69 comments

[ 5.3 ms ] story [ 139 ms ] thread
I always hardware disable the microphone that comes with such devices
So what do you do with your phone, ipad, laptop, etc? Clip all the microphones? That's a serious question I think these are all concerns.

For the Smart TV, How do you hardware disable the smart TV microphone? I'm searching online but don't see directions yet. Can you do it without opening the TV outer case?

Here's an article on how to block it using your router but I don't think this would defeat malware. http://www.tomshardware.com/news/lg-smart-tv-hdtv-doctorbeet...

Interested to hear ideas & opinions from HN.

Occasionally, I sniff my network. Usually when I wonder why my network light is blinking like mad on my modem despite there being no computers on. Or, so I thought, as it has always turned out to be something innocent. But I've got my blog all warmed up and ready for when it turns out not to be!

If something in my house was continuously transmitting a stream of audio, I'd notice. Very, very eventually, but I would notice. There's enough of us out there that this sort of thing is harder to sneak by than you might first guess. Home networks are easy to sniff because they're so empty, whereas my work network is a constant stream of mDNS, DHCP, and all sorts of other broadcast traffic to step through before I can see anything interesting.

(Also, yes, I'm eliding details like wired vs. wireless sniffing, etc. And I'm not talking about the router, though evidence online suggests there's a set of people periodically sniffing the router<->internet, too. And yes, clever clogs could try to time things to when people may not be looking, etc. The point is that the traffic is not as unwatched as you may think, not that the watchers are perfect.)

Isn't one of OpenDNS main features watching your network to find suspicious activity. If your network is asking openDNS to resolve DNS of black listed servers or something it could throw up a red flag.

Apart from OpenDNS I'm guessing companies like ESET (Antivirus) will monitor network activity and look for streaming audio and trigger something? Or maybe that's a more tailored alert.

OpenDNS does not have a great record (do they still modify NXDOMAIN responses?) - are you sure you want to send them information about everything you're connecting to?
This is just untrue. Even when we modified NXD responses, we were always open about it and let people control their experience.

We are probably the fastest growing (revenue) security company in the market today, and our good reputation is a big part of it. I say fastest growing for at least companies north of $10m ARR. It's easy to be doing 1000% growth < $10m ARR. :-)

-David

What if your TV provider is also your Internet provider (and also provides your modem)? Wondering if they could disguise or obscure this traffic if they control the network.
That's part of what I was trying to sweep under the rug, because there's a ton of details and caveats. In particular, while I'm sure it's possible, I personally do not have the hardware to intercept between the cable modem and its network.

However, for the smart TV, broadly speaking, they can disguise what the traffic is, but they are not capable of disguising that there is traffic, and without engaging in outright deception can't disguise where the traffic is going. (I mean that caveat about outright deception... it is theoretically feasible, of course.) (If the TV is wired-only, I'd have to insert my computer between the TV and the router. This is a few minutes with Linux routing commands. If it's wireless I just sniff the wireless.)

And many of the cases we are talking about are cases where the mere presence of traffic, or traffic in a certain shape ("a continuous 4kilobit stream" -> audio stream), is intrinsically suspicious. Netflix pouring megabytes into my console when I ask for a movie is not surprising; constant leaks coming out of my cell phone when I'm not actively using it would be, whereas occasional bursts to Google Play servers or my corporate email server wouldn't be. The topic of "metadata" is one that comes up a lot in these discussions, and here's an example of where that can play in our advantage for once... you can tell a lot just by looking at a stream's basic characteristics, no matter how encrypted the internals may be.

> So what do you do with your phone, ipad, laptop, etc? Clip all the microphones?

You use software that you trust.

Yes, that restricts options severely... I mostly use software whose source is public and anything closed is handled as suspicious (for example, Cyanogenmod's Privacy Guard comes handy to fence applications in - but something as basic as looking at networks traffic is a good basic check).

It's all fine until it's firmware that is spying on you. Or baseband chip.
(comment deleted)
In other words, you void the warranty?
Doesn't Chrome do this on desktops for "OK Google", I know Android does with Nexus Devices.

I've turned it off for everything aside from my Xbox One which I find myself trusting for some reason.

