Ask HN: Has anyone seen smart TVs connect to unsecured WiFi without permission?
In IT circles I've noticed that whenever there's any discussion around Smart TVs, someone will usually say they buy a Monitor or Digital Signage TV instead as they don't have smart features.
This would be to avoid adverts, viewing habit tracking via content ID tracking or just running software without security updates on your network.
And inevitably someone will say that they'd heard that Smart TVs will connect to unsecured WiFi networks in proximity and start uploading your data.
This seems like something worth reporting to regulatory authorities at least. And also would be quite interesting to understand how it works.
But I've never heard of any specifics. Like what brand does this? What data is it trying to send?
It's easy to spoof a public hotspot and then at least identify what domains it tries to connect to.
Failing that there might be information gleaned from wireshark.
69 comments
[ 1590 ms ] story [ 1658 ms ] threadHow expected...
If the aluminium foil is only around the antenna and/or connected to the antenna this might not be enough or might even improve the antenna.
In the UK, you can be arrested for unauthorised use of a Wi-Fi network, under our Computer Misuse Act law. [0] I think this would be unlikely if the network was wide open, but I believe it could still happen in principle.
edit I missed this from the linked article. Looks like you can't be arrested for accidentally using an unsecured Wi-Fi network.
> If the network was hacked then a crime has been committed, but our friends over at Out-Law.com confirm that connecting to the wrong network by mistake is not a crime
[0] https://www.theregister.com/2008/10/30/wi_fi_arrest/
You probably haven't committed a crime if you accidentially use an unsecured Wi-Fi network, but if you deliberately use one then the situation is less clear. Section 1 of the CMA (https://www.legislation.gov.uk/ukpga/1990/18/section/1) requires only that you "[cause] a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured," that "the access [you intend] to secure, or to enable to be secured, is unauthorised" and that you "[know] at the time [you cause] the computer to perform the function that that is the case."
How does a law so broadly worded translate to technical reality? Many of us in the industry don't really know, and as a result feel that the UK's computer misuse laws really are crying out for reform. See https://www.cyberupcampaign.com/ for more.
But regardless of that… it's totally plausible that a manufacturer could end up doing this, and as such it presents a risk vector. I can even see how it might be done semi-accidentally by a bad engineering team.
An even bigger risk is corporate-owned mesh networks, like Amazon Sidewalk. It's quite possible that TVs with Alexa support will end up also having access to this network, and will use your neighbour's Echo to ship data back even without you knowing. Or even a built-in LTE/5G transceiver.
Without strong regulation of privacy and consent, this will be a persistent and dangerous issue.
I can totally see this being done as a "usability" feature.
It won't be a dangerous issue because no one can force a TV inside your house/office.
Meanwhile leave the rest of us the option to make this trade-off
You're still missing the crux of the matter. You can't disapprove of something you don't know about.
In addition (Slightly OT, but related), there are many people who do disapprove, but have to have access to a product/service in order to do their job. The only way to protect them is regulation.
Regarding the job example -- the employer is also a human being, and if they want to get that TV they may. If you disapprove of that, you don't have to work there. Either way, best if you keep your private conversations out of the office.
True. I suppose that the people asking for more regulation (myself included in this instance) would mostly just like for those laws to actually have teeth in this sort of situation. Unfortunately, lawmakers/enforcers mostly fall in the "not knowing" category.
Also, my apologies if I came across as overly combative, that was not my intention.
> If you disapprove of that, you don't have to work there.
Unfortunately, many people do not have the option to drop a job and find a better work environment. I have some other views on this, but that would be OT for this thread.
> Either way, best if you keep your private conversations out of the office.
Definitely agree on that.
Well, it sounds like the regulation you might want is something that oDot could also live with: a requirement for full disclosure and clear labeling, but not a ban on anything.
2) Being OPT-in would not stop you from using it.
I'm very curious why you feel so strongly that SmartTV's should be allowed to send data without anyone's knowledge?
