Davis. Samsung and LG did not respond to a request for comment.
Vekaria and his colleagues connected smart TVs from Samsung and LG to their own computer server. Their server, which was equipped with software for analysing network traffic, acted as a middleman to see what visual snapshots or audio data the TVs were uploading.
They found the smart TVs did not appear to upload any screenshots or audio data when streaming from Netflix or other third-party apps, mirroring YouTube content streamed on a separate phone or laptop or when sitting idle. But the smart TVs did upload snapshots when showing broadcasts from the TV antenna or content from an HDMI-connected device.
The researchers also discovered country-specific differences when users streamed the free ad-supported TV channel provided by Samsung or LG platforms. Such user activities were uploaded when the TV was operating in the US but not in the UK.
By recording user activity even when it’s coming from connected laptops, smart TVs might capture sensitive data, says Vekaria. For example, it might record if people are browsing for baby products or other personal items.
Customers can opt out of such tracking for Samsung and LG TVs. But the process requires customers to either enable or disable between six and 11 different options in the TV settings.
“This is the sort of privacy-intrusive technology that should require people to opt into sharing their data with clear language explaining exactly what they’re agreeing to, not baked into initial setup agreements that people tend to speed through,” says Thorin Klosowski at the Electronic Frontier Foundation, a digital privacy non-profit based in California.
If you have a smart device, someone is doing this with it. Best options to reduce their ability to access your devices: smart TV’s - don’t connect them to the internet unless you’re updating the firmware. Use a streaming stick for streaming services, and then your privacy violations are minimized to the streaming stick that doesn’t have a mic, or camera. Some controllers do have a mic, it’s only a problem with who is making the tech. Other smart devices like fridge, microwave, oven, washer, etc, just never connect them to the internet, they likely will work fine their entire life without a network connection. Personal smart devices such as smart phones, remove google, and apple. Neither can truly be trusted, however apple does have a track record of keeping their snooping to themselves for what that’s worth. For robots, they will likely need a network connection, I recommend supporting home automation projects that will allow us to replace the OS on our robot vacuums, and food delivery devices with one that connects to a home based server that doesn’t need an internet connection. But never, ever, trust a smart device that is within hearing, seeing, or is touching you. It is a monitoring device, and it is being used that way by anyone with enough power.
deleted by creator
My pi-hole blocks SO MUCH traffic from my Rokus. Never buying another Roku again.
deleted by creator
I don’t think my TV has ever been connected to the internet. As a safe guard to ensure that it never is I banned its wired and wireless MAC address from my network. So even if someone did plug it in…nothing.
I’ve jokingly said this before, but just wait until manufacturers start adding 4G/5G to TVs explicitly for ads and telemetry…
Just like modern cars… I wish there was some kind legislation that would limit phone-home telemetry to emergency service telecommunication frequencies, and be opt-in only. That way any OEM operating under commercial cellular frequencies would thus be unlicensed, and subject to FCC violations and import bans. Like what OnStar was originally pitched as; only auto dialing to 911, and 911 only, if you were unresponsive after airbags deployed. OEM couldn’t use the telecommunication frequencies for anything other than networking with emergency service endpoints on the same VLAN.
Anything recorded by the vehicle would be required to stay on the vehicle due privacy regulations, like the black box recorder for warranted forensic investigations. OTA updates could also be distributed offline for users to download and flash via USB, like any motherboard bios, so transactions would be write only.
deleted by creator
There is usually two types of MAC randomization and they both apply to wireless. One is pre-auth and is part of the IEEE 802.11aq Pre-Association Service Discovery spec. It makes it harder to track a user just because they got in range of an AP.
The other is when they actually connect to an SSID. Win10 and mobile OS’s started supporting this but it maintains a relationship between a MAC/SSID pairing otherwise you would have all kinds of network/auth weirdness if it didn’t.
