Blog: How Tos

Is your Samsung TV listening to you?

David Lodge 16 Feb 2015

samsung-listening-tv

You may have heard about the recent stuff about whether your Samsung TV is listening to you whilst you watch it.

If you haven’t here’s a quick synopsis:

 

  1. Modern Samsung Smart TVs have a voice command facility
  2. The voice command facility is enabled by saying a command phrase (the default is “Hi TV”)
  3. The terms and conditions state that voice data may be shipped to a third party at any point

This presents a bit of a privacy concern – can Samsung listen in on you whilst you’re sat on the sofa watching TV? The easiest way is to intercept some traffic from a TV and see what it’s trying to do.

I don’t have a Samsung smart TV for several reasons, aside from the fact I don’t actually watch TV, to the logical disjunct about trying to control something that makes audio by audio. So I had to borrow one. Turns out my colleague Ken had one, though he had never actually got round to setting up voice control nor even configured the IP connection. Partly because he lives in a silly place where the bandwidth is so poor that streaming is impossible.

Due the usual pressure of time (i.e. doing the day job and that said colleague wanted his telly back) I ended up with half an hour of shouting incoherently at a TV in the vague hope that it would understand my flat northern vowels.

To intercept the traffic I used a cheap and nasty TP-Link switch which had the capability to mirror the traffic from one port to another (more on this in another post). This allowed me to transparently intercept the traffic. From there I could record its handshake as it joins the network and attempt to make a few voice requests in several different ways.

This was all recorded in Wireshark and saved as a PCAP for later analysis.

So. Does it listen to you?

The answer, I can say in my brief period of messing around is, not unless you ask it to.

This doesn’t mean it can’t and doesn’t mean that it won’t on the next firmware update, just at the moment it only listens to audio when you say “Hi TV” (which you have to shout multiple times if you happen to have a northern accent).

Does it send your audio to a third party?

Yes it does, sometimes. When you say “Hi TV” it will listen for some simple things, such as volume up and volume down, that it does on TV, anything more complex, such as a web search it will pass to a third party, in the case I monitored, nuancemobility.net.

I tried to get the TV to search for the word “Samsung” (and everything else I thought of can’t be published in a family friendly blog). Immediately after this, this traffic was produced:

  1. A DNS request for av.nvc.enGB.nuancemobility.net
  2. A conversation over 443/tcp to av.nvc.enGB.nuancemobility.net

443/tcp? That’s familiar, that normally signifies HTTPS – i.e. HTTP over SSL. My first thought when I saw this was “bugger, it’s going to be harder than I thought” as it is possible to intercept and view the contents of HTTPS traffic, but you need to set up the environment and hope that the client doesn’t check certificates.

Then I had a look at the contents of the stream, which surprised me, let me just do a screenshot:

samsung1

(Red is TV -> server; Blue is server -> TV)

What we see here is not SSL encrypted data. It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.

The sneaky swines; they’re using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don’t understand why they don’t encapsulate it in HTTP(S) though.

Anyway, what we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use. After the word buffer_id is a load of binary data, which looks audio-ish, although I haven’t delved further into it yet.

Then, right at the bottom, we have the results:

samsung2

You can make out that it thinks I’ve said either Samsung, Samson or Samsong.

Although, out of interest, you can see an RFC1918 internal IP address with a port number: 172.16.36.143:4500. This isn’t the IP address assigned to the TV. Is the protocol leaking Nuance’s internal network details?

Plenty more to work to be done here yet. The potential for a rogue firmware update enabling ‘snooping’ is significant, though I’m sure Samsung sign their updates…

Based on the limited information leaked above in plaintext, there’s plenty to suggest that interesting data is making its way on to the interwebs from your TV. Come on Samsung, how about at least protecting it with SSL?