By Jeremy Hsu on September 24, 2024
Popular smart TV models made by Samsung and LG can take multiple snapshots of what you are watching every second – even when they are being used as external displays for your laptop or video game console.
Smart TV manufacturers use these frequent screenshots, as well as audio recordings, in their automatic content recognition systems, which track viewing habits in order to target people with specific advertising. But researchers showed this tracking by some of the world’s most popular smart TV brands – Samsung TVs can take screenshots every 500 milliseconds and LG TVs every 10 milliseconds – can occur when people least expect it.
“When a user connects their laptop via HDMI just to browse stuff on their laptop on a bigger screen by using the TV as a ‘dumb’ display, they are unsuspecting of their activity being screenshotted,” says Yash Vekaria at the University of California, Davis. Samsung and LG did not respond to a request for comment.
Vekaria and his colleagues connected smart TVs from Samsung and LG to their own computer server. Their server, which was equipped with software for analysing network traffic, acted as a middleman to see what visual snapshots or audio data the TVs were uploading.
They found the smart TVs did not appear to upload any screenshots or audio data when streaming from Netflix or other third-party apps, mirroring YouTube content streamed on a separate phone or laptop or when sitting idle. But the smart TVs did upload snapshots when showing broadcasts from the TV antenna or content from an HDMI-connected device.
The researchers also discovered country-specific differences when users streamed the free ad-supported TV channel provided by Samsung or LG platforms. Such user activities were uploaded when the TV was operating in the US but not in the UK.
By recording user activity even when it’s coming from connected laptops, smart TVs might capture sensitive data, says Vekaria. For example, it might record if people are browsing for baby products or other personal items.
Customers can opt out of such tracking for Samsung and LG TVs. But the process requires customers to either enable or disable between six and 11 different options in the TV settings.
“This is the sort of privacy-intrusive technology that should require people to opt into sharing their data with clear language explaining exactly what they’re agreeing to, not baked into initial setup agreements that people tend to speed through,” says Thorin Klosowski at the Electronic Frontier Foundation, a digital privacy non-profit based in California.
Actual paper here.
https://arxiv.org/html/2409.06203v1
It is not sending full screenshots as anybody technical would already have guessed. It’s a few KB over an hour, so it’s content recognition hashes.
Opt out anyway. Their study shows the opt out option does indeed opt you out of it.
So the data is still captured every 500ms. But it batches the data together and indeed only send data of around 8kb every minute back to the centralized server. But 8kb can not be full screenshots of MBs of course, so this is some kind of meta / fingerprint data. The original author (Jeremy Hsu) is misleading here with the term “screenshot every 500ms”.
the remaining scenarios exhibit consistent peak values occurring every minute, accompanied by additional smaller traffic one minute following each peak. Samsung’s official documentation (Canada, 2022a) mentions that its ACR captures the frames every 500ms, suggesting that Samsung batches the captures as well and sends the fingerprints every minute. The differences in ACR capture frequency explains the different network behavior across the two brands.
Yeah, it’ll grab a few frame, crunch them up, post back something like “ac8c986ffcb770d460151b20c1cfe628612247ac2d284c780761af3b544bfea7” to the servers and from there it likely gets binned as “not recognised” but might match a segment from Star Wars 4K77.
It sounds like the sort of thing that should be off by default (and it probably is, I haven’t bought a new one for years), but what we’ve learnt since GDPR is that if a big box comes up over what you’re trying to do and it has an “Accept” button, people will generally click it and read nothing just to get back to another riveting episode of America’s Deadliest Home Shootouts or something.
America’s Deadliest Home Shootouts
Does that come on before or after “Ow! My Balls!”?
Right after “People Falling Down And Suffering Serious Injuries: Oops! All slide Whistles Edition!”
The original author (Jeremy Hsu) is misleading here with the term “screenshot every 500ms”.
“meta tags every 500ms” might be more accurate, but the end result is the same. The device is monitoring what you consume in order to aggregate data on your household.
For example, it might record if people are browsing for baby products or other personal items.
Don’t mind baby products and dildos or whatever.