Regardless if I noticed a device on my network behaving poorly by randomizing its MAC on every connection then I’d swap my network over to a grant list of MAC addresses and it can happily knock itself offline as much as it wants. Utilize a guest networks for visitors to avoid the headache of list management when a friend stops by and wants WiFi.
I can say I’ve never seen that behavior across all my devices though.
No matter how much they ask
Installed pi-hole this week. Number one blocked domain with 1600 queries… Scribe.logs.roku.com.
wtf?
Something doesn’t add up. How can a TV take 100 Screenshots of 4k content per second? No wifi has that bandwidth. No embedded processor has that capacity.
It may be snapping multiple in a small period of time. Compressing them in the background then trickling them back out.
I’m pretty familiar with how one particular brand of TV works, and you’re right, it’s absolutely not screenshots. It’s a handful of single pixels across the screen. By matching these pixels against known content it’s possible to identify what was being watched. Not too different than how Shazam can identify a song.
That’s not to say all TV manufacturers work that way.
-
it doesn’t necessarily take full resolution images
-
just because it can capture images a few hundred milliseconds apart doesn’t mean it’s continuously capturing images. It could be several in short bursts with a delay between groups of images.
You know when people say “I’ve only talked about this once, never searched for it, and then I got ads a few days later”?
What if it hasn’t been phones that were listening (despite Siri/Google Assistant/Alexa mis-identifying something as a wake-word being the most sensible explanation), but TVs?
Why not both
-
Probably a data snapshot, not an actual screenshot.
It doesn’t say the screenshot must be full resolution and it doesn’t say the screenshot is immediately uploaded. A couple seconds to downscale and compress would work the same as far as content identification is concerned
360p is probably enough. And that’s “up to” per second, average is probably far far far less.
It doesn’t need a 4K screenshot. It needs enough data/metrics from any given single frame to run it through analytics and an algorithm to tailor ads. Backend surveillance like this isn’t interested in fidelity to the human viewing experience. It needs identifying data. That can be had through a combination of low quality data scrapes done numerous times.
“Screenshot” is more like a metaphor here. Sort of like how your Apple or Google photos are “private,” but the data and analytics taken from them you’ve given away. It’s like if you told me I could look at all the photos on your phone and take as many notes and subject them to as much analysis as I wanted, but I promised not to actually physically keep your phone/photos. Probably makes you feel like your photos are securely still in your possession, but I got what I wanted. Your data is technically private, but my data about your data is mine.
I’m the OP, but not the author of this article posted.
After I dove deep into the study, the study said it records data at 500ms. And then it batches the data together, and only sent data once per minute back to Samsung. Between 8kB and 9kB of data per minute. So definitely not 4K screenshots.
Totally agree. It sounds like something was lost in translation here by the final edit of potentially some run though a llm for proof reading to dumb it down enough to either just make it more consumable, more clickbait or realistic both.
My guess is the actual research reported that it was 100s of packets per second (not screenshots) which is still a lot more than you would expect even for spyware. Either way it’s been well known that smart tvs are spyware ridden, I don’t need a paywalled service to tell me that.
Plenty of embedded processors have that capacity, but I generally agree about the bandwidth.
Yea I don’t believe it, that’s some processor intensive streaming. My security camera feeds can’t even do that. 100fps is crazy for streaming. Are we sure these “screenshots” aren’t just anonymous metric gatherings like video codecs and resolution?
I’m with you, I think it’s probably BS. But I suppose it could be taking highly compressed low resolution snapshots.
I agree. I’m the OP, but not the author of this article. I do believe this author doesn’t know what he is talking about. After looking at the study, it seems it does record data at 500ms interval. However, only in intervals of 1 time per minute 8kB of data is sent back, meaning its only some kind of meta data.
Thanks for the followup!
Not mentioning taking 100 screenshots each second with what - 25 frames per second? - is kinda overkill…
Never connect your tv to the internet.
It automatically connects to unprotected wifi access points.
Is there evidence of this happening?
And if so, I think I would just plug it into an old router via ethernet with no external connectivity.