If I purchase and install an appliance, and do not connect it to a network, I have a reasonable expectation that it will not not send my personal data to the manufacturer.
It is unlikely that consumers will anticipate hidden data-gathering being performed by products. We already enforce standards to validate that products will not do things like burst into flames, or emit toxic gases. It is equally reasonable to require that products being sold to customers meet acceptable levels of protection for private data.
Additionally, you are still welcome to make that trade-off for yourself. Regulation requires that you are informed and in some cases consent to data-gathering. It does not require it to not exist.
Nobody mentioned yet what kind of regulation they are talking about.
I reckon oDot was objecting to an outright ban, but would accept a disclosure requirement.
No, but the government forces me to pay for the public TV stations and there is no way to opt out. So yes, I do want a TV in my home.
Inb4 sunk cost fallacy.
Just seems like a massive anti-pattern to me.
Initially I was a little bit worried that it might have really bad black levels/image quality, given that it's rated for 24/7 and 500cm/m² of backlight brightness and the fact they offer a "plain" TV-like model for a little bit less. I was pleasantly suprised that these fears were unfounded and you can even adjust the actual backlight (most TVs will do this dynamically and so have fun in your sunny living room...) and it has really great viewing angles (for VA. I own a 32" VA-display as well ...). I'd say picture quality is on par, if not better than most of what I could have gotten at a similar price point (remember price was reduced from €800 to €400) and compares okish to the €900€ TV of relatives (the latter has less banding (and yes, every TV in the 3-digit range has groce banding))
So: if you see a digital-signage display marked down and are shopping for a TV (without nuisances and inbuilt-tuner). Try it. It might be a really nice experience!
When my 15 year old Sony Bravia finally kicks the bucket I have my eye on a 55" 4k Iiyama commercial display to replace it. I made the mistake of buying a 2015 Sony Bravia Android TV for upstairs and it is an utterly painful experience, I don't think I've used it in nearly 8 months now.
https://www.iiyama-monitors.co.uk/products/monitors/le5540uh...
Great to hear of a model with multiple inputs (2xHDMI 2.0, 1xDVI-D/Displayport 1.2), a quick look at signage screens earlier this year only brought up ones with a single HDMI.
I found it at an auction by chance and have looked for them occasionally since. I recently got a second one for around $100.
Also
> And also would be quite interesting to understand how it works.
What do you mean how it works? If network=open, connect and start uploading.
Except an open network does not mean there's an actual internet connection. Specifically, most "open" networks, require going through a portal to gain access, and while that used to be easy to bypass, it's not so trivial anymore as network admins have gotten wind of the issues.
Is there anywhere that ships to the EU (possibly IN the EU) where I could go take a look and buy one of those DSTVS?
https://old.reddit.com/r/privacy/comments/bpr6xs/if_you_choo...
That's the root of the problem isn't it. Unrelenting pressure on margins forces these companies to look elsewhere for revenue.
That won't stop the issue mentioned here about it connecting by itself (not that I personally believe it will).
My personal router got scanned by the ISP router...
dunno what to assume with this now... :Ð
It's like trapped at every turn :D
Friendly yours.
When I bought my Sony TV I had no idea it was an Android TV until afterwards. I’ve never connected it to my WiFi and it’s never connected up updated itself. I can easily monitor everyone connected to my network.
Consumer Reports has a great article if anyone is interested.
https://www.consumerreports.org/privacy/how-to-turn-off-smar...
I control access by connecting a Samsung TV to my Ethernet network but keep it configured to use WiFi most of the time. I’ve never entered a WiFi password so the network is effectively disconnected until I configure the TV to use the wired connection.
The TV prompts me to use the wired connection when I reboot my router and the link drops and comes back up but I can cancel switching to wired at that point.
[1]: What the HEC? Security implications of HDMI Ethernet Channel and other related protocols Andy Davis, Research Director NCC Group https://research.nccgroup.com/wp-content/uploads/2020/07/44c...
https://forum.developer.samsung.com/t/if-you-choose-to-not-c...