They could see bank activity and even login credentials when someone is temporarily displaying their own passwords.
This basically ignores all security measures regarding everything. Sensitive communication, company secrets and so on.
That’s fucking seriously huge. What the fuck?!
I know right!?? I connected my htpc to my Samsung tv. Omg!
Right? But we’ve been convinced the Chinese government spying on us through Huawei is a problem.
Every major tech major brands and business, even cars like BMW and now also TVs like Samsung or LG are all spying on their customers. And why isn’t this forbidden by lawn already?
They are. They just aren’t the only one.
They’re both problems.
Do not connect your Smart TVs to network people, seriously. Just a bad idea. Use a media center PC or some other device that allows you to stream content, and make sure the TV itself is just a big monitor, nothing more.
I hear but have not verified that they will connect to an open network without letting you know.
I have definitely had to forget networks, then have them connect to that network weeks later at random, then having to forget the network again. Don’t know how that’s legal.
Forgetting a network is only when your wifi is password protected. If the TV can find an open wifi access point, it could just automatically connect to the internet. “Forgetting” a network doesn’t help here…! Since there is nothing to forget (there are wifi points without password). But it should be forbidden IMO to automatically connect to these kind of access points. But even your mobile phone might do the same thing.
This!
They’re eating the dogs. 😊
Btw, is there a firmware hacking/flashing scene for smart TVs?
Unfortunately no.
The best option if you want a new tv without this stuff is buying a business display, such as here:
https://www.sharpnecdisplays.us/products/displays/m651-2
This one even comes with a Raspberry Pi compute module.
You have to specifically search display and not TV.
Yes there is, believe it or not. It just depends on the kind of TV you have.
I setup my LG to be “jailbroken” so I could have it inject a python script into a PS4 to mod that.
https://youtu.be/zYoesrUsIj8?feature=shared
Interesting stuff.
The other option is to setup a PiHole and find the telemetry they are using to send the info off and blocking that.
I would love to able to able to put a different OS that does nothing but what I actually tell it to so on my smart TV…
Buy a commercial TV. It’s a plain jane TV. I put one in as a SCADA, but it’s just a tv with no frills. When I saw what it was, I knew when I’d need to purchase a tv this would be the type I wanted.
Would be nice if we could have some technological privacy laws written in this century.
We need all the boomers in Capitol Senior Care Home to vacate first
You have it backwards. You have to EVICT them.
They already tried Jan 6 ! The old geezers won’t go.
Sceptre still sells dumb TVs’. If you are in the US, Walmart sells them. I have one and it’s pretty good. No frills.
Use a pihole people, don’t go barebacking the internet
Doesn’t help if the device has a baked in DNS address and just ignores your settings tho. Amazon and Google devices seem prone to that. After blocking everything on the common DNS ports except the PiHole, some of my devices have been acting kinda sluggish.
Easy to block that - though not with pihole exclusively.
We use another tool at our network edge to block all 53/853 traffic and redirect all port 53 traffic to our internal DNS resolver (works much like pihole).
Then we also block all DoH.
Only two devices have failed using this strategy: Chromecast - which refuses to work if it can’t access googles DNS. And Philips Hue bridges. Both lie and say “internet offline”. Every other device - even some of the questionable ones on a special VLAN for devices we trust work just fine and fall back to the router-specified DNS.
I wanted to do that as well, but I can’t redirect outgoing traffic on my router, just block it entirely. Sadly it was the only device of that series not supporting OpenWRT (sigh)… Next one will either have to support that or be a DIY project… Have been starting to self host my stuff already and I’m not planning to stop there!
That might not help…
awful ethics aside what a disgusting waste of processing power. software already barely runs
now you know why
Screenshotting every 500ms is insane.
Even a 0.30$ ch32v003 could handle this tiny amount of data. It’s not a resource limit
I was curious enough to check and with 2KB SRAM that thing doesn’t have anywhere enough memory to process a 320x200 RGB image much less 1080p or 4K.