Okay. So how do we turn it off!? I’ve read nothing in my Samsung manuals about this “feature” and here no instructions for turning it off.
If there are open wifi networks near your TV that you can’t lockdown, you’ll want to confirm it your make/model is known to automatically connect to those, and then take whatever mitigation steps are justified for your own use case.
For example, if you have multiple TVs, maybe you can swap models around based on their capabilities and location, or look up the schematic for the TV and see if it’s easy to block it’s internal antennas.
Or maybe that seems like too much of a hassle and you just say fuck it, and don’t worry about it. Which is always an option, because given how much data already gets sucked up by surveillance capitalism, my evening TV viewing habits have to be some of the lowest value data points, as I already block ads and avoid all ad supported services.
Okay. So how do we turn it off!?
This is probably not the reply you want, but as someone who (in the past 40+ years) has never owned a TV, I simply can’t refrain from asking: Have you considered simply not owning a TV?
“I keep overcooking my steak, any advice?”
“I haven’t had meat in 40 years, have you considered simply going vegetarian?”
Movies and television shows can be an excellent form of entertainment and a great source of educational materials. And this is the golden age of television. Sorry you’ve been missing out on that
You know that part of the manual that tells you to connect the TV to the Internet?
Don’t do that.
That sadly doesn’t work well enough. They will connect to things on their own.
No Internet for the device
They have been known to connect automatically to nearby compatible devices or unsecured wifi.
Just don’t hook it up to your wifi. Don’t use any of its included apps. If you must stream get a separate device to do it.
This is the correct answer. I actually disabled LG’s version of it when I first heard about it. A few months later it had been reactivated in an update, so I just factory reset it and connected an old laptop.
You can’t trust anyone — corporation or government — to protect or respect your privacy. Ever. If it’s not open source and E2EE, assume that a criminal is going to view and process it for profit.
No it is not the correct answer! The correct answer is to put the CEOs who perpetrate this criminal shit in prison for millions of counts of hacking and stalking!
Merely shrugging and implementing a technological workaround is not an appropriate response to someone perpetrating a felony against you!
The downvotes are because your “solution” is not based in the reality that the rest of us live in.
There are no downvotes, so I’m not sure what point you think you’re making.
Okay… Though I agree the system is run by criminals, I’m gonna continue protecting my data as best I can, and recommending everyone do the same, while you live in a magical fantasy land where we don’t live in capitalist plutocracies and the rule of law applies to everyone, equally!
It still can connect to untrusted wifi access point (without password protection). So also try to go to: Settings Menu -> General & Privacy -> Terms & Privacy -> And there is a whole list of privacy setting. Try to find the option to: Do not agree with all. Or you need to manually disallow each privacy option… Good luck!
I have a Samsung smart TV that is not connected to any networks, and every few days it will display a ‘detecting device’ loading screen when switching to my input that fails after 30 seconds or until I cancel it (canceling does not seem to impact its functioning)
I have no evidence but I strongly suspect this to be related to attempting to record and send device data to a remote server.
I have noticed this too, I have to press the ‘back’ button on the remote to get the computer output.
Question, what separate device is best and most privacy focused? I just imagine getting a firestick, google Chromecast, etc would also give away data?
There are some open-source systems for media PCs.
Kodi seems to me to be popular, though I don’t use a media PC myself.
You’ll need to have the technical knowledge to install it yourself.
Again your media PC (or HTPC) is still connected to a smart TV. And the problem is with the TV recording HDMI data. In fact, if you read correctly, the Smart TV does no record data from the built-in apps like Netflix.
Its real tricky to get into and overwrite some of the SoC processors and ARM chipsets, but pretty earlyon the hacker crowd was turning Samsungs Smart TVs dumb.
They’ve acrually got some great resistance to screen burn.
I love my Samsung because I never gave it the wifi credentials.
