Millions of smart TVs sitting in family living rooms are vulnerable to hackers taking control — and could be tracking the household's personal viewing habits much more closely than their owners realize, according to a new Consumer Reports investigation.
The non-profit consumer product testing organization examined five of the top smart TVs on the market and found that in several of them, "a relatively unsophisticated hacker" could conduct remote hijinks like cranking the volume to a roar, knocking the TV off the Wi-Fi network, quickly changing channels or forcing it to play objectionable YouTube content.
The vulnerability was found in sets by Samsung, TCL, and devices using the Roku TV platform, which can include brands like Philips, RCA, Hisense, Hitachi, Insignia, and Sharp, along with some of Roku's own streaming players.
Testing found the televisions were also constantly tracking what their owners were watching and relaying it back to the TV maker and/or its business partners, using a technology called ACR, or "automated content recognition."
ACR helps the TV recommend other shows you might enjoy watching, but can also be used to target your families with advertising. The data can also be combined with other aspects of your personal information to help build profiles on your behavior that are sold to other marketers.
"For years, consumers have had their behavior tracked when they’re online or using their smartphones," Justin Brookman, director of privacy and technology at Consumers Union, the advocacy arm of Consumer Reports, told the magazine. "But I don’t think a lot of people expect their television to be watching what they do."
The smart TVs typically ask for users' permission during initial setup to collect their viewing data, while also warning they may miss out on some functionality, like being told if they watch one show they may also enjoy another, if they decline. Unaware or impatient consumers may breeze through the setup without reading or understanding what they're agreeing to.
"Our Smart TVs include a number of features that combine data security with the best possible user experience," a Samsung spokesperson told NBC News in an emailed statement. "Before collecting any information from consumers, we always ask for their consent, and we make every effort to ensure that data is handled with the utmost care."
In a statement on their blog, Roku said that Consumer Reports's story was "a mischaracterization of a feature" and "there is no security risk."
The company said users could turn off the remote control function by navigating to "settings," then "system," then "advanced system settings," then switching "external control" to "disabled."
"We take the security of our platform and the privacy of our users very seriously," said Gary Ellison, a vice-president at Roku, in the statement.
A TCL spokesperson said "customer’s privacy and security are always a top priority" and deferred to the Roku statement.
Consumer Reports recommends that smart TV owners who want to protect their privacy should check their manuals on how to revert their TV to factory settings and set them up again, paying careful attention to decline to have their viewing data collected.
Users can also disable the ACR feature, but may have to dig through several screens first.
Maybe 80s pop star Rockwell was onto something. With the amount of data being gathered and sold about you, somebody is always watching you.