Samsung's smart TVs fail to encrypt voice commands

The apparent oversight makes it easier for hackers to spy on customers' activities.

The matter was brought to the public's attention by UK-based cybersecurity experts.

Samsung told the BBC it planned to release new code that would encrypt the voice commands to protect its users.

"Samsung takes consumer privacy very seriously and our products are designed with privacy in mind," the company said in a statement.

Reassure consumers

"Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models."

The revelation is the latest in a series of PR problems for the South Korean company's smart TV division.

On 10 February it felt compelled to update its privacy policy after the original language raised concerns that its TVs were recording and transmitting everything said in front of them.

The blog post that clarified under what limited circumstances voice commands were shared specifically made mention of Samsung's use of "industry-standard security safeguards and practices, including data encryption" as part of its efforts to reassure consumers.

David Lodge carried out the test on Samsung's UE46ES8000 model, which went on sale in 2012 and is still available to buy

Last week it also said it was investigating why some of its sets were adding adverts to programmes and films where they did not belong.

'Easy to solve'

Concerns that Samsung was not always using encryption, as indicated, were raised by Ken Munro and David Lodge, from the London-based Pen Test Partners on Monday.

During their tests of one of Samsung's older internet-connected TVs, they discovered that it was uploading audio files of their commands to the voice recognition specialist Nuance in an unencrypted form alongside information about the TV, including its MAC address, which could act as an identifier.

Furthermore, when a transcribed copy of what had been said was sent back to the TVs - allowing the screen to act on the commands - this was also in an unencrypted form.

This meant that a hacker could read the words off a screen if they managed to hijack the data connection, rather than having to listen to each recording.

Samsung believes that such hacks would not be easy to achieve, and wants to reassure owners of older sets that they should not be too concerned.

But Mr Munro said he believed the flaw was serious.

David Lodge spotted the various words Nuance thought his pronunciation of "Samsung" might be in the unencrypted data that its servers sent back to the TV

"Intercepting those communications could be done over wi-fi by neighbours and/or hackers outside your house, if you use the wireless feature of the TV to hook up to the internet," he said.

"It could also be carried out by your ISP [internet service provider], and by anyone else that has access to internet backbones. I'm thinking governments, law enforcement.

"This is an easy problem to solve. The communications should be encrypted using SSL [Secure Sockets Layer cryptographic protocols] just like other sensitive internet communications are."

(BBC)