Dumb TV is better. My PS5 can do everything I want and I already give all my metrics to them just playing it
Hello 8th person I’ve had to explain this to: they still connect to stuff. Even if you disable WiFi on the Samsung TV they can mesh network with other TVs in your neighborhood or with your phone (Samsung is particularly pushy about wanting you to install and connect your phone).
Ok I’ll look into this. I have not witnessed any evidence of this behavior. What frequency would this be meshed on? Any 2.4GHz and 5Ghz I would have already seen.
I got an LG because despite how it looks, you can just refuse to agree to a bunch of their privacy agreements and be fine. It’s not perfect, but it’s a hell of a lot better than it would be otherwise, and miles ahead of Samsung’s lack of options.
I have come to realize this and have declined all the T&Cs except for like 3 that you just have to accept to make it function.
Yep, same. Works fine for me, I never wanted the features that disables.
Use Pi-hole and block their domains
Do you know where I can source the domains?
Pihole will log DNS requests. The requests come.from the TV. So when it pops up, Block it.
https://blocklistproject.github.io/Lists/ the Smart TV list under their beta lists.
I use nextdns on my network and there’s a filter there for smart tvs. Samsung seems to want to call home the most.
They’re getting smart to that and are starting to hard code server IPs, circumventing any DNS you have in place.
Joke’s on them. Their telemetry server is in another
castleVLAN.
You can go to Settings Menu -> General & Privacy -> Terms & Privacy -> And there is a whole list of privacy setting you automatically agreed with (which you didn’t). However, you should find an option for: Do not agree with all. Or you need to manually disallow each privacy option… Good luck!
Disable internet.
You’ll have to insulate your home from any outside unsecured wifi and compatible devices to stop some of them from networking.
Since it can also connect to untrusted wifi access point (eg. without password). You need to live in a Faraday cage …
LOL “if it was opt-in, no one would do it!”
no fucking shit. there is nothing worth watching that i would buy a smart tv for
if it was opt-in, no one would do it!
Which should be telling them that not only does no one want it, but maybe just maybe we already paid for your fucking TV. Either raise the price or stop being so fucking goddamn greedy to the point that you force us to make the government force you to stop.
Of course the bought and paid for US government won’t, but hopefully EU governments will.
If they raise the price, then they only get money once. If they sell your data, now they have an income stream.
One issue that has come up recently in discussions on here is that it’s hard to get dumb TVs or computer monitors in large format in 2024.
Not impossible, but surprisingly difficult. I went looking for a large computer monitor for some user who wanted a large one. I eventually found an older one on Amazon still for sale, but it’s not that easy to get large computer monitors, which I think is part of what drives people to use smart TVs as computer monitors.
You can get projectors, but that’s not what everyone’s after.
A smart tv without an internet connection is usually close enough to a dumb TV. It’s not like your TV needs regular security updates so leaving it off your home network is fine.
I do not know how true it is, but I’ve heard that some of them will create a mesh network if your neighbor has the same brand and it’s connected to the internet.
I’ve always meant to look into it but I have big dumb TVs that work for now.
Open the tv and rip out the antenna. Y’all already forgot the classic secret agent trope of checking the hotel room for bugs? Now we all get to play that game!
Nowadays the antenna is often embedded into the pcb, so no way to rip it out other than scraping off the traces
Google part numbers (if they aren’t scratched off/lasered off/ epoxied). Once you’ve found the ethernet controller, you can short out the pins, or yeet it off the board.
“mechanical malfunction, please contact support” as a big red warning that you cannot dismiss
It’s called wardriving, a practise Samsung TVs are infamous for.
I never put that together with wardriving but that’s exactly what it is. Thank you for that.
Unrelated story: ~20 years ago I was in the military and broke as hell. I went wardriving in my neighborhood looking for open wifi and found a business not too far away that had it. So I built an antenna out of a coffee can, mounted it up just outside my window, and got free wifi for months.
To me, Wardriving is back in the day when you used to drive around town with a laptop and a program that catalogues all the open wifi networks in range.