Don't you have to click something before saying "Ok Google"?
That's a config option. Regardless, the recognition is done locally.
I have the impression that this may be a regional thing.

Apparently it's an option in the US (but not the default?).

Considering it wasn't even available in Germany for quite a while, I wouldn't be surprised if there are legal requirements surrounding this feature.

I think that the difference is that "OK Google" is discerned locally, and only then is audio uploaded for remote processing.
Something to remember about that - the last few seconds of audio before you say "OK Google" are also uploaded. The extra data helps filter out background noise etc. and it's something you might want to keep in mind.
Looks like Samsung TVs too have a trigger word that can be changed, (and the whole voice recognition can be turned off) see settings:

http://youtu.be/arsAs9pGrBk?t=52s

I don't know for sure that the tigger word is processed locally on SmartTVs too, but it's likely because Samsung said: 'voice data is provided to a third party during a requested voice command search', so you have to request it's happening probably with the trigger word. And technically it would not make too much sense to constantly stream audio from every SmartTV because the trigger word recognition is a simple enough task to do it locally and also the continuous stream would consume lot of bandwidth for the users and probably for the servers too.

But it's still very concerning that we have more and more devices with microphones and internet connections and in the case of SmartTVs proprietary OS with questionable security.

I always wondered this about Xbox one, how much of the processing is done locally? Given that it relies on a beefy dedicated device (Kinect) for audio/visual processing, has it got to a point where it doesn't need a central server?

The funny thing is that ever since Xbox one I have gotten so used to voice commands for playing/pausing/muting videos that I ended up building one on raspberry pi to control the tv, lights and other devices.

Part of me really wishes someone would hack their sound-recognition servers and start streaming all incoming voice data to a website. Voice of People, a broadcast everyone could tune in to, and listen to everyone else.
No need to hack the servers. Just intercept the traffic at your local router/firewall.
He wants to publish the recordings of everyone.
Sounds like a YC2018 class start-up.
When I was 6 I was certain that this was already happening, and that if I just yelled loud enough my friends could hear me over the rest of the laugh track on my favorite shows.
Now here's a startup idea if I ever saw one - crowd sourced canned laughter :D.
Don't be surprised if you're also get recorded through web cam on your tv :)
I didn't realise that Siri does it too: http://appleinsider.com/articles/14/09/17/how-to-enable-and-...

I think it's really poor reporting (but not unsurprising) that the BBC hasn't mentioned other devices that have similar issues.

After 1984 "TVs that listen back" have certain unique flavour
'Hey Siri' is vanilla voice recognition processed locally on the device, so not the same thing at all.
> processed locally on the device, so not the same thing at all.

Same situation with 'Ok, Google'.

Initially, the 'Ok, Google' phrase was limited to certain phones that had the audio processing chip in them. I don't know if this is still the case.

> had the audio processing chip in them

I doubt that was ever actually true. It was probably a kind of shorthand to explain to users that some processors had the right kind of power management to enable efficient always-on speech recognition.

And, another thing, local speech processing doesn't mean you are safe from recording or from large-vocabulary transcription. Compared to what 1980s speech processing runs on, even when throttled-down to conserve batteries, you've got ample processing power in modern smartphones.

I haven't had an iPhone for a long time but the last time I used Siri all the functionality required a data connection.
(comment deleted)
This seems like a good opportunity for locally processed speech to text (and therefore commands, etc) to push itself. I used Dragon Naturally speaking for quite some time for writing papers, and loved it, but I am constantly on the lookout to replace anything proprietary I use with a GPL/MIT licensed alternative.

Any suggestions?

Nuance (the company that now owns Dragon) has a huge patent portfolio for speech recognition. No commercial products will be able to ship with F/LOSS speech recognition because of this. It also makes using the GPL not possible

It is possible that someone will make an MIT licensed version (and could do so legally in some countries that aren't the US), but it would be technically illegal to distribute in the US.

Oh, so that's why we don't have local speech recognition and everything is going to the cloud? Damn it, patents.
If you want to be even more pissed off, read the Nuance wikipedia page and see how they essentially bought-out every single potential competitor.
Late stage capitalism at its finest. Cut-throat competition becomes oligopoly becomes monopoly. John D. Rockefeller figured this out about 150 years ago.

