!
30%
Posts: 3323
Joined: 2013-02-25 18:36

2013-11-20 14:49 »

Smart TV from LG phones home with user's viewing habits, USB file names.

It's not the premise of a sci-fi novel. Internet-connected TVs are watching you now. It sounds like the premise of a Philip K. Dick story, but it's not. A blogger has offered evidence that his Internet-connected television has been transmitting detailed information about his family's viewing habits, including the times and channels they watch and even the names of computer video files stored on connected USB drives.

watching-you.jpg

Cache of the original article:
LG Smart TVs logging USB filenames and viewing info to LG servers.

DoctorBeet's Blog wrote: Earlier this month I discovered that my new LG Smart TV was displaying ads on the Smart landing screen.

7KRiiPb.jpg

After some investigation, I found a rather creepy corporate video advertising their data collection practices to potential advertisers. It's quite long but a sample of their claims are as follows:

LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.

g6WzfIFh.jpg

At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

Screenshot - 181113 - 15-33-32.png

Here you can clearly see that a unique device ID is transmitted, along with the Channel name "BBC NEWS" and a unique device ID.
Here is another example of a viewing info packet.

GB.smartshare.lgtvsdp.com POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1
Host: GB.ibis.lgappstv.com
Accept: */*
X-Device-Product:NETCAST 4.0
X-Device-Platform:NC4M
X-Device-Model:HE_DTV_NC4M_AFAAABAA
X-Device-Netcast-Platform-Version:0004.0002.0000
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-ID:2yxQ5kEhf45fjUD35G+E/xdq7xxWE2ghu0j4an9kbGoNcyWaSsoLgyk8JJoMtjRrYRsVS6mHKy/Zdd6nZp+Y+gK6DVqnbQeDqr16YgacdzKU80sCKwOAi1TwIQov/SlB
X-Authentication:YMu3V1dv8m8JD0ghrsmEToxONDI= cookie:JSESSIONID=3BB87277C55EED9489B6E6B2DEA7C9FD.node_sdpibis10; Path=/
Content-Length: 460
Content-Type: application/x-www-form-urlencoded
&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2
&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287&watch_dvc_logging=0

This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers and that these filenames were ones stored on my external USB hard drive. To demonstrate this, I created a mock avi file and copied it to a USB stick.

pron.png

This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.

And sure enough, there it was...

Screenshot - 181113 - 14-04-16.png

Sometimes the names of the contents of an entire folder were posted, other times nothing was sent. I couldn't determine what rules controlled this.

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.

So what does LG have to say about this? I approached them and asked them to comment on data collection, profiling of their customers, collection of usage information and mandatory embedded advertising on products that their customers had paid for. Their response to this was as follows:

Good Morning

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom
LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am - 5pm

I haven't asked them about leaking of USB filenames due to the "deal with it" nature of the above response but I have no real expectation that their response would be any different.

So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.

ad.lgappstv.com
yumenetworks.com
smartclip.net
smartclip.com
llnwd.net
smartshare.lgtvsdp.com
ibis.lgappstv.com

This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.

fuck-off-7.jpg
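
Added example (not from the original blog post or this thread): a Python sketch that parses a captured request like the one quoted above and checks whether its Host header would be caught by the blog's domain list. The sample request is constructed from the quoted capture with a placeholder device ID, and the function names are illustrative.

```python
from urllib.parse import parse_qs

# Domain list exactly as given in the quoted blog post.
BLOCKLIST = [
    "ad.lgappstv.com", "yumenetworks.com", "smartclip.net", "smartclip.com",
    "llnwd.net", "smartshare.lgtvsdp.com", "ibis.lgappstv.com",
]

# Form fields from the capture that are worth surfacing in a report.
VIEWING_FIELDS = ("chan_name", "external_input_name", "chan_code", "watch_dvc_logging")

# Constructed sample modelled on the capture above; the device ID is a placeholder.
SAMPLE_REQUEST = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:PLACEHOLDER-DEVICE-ID==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "&chan_name=BBC TWO&device_src_idx=1&external_input_name=Antenna"
    "&chan_phy_no=&chan_phy_no=47&watch_dvc_logging=0"
)


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.strip().lower().split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # keep_blank_values: the TV sends empty and repeated keys (e.g. chan_phy_no)
    fields = parse_qs(body, keep_blank_values=True)
    return method, path, headers, fields


def audit(raw):
    """Report what a captured request discloses and whether the list stops it."""
    method, path, headers, fields = parse_request(raw)
    host = headers.get("host", "")
    return {
        "host": host,
        "blocked": is_blocked(host),
        "path": path,
        "device_id_sent": "x-device-id" in headers,
        "viewing": {k: fields[k] for k in VIEWING_FIELDS if k in fields},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

The capture's Host is `GB.ibis.lgappstv.com` while the list entry is `ibis.lgappstv.com`, so a router rule that only matches exact hostnames would let this request through; the check above matches subdomains as well.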

!

2013-11-21 21:30 »

LG smart TV snooping extends to home networks, second blogger says.

Internet-connected TVs from LG phone home with file names in shared folders.

A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company in a post that offers support for the theory that the snooping isn't isolated behavior that affects a small number of sets.

In addition to transmitting a list of shows being watched and the names of files contained on USB drives, the Internet-connected TV also sent the names of files shared on home or office networks, the blogger reported. He made the discovery after plugging the Wireshark packet-sniffing program into his home network and noticing that an LG TV (model number 42ls570, purchased in April) was transmitting file names that sounded vaguely familiar even though there was no USB drive plugged in.

"It turns out it was pulling filenames from my shared folders over the network and broadcasting those instead," he wrote in a blog post published Thursday. "I moved all the media out of the folder and put a few duds in named 'GiantPorn,' turned the TV off and on and it was still broadcasting the old filenames. The TV couldn't see those files whilst browsing manually so I'd hazard a guess it's caching some of these locally."

Mark, a Web developer who asked Ars not to publish his last name, said he also noticed that his TV sent an authorization code to LG as soon as he turned it on and a deauthorization code each time he turned it off.

"I'm not sure how unusual this practice is, but it gives LG a pretty precise measurement of when and how long you are using the TV," he wrote.

network-file-monitoring.png

lg-shutdown-ping2.jpg

tv-watching.jpg

A funny quote, hahahaa:
Mister E. Meat wrote: I guess it's time to start watching Funny Cat'); DROP TABLE LOGS;--.avi.

CharlotteTheHarlot

2013-11-22 08:53 »

That's a great report about the LG fiasco.

I mentioned this today at MSFN ... there is no good reason to connect these things via Wi-Fi, which is the first thing the installer does when they bring in a large TV you buy. If the TV is near the router just use an Ethernet cable instead to avoid having to enter the network router Wi-Fi passphrase into the TV which gives it to the TV installer guy and also the TV company who store the stuff in the cloud. By not using the air you have ultimate control over the TV networking and can just pull out the Ethernet cable at will. Another advantage is that the wire is faster and cuts down on the traffic in the air.

!

2013-11-22 09:15 »

Documents show that private firms are selling mass surveillance systems around world.

Private firms are selling spying tools and mass surveillance technologies to developing countries with promises that "off the shelf" equipment will allow them to snoop on millions of emails, text messages and phone calls, according to a cache of documents published on Monday.

The papers show how firms, including dozens from Britain, tout the capabilities at private trade fairs aimed at offering nations in Africa, Asia and the Middle East the kind of powerful capabilities that are usually associated with government agencies such as GCHQ and its US counterpart, the National Security Agency.

Some companies offer a range of spy equipment that would not look out of place in a James Bond film

Spy vans

Ordinary vans, cars and motorbikes can be customised to offer everything a spy could need. Tiny cameras and microphones are hidden in wing mirrors, headlights and even the makers' logo. Vehicles can also be fitted with the latest mass surveillance technology, allowing them to intercept, assess and store a range of digital communications from the surrounding area.

Hidden cameras

The range of objects that can hide high-quality cameras and recording equipment appears almost limitless; from a box of tissues giving a 360-degree view of the room, to a child's car seat, a brick and a key fob. Remote controls allow cameras to follow targets as they move around a room and have a powerful zoom to give high definition close-ups.

Recorders

As with cameras, recording equipment is getting more sophisticated and more ubiquitous. From cigarette lighters to pens, there are limitless ways to listen in on other people's conversations. One firm offers a special strap microphone that straps to the wearer's would be spies' back and records conversations going on directly behind them. According to the brochure: "[This] is ideal because people in a crowd think that someone with their back turned can't hear their conversation. Operatives can work much closer to their target."

Handheld 'biometric cameras'

This system, made by a UK firm, is currently being used by British forces in Afghanistan to help troops identify potential terrorists. The brochure for the Mobile Biometric Platform says: "Innocent civilian or Insurgent? Not Certain? Our systems are." It adds: "The MBP is tailored for military use and enables biometric enrolment and identification of finger, face and iris against on board watchlists in real time from live or forensic data."

Mobile phone locators

It is now possible, from a single laptop computer, to locate where a mobile phone is calling from anywhere in the world, with an accuracy of between 200 metres and a mile. This is not done by attaching probes, and it is not limited to the area where the laptop is working from. The "cross border" system means it is now theoretically possible to locate a mobile phone call from a town abroad from a laptop in London.

Fibre-optic-cables-009.jpg

!

2013-11-26 00:53 »

So look, I've got this bridge I've been trying to sell...

Why letting your insurance company monitor how you drive can be a good thing.

...car insurance firms like Progressive are trying to convince consumers that letting them monitor their driving behavior is actually a good thing.

Orly_owl.jpg

!

2013-11-28 12:29 »

Ah yeah, this is exactly what we need. More spying. Chrome can now listen to your microphone all the time!

Speak to your PC: "OK Google" command comes to desktop Chrome browser.

Google has announced a plug-in that will enable Chrome browser users on laptops and desktops to simply start speaking to their PC, and have Chrome respond


speaknow.jpg

!

2013-11-28 12:40 »

CyanogenMod is actually what I use on my phone mini PC right now. I deleted the crap Samsung put on my Galaxy S4 Mini. Battery life went from 1.5 day to 1 week! Anyway, Google... so open... and so free... makes you all fuzzy and warm inside, doesn't it?

People say it's no big deal because you can "sideload" applications but how long until that little Orwellian checkbox "Allow installation from unknown sources" gets removed? Time will tell.

If you truly did own your device, if they truly were having an open platform, that checkbox would have never even existed!


CyanogenMod installer is removed from Google Play Store.

Cyanogen, Inc. has announced through the company blog that CyanogenMod Installer has been voluntarily pulled from the Play Store after Google pointed out that the app violated the Store's Terms of Service.

...

The company has posted that Google contacted them regarding the app and indicated that it violated the Play Store's developer terms. Google asked Cyanogen to remove the app voluntarily or it would be forcibly removed if the company failed to comply.

According to Google, the app in itself is harmless as it enables functionality which is natively present in devices but insisted that it encourages the users to void their warranty which is the reason why it would not be allowed in the store.

Cyanogen mentions that the installer has been downloaded hundreds of times and that it had realistic demand from users. The company remains committed to getting their installer to users and would publish it to the Amazon Appstore and Samsung Apps in the near future. Until then users who want to install this app would have to sideload it from the company's website.


cyanogen-scr.jpg

Again, if you truly did own your device, if they truly were having an open platform, that checkbox would have never even existed!

Wallpaper3_Wallpaper_dump_s1024x768_210077_580-s580x435-251463.jpg

!

2013-11-28 16:19 »

A brave new world indeed...

Renault will remotely lock down electric cars.

For a long time, cars were a symbol of freedom and independence. No longer. In its Zoe electric car, car maker Renault apparently has the ability to remotely prevent the battery from charging. And that's more chilling than it sounds.

When you buy a Renault Zoe, the battery isn't included. Instead, you sign a rental contract for the battery with the car maker. In a Zoe owner's forum, user Franko30 reports that the contract contains a clause giving Renault the right to prevent your battery from charging at the end of the rental period. According to an article in Der Spiegel, the company may also do this when you fall behind on paying the rent for the battery.

This means that Renault has some way of remotely controlling the battery charging process. According to the Spiegel article, the Zoe (and most or all other electric cars) collect reams of data on how you use them, and send this data off to the manufacturer without your knowledge. This data tells the company where you are going, when, and how fast, where you charge the battery, and many other things besides. We already knew that Tesla was doing this with its cars since the company's very public spat with a journalist who reviewed one of their cars for the New York Times. Seeing the same thing in a mass market manufacturer like Renault makes clear just how dangerous this trend is.

This sort of thing fits well into the dystopian picture which Cory Doctorow paints in his 2011 talk "The coming war on General Computation" (which you really must watch, if you haven't already), where he argues that "we don't have cars anymore, we have computers we ride in". The question then becomes who is in control of this computer: You, the manufacturer, or someone else?

If there is a mechanism to remotely control what your car does, some will make use of this mechanism at some point. This could be the manufacturer, shutting down your car as you fall behind on the battery rent because you just lost your job, meaning that it becomes harder for you to find work. It could be the government, compelling the manufacturer to do its bidding. In his forum post, Franko30 predicts that at some point, governments may simply ask car manufacturers to block charging near controversial political events (e.g. a G8 summit), in order to prevent you from participating in demonstrations. Or it could be any random criminal out there, gaining access to this mechanism by bribing a Renault employee.

The only way out of this is to stay away from cars and other computers that you can't fully control; and to build systems that put users in charge. At the Free Software Foundation Europe, we are empowering and supporting people who build systems where you, the user, are in control.

(http://www.spiegel.de/auto/aktuell/elek ... 30066.html)

BlueSky7.jpg

!

2013-11-28 16:38 »

A cross link for those readers who only follow this one thread.

Not only does Microsoft ban accounts of people who upload Spybox Xbone videos, they also are listening to Skype and ban the Skype account as well.

Don't swear on Xbox.

271113mic.jpg

pink-floyd-the-wall-scream.jpg

Steven W
VIP
Posts: 3060
Joined: 2013-08-10 22:40

2013-11-30 00:29 »

Forgive me if this is a bit rambling. The spy car hardly shocks me (although the fact that a *huge* industry has sprung up around spying does). There's always going to be people who want to or "need" to spy on others. With that said, I couldn't possibly agree more with you about the television, that's absolutely repugnant. It's especially repugnant that no consumer protection laws are in place to require retailers and *MANUFACTURERS* to fully disclose the fact that the devices are doing such things.

With the phone, I'm not as shocked given the amount of attention such matters have garnered in the past few years, but still, where are the consumer protections? It also occurs to me that there is the "Green" aspect to all of this as well. "Green" being a big buzz-word for the corporate-tards nowadays. Seriously, how much electricity could we save if all of this spying weren't going on? As "!" pointed out:

CyanogenMod is actually what I use on my phone mini PC right now. I deleted the crap Samsung put on my Galaxy S4 Mini. Battery life went from 1.5 day to 1 week!


Well, imagine the television's electric usage, the router it's hooked up to, etc. How much quicker would "!" have to buy a new battery? No worries there about being "Green".

Then there's the societal aspect to all of this. Its acceptance is something else I find repugnant. Growing up in an era where it was considered, at minimum, impolite to go around shoving your nose up other people's asses probably has something to do with that.

Cars? Don't even get me started on what has been done to cars over the past 30 years.