Would love to know how true this is as I wouldn’t put it past manufacturers
There’s another reply further down that goes into specifics. I ain’t the one because I didn’t come with receipts and I’m just a drunk.
I will not give them the satisfaction.
Smart TVs are only smart when they are connected to the internet.
As mentioned by others, they sometimes network with nearby devices such as your neigbor’s TV or an unsecured wifi.
“They found the smart TVs did not appear to upload any screenshots or audio data when streaming from Netflix or other third-party apps, mirroring YouTube content streamed on a separate phone or laptop or when sitting idle. But the smart TVs did upload snapshots when showing broadcasts from the TV antenna or content from an HDMI-connected device.”
The world is owned by a big club, and you’re not in it.
“When a user connects their laptop via HDMI just to browse stuff on their laptop on a bigger screen by using the TV as a ‘dumb’ display, they are unsuspecting of their activity being screenshotted,”
But if you never connected the TV to the internet, it’s not able to upload anything right?
Correct
Thing is, it’s getting pretty cheap to build radios into devices, and companies are doing that and bridging them to whatever Internet connectivity they can reach, not just your own. You don’t necessarily have to personally plug something into an Ethernet socket to make a device Internet-connected.
From back when Amazon Sidewalk was rolling out:
https://www.statuscake.com/blog/what-is-amazon-mesh/
This time, however, the big news is Amazon mesh, a network to connect users and their devices. The tech giants have called this project Amazon Sidewalk+ with the idea first being made public back in 2019 where they announced they wanted to extend and expand the connectivity of their customers.
Why did Amazon do this?
According to Amazon, the main reason was to provide a better service for their customers whilst using their devices. Although there has been some backlash by those in the safety and security space, the idea seems to be very safe and simple.
How will Amazon mesh work?
The Sidewalk project will create a network mesh between all the connected devices so it can increase the connection field around the devices. It will be able to do this by using Low-energy Bluetooth and 900MHz radio signals to pass data with the connected compatible devices. By doing this, the network can extend the reach of the signal and thus it will be able to cover a larger area to allow devices to connect.
Here is an example of how this will work: imagine if you have a compatible device at the end of your garden such as a light which you normally can’t control with your phone. With the extended network, that light could connect to a neighbour’s device and by doing this it will be connected to the network, and you will have the ability to then use your phone to control the light.
There has been some concern regarding how much data the network will use for those who agree to be part of it and Amazon have estimated that the data usage could be around 400-500mbps a month. For most people, this is such a small amount that it won’t even be noticeable.
How can the mesh network be used?
Another use for this mesh is for users around the network to connect and possibly use the mesh to perform other tasks such as a Ring doorbell (Amazon-owned) to be installed in the part of the house where the usual Wi-Fi signal doesn’t reach. This provides customers with a great alternative to the far more expensive Wi-Fi extender mesh products on the market.
As is normal in situations like this, many users are concerned about the security of this project. According to what Amazon has released regarding how it will work so far, there will not be any security concerns as the connections will not identify which device was connected meaning that if your Ring doorbell extends the network to a nearby device, the system will not mention that this device was connected to that particular Ring doorbell. However, people need to be aware that Amazon itself can collect this data and the way the users interact with the network.
The feature works by creating a low-bandwidth network using smart home devices such as Amazon Echoes and Ring security cameras. At its simplest, it means that a new Echo can set itself up using a neighbour’s wifi, or a security camera can continue to send motion alerts even if its connection to the internet is disrupted, by piggybacking on the connection of another camera across the street.
But the company’s plans have caused alarm among observers. Ashkan Soltani, a former chief technology officer of the US Federal Trade Commission, told the tech site Ars Technica: “In addition to capturing everyone’s shopping habits (from amazon.com) and their internet activity (as AWS is one of the most dominant web hosting services) … now they are also effectively becoming a global ISP with a flick of a switch, all without even having to lay a single foot of fiber”. The feature may also break the terms and conditions of users’ internet connections, which do not allow such resharing, warned Lydia Leong, an analyst at Gartner.