You can always buy NUAN stock. I'm serious, this isn't hyperbole or sarcasm. I won't buy a "merchant of death" like Philip Morris, but I'm going to check out Nuance. If they really have become a monopoly, perhaps there's some money to be made by investing in them.

Yes I know it sucks, and in an ideal world you have every right to be "pissed off". But in the real world, you'll do better to remember the slogan: "if you can't beat 'em, join 'em".

I personally am much "more pissed off" at how companies like Comcast, who are "natural monopolies", have been extracting ever larger "monopoly rent" from everyone. They should be much more tightly regulated than they are.

PocketSphinx/CmuSphinx [1] is your best bet. I have combined it with raspberry pi to voice control my TV, Xbox360 and the lights.

Its not very accurate, but if you limit it to a small set of keywords, you are going to be fine.

[1] http://cmusphinx.sourceforge.net/

I saw this blow up on twitter over the weekend, but I don't understand how this is different then what Siri does (my understanding is that it gets sent to Apple's servers for processing your speech)... at least Samsung is being up-front about it.
You activate Siri. These TVs listen constantly feeding your voice data back to Samsung's servers at will.
Ah, that makes sense. Thanks! (I guess I got downvoted because people thought I was trolling? Fwiw it was a genuine question).
Why would this be limited to only TV's and not every Samsung product if they company is employing something as stupid as this.
Shock & Awe!

You'd think the fact that a smartphone stays in your pocket would be more alarming. The things have multiple cameras, microphones, GPS tracking devices, and a whole myriad of personal information stored on them.

They're even rectangular screens!

Someone needs to write an article that refers to smartphones in the context of "telescreens" and describe what they do matter-of-factly so we can snap out of it...

This is why I do absolutely nothing on a new phone until it's been unlocked, rooted, wiped and Cyanogenmod-ed.
Those steps might make you feel better but buy you very little in terms of privacy. Your telecoms provider will still know roughly where you are at all times, they have to, it's how their switches know which towers to route your traffic to and from.

Unless you tunnel all your data traffic they'll also get copies of that and may sell pseudo-anonymous website usage statistics to one of the web metrics businesses. In some countries they also intercept and modify web content that you might view.

And what can you do about the baseband radio processor and its code? Nothing. Assuming you have a tunnel in operation, the phone could still be collecting and quietly sharing metadata and you'd never know.

Well you're right that it's not a silver bullet, but it does have some benefit. At least I know no software running within or on top of the OS is reading/stealing my info.
"Well sure, my OS might have a rootkit, but I've replaced Internet Explorer with Chrome, so my online banking should be secure!"

The baseband has its own processor and, to my understanding, pretty much complete hardware control of the phone.

I don't deny that that the benefit is non-zero, but I think saying "it's not a silver bullet" is still overselling it. I think it would be more accurate to describe it as "It's all I can do, and it's better than nothing."

I'm aware of the sarcasm, but this is actually not mere hyperbole.

Imagine every American being in the vicinity of a remote-controllable intercept device with a microphone, camera and GPS tracker 24 hours each day.

But don't worry, you have nothing to hide, right? Can't let the terrorists win.

Actually I wasn't being sarcastic -- our smartphones really are more insidious than Telescreens, from a technical standpoint.
Those claiming similar foul play by Apple are probably wrong.

I just checked and "hey Siri" is recognised offline.

Yakov Smirnoff approves wholeheartedly.
Well, I'm not sure what the problem is. They're open about it, and no one is forcing anyone to enable voice recognition if one doesn't need/want it, or doesn't like what happens with the recording.

I'm not saying there's nothing wrong with the trend of personal and home devices becoming surveillance machines, there's a lot wrong, but Samsung in this case is an example of how you do it properly if you have to do it (it's a feature that apparently has to work the way it works).

> [Samsung added] that it took consumer privacy "very seriously".

No taking it very seriously would mean refusing to implement this feature unless you can do it without sending audio recorded in the room over the Net.

I don't think it would be hard at all for NSA/GHCQ to tap into a feed like this, Samsung/3rd party willing or not.