Further you definitelly don’t want to send 2 images per-second down to a server in uncompressed format (even 1080p RGB with an encoding that loses a bit of color fidelity to just use two bytes per pixel, adds up to 4MB uncompressed per image), so its either using something with hardware compression or its using processing cycles for that.
My expectation is that it’s not the snapshoting itself that would eat CPU cycles, it’s the compression.
That said, I think you make a good point, just with the wrong example - I would’ve gone with: a thing capable of handling video decoding at 50 fps - i.e. one frame per 20ms - (even if it’s actually using hardware video decoding) can probably handle compressing and sending over the network two frames per second, though performance might suffer if they’re using a chip without hardware compression support and are using complex compression methods like JPEG instead of something simpler like LZW or similar.
TVs I’ve come across are such displeasure to use, it’s incredible
You hear that? It’s a whisper… It’s a multinational multibillion dollar class action lawsuit coming after Samsung and LG. WTF!
The divide between the tech savvy and the tech illiterate grows deeper.
And wider?
These are criminal violations of the Computer Fraud and Abuse Act. Jail the motherfucking felon CEOs!
But the supreme court ruled to save the conviction for the election.
Worse than that, they
havegave free speech to corporations, and now that includes doing nearly anything involving communication or spending money.I’ll believe corporations are people the moment Texas executes ones.
On politics itself no less.
So LG and Samsung likely have tons of illegal (copyright) content on their servers then? Ownership is 9/10ths of the law so they say. That’s gotta be exabytes
Most likely yes… And other privacy sensitive information like banking details, passwords and more.
LG by now will have several weeks of footage of me scrolling through streaming services and failing to find anything to watch.
Diagnosis: ADHD. Display ads for stimulants.
Not sure how ads for medications are legal anywhere.
Probably won’t happen as I’m not in the US, however if it does start to show ads it will be very quickly disconnected from the internet and relegated to being solely a display for the PS5. It’s not far off that anyway.
prediction if this becomes widespread: soon they will have their own wireless internet connection just so they wont have to rely on your network to spy on you lel😎
You joke but that’s literally what they did with the cars. I remember when that was an upsell, now you getting that modem you asked for it or not and it will ping the merchant when it detects that you are fucking your mistress in the back seat.
Welcome to to today’s America peasants
The question now is, even if I don’t connect the TV to Internet, what TV brand should I buy? Currently I have LG, but no way I’m supporting that even without Internet connection.
Well thing is, they all track you to some point.
Specs wise, LG still makes some of the best TVs. You want 4k 120Hz, they’ve got you. But if you feel morally unable to support a company that has opt-out tracking like this, you’re a bit more limited. I thought maybe Sony’s better, but nope. There’s instructions on how to disable ACR on their TVs too. Philips comes with Roku or Google TV, both of which snoop on you, but I don’t know if they do the automatic content recognition thing.
Dumb TVs exist, but good luck finding one with a decent resolution AND price.
Yeah. I really like LG products. Will see what happens when my current TV stops working.
Many video projectors don’t. My Epson doesn’t.
that name invokes the old horror that is printers
I can top it - my first desktop PC was an Epson. Come to think of it, my first printer was an Epson dot matrix. Loud as fuck but it was a good little workhorse.
Bought an EH-TW7000 4K PRO-UHD Projector a couple years back for less than 1 kEUR. Was about the best value then, haven’t looked recently.
Epsons were pretty chill printers. You could buy just the print head and you could use your own ink refills
Yeah I get that. But I don’t want to use projector.
hopfully they dont communicate locally with other lg or partnered devices
now or in the future
Fortunately these TVs are not yet sophisticated enough to communicate to the internet without your permission like Apple devices do now.
Like amazon ring devices? I think it’s called Sidewalk .
So I guess they learned nothing from the last class action lawsuit https://topclassactions.com/lawsuit-settlements/lawsuit-news/lg-samsung-sony-class-action-alleges-smart-tv-privacy-violations/. Also reminded me of this past gem from LG: https://arstechnica.com/information-technology/2013/11/lg-smart-tv-snooping-extends-to-home-networks-second-blogger-says/.