Users can disable Sidewalk in the settings section of the Alexa or Ring apps, but have until 8 June to do so. After that, if they have taken no action, the network will be turned on and their devices will become “Sidewalk Bridges”.
Amazon is not the first company to look to create such a network. Apple has taken a similar approach with the company’s range of AirTag item trackers, which can connect to the internet through any compatible iPhone they come into contact with, not simply their owner’s. And BT, through a long-term partnership with Fon, ran a service from 2007 until 2020 that allowed broadband customers to share spare bandwidth in a public wifi network.
When you have companies creating their own radio networks, they can use someone else’s Internet connection to move data.
For expensive devices, like cars, it also makes economic sense to have a dedicated cell modem and service phoning data home. But it’s not the only route.
Point is, you don’t have a monopoly over granting your devices Internet access any more.
Well. That’s it. Get the flamethrowers. Time to burn down the Amazon.
No. Not the one that’s already burning. The other one.
Yeah I remember when they rolled that out… it does not give me hope for the future of privacy.
Canada needs to really ramp up our privacy laws, I’m not crazy about GDPR specifically, but there needs to be something more substantial here.
I’m not really gung-ho about mandatory approaches either, like with licensing, but for an optional approach:
-
I have to be able to assess a device and its drawbacks with a reasonable amount of knowledge and time spent researching it.
-
There has to be at least one option on the market that does what I want.
For cars, at least, we’re really getting to the point where it’s not practical to get a new car without a cell data link that phones home.
And trying to stay atop of the privacy issues for all classes of device out there can’t be a full-time job, or it’s not reasonable to expect people to make informed purchasing decisions. Like, I should just be able to say that I don’t want a device that broadcasts any persistent unique IDs in plaintext over a radio, not have to research whether the current crop of smart automobile tire pressure valves has a protocol that exposes that information or not…
I’d like to avoid Europe’s prescription-heavy regulatory route, but the way things are now in the US isn’t my ideal either.
-
Cellular modems with lifetime contracts from a telco are also increasingly common.
SDRs like the Hackrf Portapack are, as well.
So much more goatse and bathtube girl pictures along with porn are now gonna be on my tv
What the fuck are you talking about? Lol
Don’t Google it. Just be happy you missed Liveleak and r/watchpeopledie.
And ebaum’s world. And rotten. And something awful.
Man wants to watch some kinky shit.
I wish I could go back in time to warn myself not to read this. The memory of receiving those (and other awful shit) is indelibly marked in my brain.
lol yeah! My friend where dicks and would set that to our screen savers or if we left our laptops open would go to meatspin.com and then lock your laptop. You got quite the surprise when you unlocked your computer lol
I’d rather pay for pretty much all products up-front with money at purchase time rather than pay with my data.
Not gonna tell other people what to do, but for myself, whether it’s my car or television or search engine or whatever, I’d rather just pay the bill rather than having the manufacturer or service provider go data-mining my data to figure out how they can make money from it.
I think that YouTube is a great service. YouTube Premium, though, is ad-free. What I want isn’t no-ad stuff, but no-log policies. And there aren’t a lot of manufacturers selling privacy. And it’s hard to compare services and products based on that.
I’ll go one more step. I don’t want to go read through privacy policies and figure out what the latest clever loophole is. We had to deal with that kind of legal stuff back prior to standardization around a few open-source licenses, and it sucked.
And I don’t want to deal with privacy policies that change and maybe don’t do what I want.
What I want to do is look for a privacy certification, and let the certification agency deal with that.
I’m happy to see this, my wife and I were about to buy a smart TV. Now I’ll just get the dumb variant.
Now I’ll just get the dumb variant.
These don’t really exist on a consumer level anymore. What you’re looking for is called a commercial display, which is what’s used in businesses and hospitals.
Luckily they exist in smaller sizes still. I’m just getting a small tv for occasional use.
No, they still exist.
