Monday, 18 November 2013

LG Smart TVs logging USB filenames and viewing info to LG servers

Earlier this month I discovered that my new LG Smart TV was displaying ads on the Smart landing screen.


After some investigation, I found a rather creepy corporate video (since removed, mirror here) advertising their data collection practices to potential advertisers. It's quite long but a sample of their claims are as follows:
LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness.
In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default.  This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.


At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be sent regardless of whether this option is set to On or Off.


Here you can clearly see that the channel name "BBC NEWS" is transmitted, along with a unique device ID.
Here is another example of a viewing info packet.
GB.smartshare.lgtvsdp.com POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1
Host: GB.ibis.lgappstv.com
Accept: */*
X-Device-Product:NETCAST 4.0
X-Device-Platform:NC4M
X-Device-Model:HE_DTV_NC4M_AFAAABAA
X-Device-Netcast-Platform-Version:0004.0002.0000
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-ID:2yxQ5kEhf45fjUD35G+E/xdq7xxWE2ghu0j4an9kbGoNcyWaSsoLgyk8JJoMtjRrYRsVS6mHKy/Zdd6nZp+Y+gK6DVqnbQeDqr16YgacdzKU80sCKwOAi1TwIQov/SlB
X-Authentication:YMu3V1dv8m8JD0ghrsmEToxONDI= cookie:JSESSIONID=3BB87277C55EED9489B6E6B2DEA7C9FD.node_sdpibis10; Path=/
Content-Length: 460
Content-Type: application/x-www-form-urlencoded
&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2
&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287&watch_dvc_logging=0
This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point that I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers, and that these filenames were ones stored on my external USB hard drive. To demonstrate this, I created a mock avi file and copied it to a USB stick.


This file didn't really contain "midget porn" at all; I renamed it to make sure it had a unique filename that I could spot easily in the data, and one that was unlikely to come from a broadcast source.

And sure enough, there it was...


Sometimes the names of the contents of an entire folder were posted; other times nothing was sent. I couldn't determine what rules controlled this.

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist; you can see this from the HTTP 404 in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.

So what does LG have to say about this?  I approached them and asked them to comment on data collection, profiling of their customers, collection of usage information and mandatory embedded advertising on products that their customers had paid for.  Their response to this was as follows:
Good Morning

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer.  We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom
LG Electronics UK Helpdesk
Tel: [premium rate number removed]
Fax: 01480 274 000
Email: cic.uk@lge.com
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am - 5pm
I haven't asked them about the leaking of USB filenames, given the "deal with it" nature of the above response, but I have no real expectation that their response would be any different.

So how can we prevent this from happening? I haven't read the T&Cs, but one thing I am sure about is that I own my router and have absolute jurisdiction over any traffic that I allow to pass. So I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers, have actually paid for.
  • ad.lgappstv.com
  • yumenetworks.com
  • smartclip.net
  • smartclip.com
  • llnwd.net
  • smartshare.lgtvsdp.com
  • ibis.lgappstv.com
This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.
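As an added example (not code from the original post or from LG), the following Python parses a watchInformation POST like the capture above, reports the fields that identify the set and what it is showing, and checks which request hosts the domain list above would stop. The sample request is constructed from the capture in the post with a placeholder device ID and a shortened body; the blocklist leaves out llnwd.net as per the update note, and the dnsmasq rule format is an assumption about the reader's router.

```python
"""Parse an LG NetCast watchInformation POST and check it against a domain blocklist.

Added example for this post; not LG's code and not part of the original article.
"""
from urllib.parse import parse_qs

# Constructed sample request, based on the capture quoted in the post. The
# capture-tool host prefix is dropped from the request line, X-Device-ID is
# a placeholder, and the body is shortened; the field names are the ones the
# TV actually sends.
SAMPLE_REQUEST = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "Accept: */*\r\n"
    "X-Device-Product:NETCAST 4.0\r\n"
    "X-Device-Platform:NC4M\r\n"
    "X-Device-Model:HE_DTV_NC4M_AFAAABAA\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:DEVICE-ID-PLACEHOLDER\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2"
    "&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398"
    "&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235"
    "&external_input_name=Antenna&chan_phy_no=&chan_src_idx=1"
    "&chan_phy_no=47&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170"
    "&dvb_chan_svc_id=4287&watch_dvc_logging=0"
)

# Domains from the post's list; llnwd.net is left out, as the update note
# says (it is a general-purpose CDN).
BLOCKLIST = (
    "ad.lgappstv.com",
    "yumenetworks.com",
    "smartclip.net",
    "smartclip.com",
    "smartshare.lgtvsdp.com",
    "ibis.lgappstv.com",
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        # The TV mixes "Name: value" and "Name:value"; partition handles both.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values keeps empty fields such as chan_phy_no= visible, and
    # repeated fields (the TV repeats several) come back as lists.
    form = parse_qs(body.lstrip("&"), keep_blank_values=True)
    return {"method": method, "path": path, "headers": headers, "form": form}


def first(form, key):
    """First value of a (possibly repeated) form field, or '' if absent."""
    return form.get(key, [""])[0]


def privacy_report(req):
    """Pull out what the request reveals about the set and what it is showing."""
    form = req["form"]
    dvb_keys = ("dvb_chan_nw_id", "dvb_chan_transf_id", "dvb_chan_svc_id")
    return {
        "host": req["headers"].get("host", ""),
        "device_id": req["headers"].get("x-device-id", ""),
        "channel": first(form, "chan_name"),
        "source": first(form, "external_input_name"),
        # DVB network / transport stream / service id triple pins the channel.
        "dvb_service": tuple(first(form, k) for k in dvb_keys),
        # Per the author's comments, the on-screen opt-out only flips this
        # flag; the POST itself is still sent.
        "opt_out_flag": first(form, "watch_dvc_logging"),
        "identifies_viewer_and_channel": (
            bool(first(form, "chan_name")) and "x-device-id" in req["headers"]
        ),
    }


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host is a listed domain or a subdomain of one (e.g. GB.ibis.lgappstv.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def dnsmasq_rules(blocklist=BLOCKLIST):
    """dnsmasq sinkhole lines; address=/domain/ covers the domain and its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in blocklist]


if __name__ == "__main__":
    report = privacy_report(parse_request(SAMPLE_REQUEST))
    for key, value in report.items():
        print(f"{key:32} {value}")
    print("host blocked by router list:", is_blocked(report["host"]))
    print("\n".join(dnsmasq_rules()))
```

Note that the matcher works on domain suffixes, so the country-prefixed hosts the TV actually contacts are caught by the shorter entries in the list, while the parent lgappstv.com itself is not.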

(Update: removed llnwd domain, see comments)

(Update: 14 Dec 2013 - Changed Imgur images to Blogger to reduce dependencies. Minor formatting, Added mirror of linked Video)

219 comments:

  1. Since you are in the UK, it may be worth forwarding this to the Information Commissioners Office: http://www.ico.org.uk/ and pointing out to LG that you have done so... It would be interesting to see how that might affect their next response.

    If their data collection collects any personally identifiable information, they are subject to the UK Data Protection Act. That potentially means you can serve them with a Subject Access Request: http://www.ico.org.uk/for_the_public/personal_information

    Since it seems they are aiming to be able to track you, it would be interesting to send them one anyway and see what they respond - they can charge you up to 10 pounds to process it, and there are legally mandated response times. Including a full copy of one of the requests should be sufficient to authenticate you and provide them the information they'd need to check their logs...

    They would also be subject to the Data Protection Act for things like retention and providing ability for you to have any records they might hold purged.

    You may also want to draw LG (and the ICO)'s attention to the fact the request appears to include cookie information, and to the infamous "cookie law"...

    Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs - collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.

    1. This was very helpful. I wasn't aware of the 404 practice. Good to know.

    2. It's easy enough to generate a 'fake' 404 page, complete with proper header which still stores data into a database, for example I have a system running on http://img.overbythere.co.uk/ but I don't want people to see it, so I generate the 404 you see there.

    3. I can back up the 404 logging practice, as we use it for error collection from client apps at the large online site I work for.

    4. Hmm, per The Register, LG said they'll be issuing new firmware to remove that nonsense "soon".
      Well, the file scanning nonsense. And they also claim that turning off the "what you're watching" "feature" will actually turn it off with the patch.

    5. Thanks for your notifications and good to know it. That's why I hesitate to choose theirs. I definitely wouldn't buy them at any price.

  2. I would not block llnwd.net as that is actually a CDN operated by Limelight Networks. They use llnwd.net for a lot of content delivery.

    1. I was going to mention the same. Blocking llnwd.net would block access to a lot of video content that goes via the Limelight CDN.

  3. Two questions arise from this:

    1/ Surely, it doesn't matter what is in their T&Cs if the option to switch data collection off doesn't work, then that's a serious matter and needs to be investigated by LG?

    2/ Are other Smart TV manufacturers doing the same thing, and not been found out yet?

    1. I expect the "Tom" character in the email response from LG is a lowly figure in the food chain (equivalent to Call Centre staff). To pursue this, one would need to go considerably higher.

    2. "Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

      The advice we have been given is that unfortunately..."

      How much higher can you go than the head office?

      I understand it may not have been escalated properly by Tom or someone at the head office but Tom went out of his way to give the impression it couldn't go any higher and you would have to "live with it".

    3. Their global corporate office in South Korea.

      You've gotten to the UK head office. The South Korean head office might not want bad press about televisions spying on customers.

  4. Hello, could you help me to carry out the same checks with telefizor of Samsung?

    1. It's as simple as getting an old hub, putting your TV and a computer on the same hub, connecting hub to your router, and installing wireshark on your computer. It needs to be a hub and not a switch for accurate capture of packets.

    2. Not all hubs support man in the middle sniffing. Best consult the wireshark wiki for the best way to set this up. Building yourself a tap is the best way.

    3. A Switch that supports Port mirroring would also work if you have one available.

      The Feature seems to be in a lot of these "Smart" or "Semi-Managed" switches.

    4. You can use an old router with OpenWRT installed to handle the packet forwarding.

    5. @Jeff, yes they do. Hubs are OSI Layer 2 devices, and they broadcast all packets to all other ports. Anything that doesn't do this is not a hub.

    6. Actually, more specifically... network hubs are dumb traffic devices that operate at Layer 1 (Physical Layer) to do this. While only the intended target *should* respond, the data is sent to all connected ports to find the correct destination. Switches are more intelligent traffic management and operate at Layer 2 (Data Link), and port destinations are identified by the actual destination's MAC address. There are various methods as to how a switch can handle this, but ultimately in a Layer 2 switch the traffic is sent to the specific port where the registered MAC is, rather than broadcast to all ports as is done in a hub.

    7. Hello Jeff, it's not really "man in the middle" but a promiscuous sniff of traffic in the same broadcast domain. The hub blasts to all ports, and well mannered NICs are supposed to mind their own business.
      So it's really a man on the side rather than in the middle. I have not seen a hub used for a while now, and the only ones I have in the shed are all 10BaseT, and decidedly not for HD, but OK for this kind of forensic work.

    8. Sniffing communication between 2 endpoints (TV<-->LG => TV<->YOU<->LG) is a Man In the Middle by definition, regardless of domains or whatever. The only "man on the other side" is LG. :)
      http://mathcs.slu.edu/~chambers/spring11/security/assignments/lab04.html#reading

    9. Not quite Rick.

      A man in the middle setup requires the traffic to pass through the middle-man and on to the end. A hub floods traffic out all ports (pedantically, that's not actually a broadcast). The listener doesn't then relay the traffic to the other side. A hub is NOT man-in-the-middle, it's more man-on-the-side. Nothing goes from the listener to the other end-point as it does with a router.

  5. The 404 response from the server is meaningless. It could be saving the submitted data regardless.

    1. Could be? Is.

      LG's http server, regardless of type, maintains logs of all requests made of it, which include (amongst other things) the user-agent (what browser), the timestamp, and the contents of the request.

      Their sysadmin for their webserver merely has to run the logs through a filter to look for all 404-spawning POST requests with the user-agent corresponding to their TVs. This will give him a complete archive of timestamped information suitable for processing for analytics or whatever other purposes they wish.

      The fact that this is sent in the clear is also worrisome; anyone capable of intercepting your network traffic now knows you have an LG TV on it, and can (trivially) determine if you are home watching TV, or (some difficulty) research whatever current exploits that kind of TV is vulnerable to.

      And yet people ask why a sysadmin like me has a 'dumb' TV and goes through the 'trouble' of hooking up separate boxes to it to watch things...

    2. It doesn't matter what their logs are doing. Anyone can configure a web server to process a request and send a 404 as a response. They could send a 500 response, even a 403. It can still be processed by any type of service they have running. At the very least it's true that they are logging that information in their default configuration, but I bet there's more at play here.

    3. I keep my TV dumb as well, with separate boxes attached, but I have no illusions about those separate boxes as well. Game consoles, set top boxes and media players might also scour your network and call home.

    4. header('HTTP/1.0 404 Not Found');
      //Do something with the data submitted held in $_POST["query"];

    5. POST data is typically not saved in web server access logs, at least partially because the data can contain a *large* amount of anything, including line breaks which could royally screw up flat file logs. (I don't know that it's even possible to tell Apache to log POST data without modifying the server code.)

      Access logs typically include: IP, timestamp, method (POST/GET/etc.), path with query string ("/rest/.../search.xml?" in this case), response code (200/404/etc.), response size, and user agent (misspelled "Mozila/4.0" in this case). It is definitely possible that their access logs are set to record those extra X-* headers, though.

  6. This comment has been removed by the author.

  7. I concur with Grant. If you get back a 404 there is a server at the other end.
    That server may be faking a 404 and log what you sent them so they know of your midget porn! ;)

  8. ICO is the correct people to follow this up with. Regarding the T&C's line LG are going with, it appears it could be an unfair condition (especially if not pointed out in layman's terms during activation) and the OFT may be interested.

  9. It would be interesting to know what the retailer has to say. Would they be happy that LG is spying on us and blaming them for it?

  10. Yeh that's kinda creepy. I'll need to check out my Vizio smart set for the same type of shenanigans.

  11. Note the different URI than the one where watching habits are posted to; note the "smartshare" in there. LG TVs sport a "Smart Share" feature, so isn't this related to the LG Cloud feature and isn't it just looking for the file in your own "private" cloud?

    (That it does this in clear text is of course ridiculous!)

  12. Well, an LG Smart TV was going to be my next TV but now I'll be looking elsewhere, cheeky £@$7@&*$

  13. Code 200 would be a valid response for the peer initiating the POST request, however, they can send back any response code they want and still log the request...

    Sounds to me they're trying to camouflage it a bit.

  14. wait, you didn't agree to any terms or conditions when the tv booted up? nor at purchase time?

    well, just tell them they owe you $1million for replying to your email. oh they didn't see your T&C for email replies? heh

  15. Dear Richer Sounds,

    I saw a blog post which reports that LG smart TVs contain spyware which sends to LG detailed information about what is being viewed and even the filenames of any files it discovers.

    http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

    The author asked LG about it and they disdainfully said it's up to the retailer to make "you agree to being spied upon" (I paraphrase) a contract term at the point of sale. Please see their reply in that blog post.

    I purchased an LG smart TV and blu ray player from your Sheffield branch. The sales experience was very good but it was never explained to me that such a contract term did exist. If such a contract term was to exist then it would need to be pointed out at the point of sale, as it is not possible for the manufacturer to add further contract terms after purchase, regardless of whether or not they present me with pages of legalese and an "accept" button. UK law does not allow it.

    In addition to contract law, the Consumer Protection From Unfair Trading Regulations does require that all significant terms be made clear at the point of sale. I would argue that this detailed snooping is significant.

    I do not consent to any usage information being transmitted to LG (or anyone else) from the products I purchased from you. Had this behaviour been made clear to me at the point of purchase, I would not have made the purchase.

    If the blog post is true, and in order to preserve my privacy, I can no longer use these devices. I cannot (and obviously should not) trust them.

    So now we have a problem. I may need to return these units to you for a refund, regardless of how long ago the purchase was made.

    1. Will you take this issue up with LG on behalf of your customers?

    2. Had LG advised you that you must ensure that additional contract terms are explained to your customers as part of the sales contract? Can you please provide me with copies of the materials that LG provided to you about this?

    3. Will you update your website, catalogue and in-store materials to make clear which products intrude upon user privacy and the extent to which such intrusion can be minimised?

    4. For any customer who has purchased these products without agreeing in advance to this intrusion on privacy, will you provide a full refund, regardless of product age? I'd expect you to reclaim all monies and your costs from LG.

    I assume that you were not expecting this problem to land with you, but unfortunately LG's reply does make clear that they are making it your problem. Perhaps they will have greater respect for the purchasers of their products if you get involved.

    I look forward to your reply. I will post this message and your reply as comments to the blog post.

    1. Just to note that I've had a helpful email and phone call from Richer Sounds. They are unimpressed at LG, have tried to raise the issue with them and are getting only the bland "Customer privacy is a top priority at LG Electronics" reply.

      We had a short chat about the Sales of Goods Act aspects of a product whose manufacturer unilaterally changes the contract some time after purchase (mine being a 2012 model that has picked up the spyware in a recent update).

      Although Richer Sounds were keen to be helpful, we decided to await a fuller response from LG.

    2. Richer Sounds passed on the fuller response when it came. Rather than bury it here, I've pasted it at the end of the comments (dated 22 November 2013 12:55)

  16. It's possible the filename thing is attempting to identify the show in order to provide content information - for example, the open source MythTV has a feature whereby you end up seeing the show logo and text about an episode if it identifies from the filename what the program is. This must be using some form of web service to do it. It's possible the 404 you are getting back is not because the URL isn't found, but because it couldn't find any information about the program (for a REST API this would be a legitimate way of sending that sort of response).

    If (as is the case with MythTV) this was optional behaviour, then it would be OK, and potentially a useful feature; however, if you can't turn it off (as in this case), then it is definitely an invasion of privacy...

    1. There is a lot of encrypted traffic to ipg.content.glb.gracenote.com which I would expect is being used for media metadata.

  17. If this is not unlawful, it bloody well should be.

  18. And now please add some irony with this article from 2010:

    http://torrentfreak.com/lg-shows-how-to-play-pirated-movies-on-tv-100205/

  19. Keep in mind that just because the page is giving you a 404 doesn't mean that it doesn't exist. It's trivial to spoof a header, and most people (myself included) would take it at face value.

    But when they're quietly tracking information like this, they could easily have faked it to have plausible deniability. "Sure, the information is sent, but there's nothing at that location to save the data."

    1. While LG may or may not fail to log this, rest assured that the intelligence apparatus of our benevolent governments have not.

  20. "your concerns would be best directed to the retailer. "

    I bought a 55" LG LED 3D TV on Amazon five weeks ago. One week too late to return given Amazon's return policy.

    No mention of this activity appears on the Amazon page for this TV.

    Please join me in (at the very least) hitting them on twitter. @LGBlog @LGUS and @LGUK.

    1. Here is my complaint to them that caused them to blame the retailer. Note this was before I discovered the filename leaks and the broken opt-out.

      Dear Matt,

      Thank you for replying to my query regarding advertising and user-behaviour tracking on my Smart TV.

      Unfortunately, what you have told me makes me more certain than before that LG is in serious breach of EU Directive 95/46 on "Data Protection" in regard to the collection of data using my product.

      Firstly: I purchased the TV from a high street dealer intending to use it for viewing digital TV and YouTube online content. The product is prominently labelled as having this feature on the box.

      Upon setting up the TV, I did notice the user agreement that you pointed out and I initially refused to accept the terms. It became clear that not doing so rendered many features of the TV unavailable including many that were my reason for buying this product. Additionally, it was difficult to use the TV as it nagged me to accept the terms repeatedly - which I did after about a day.

      I could not return the TV for a refund as the retailer's policy prohibits this once the box is opened. There was no way that I could be expected to give my informed consent to be tracked without unpacking the TV, and once this had been done there was no realistic way for me to decline the terms without accepting a crippled product that did not fit the description of what I purchased.

      LG cannot insist that I submit to being spied on in order to use a product that I purchased, unless this is made perfectly clear at the point of sale when I can still decline without losing money.

      Secondly: the data collection option in the system menu labelled "Collection of watching info" is defaulted to "ON" - even when the user chooses to decline the terms. This means that informed consent is not being obtained prior to data collection and tracking.

      I intend to report this offence to the Office of the Information Commissioner and OFCOM tomorrow. I would urge LG to prepare a firmware update as soon as possible to rectify this situation.

      I am speechless that LG would choose to treat its paying customers in this way; by stealthily monitoring them and selling the resulting information to advertisers for additional profit.

      regards

  21. The US Government should be interested in this too - it has to violate HIPPA if there's anything personally identifiable in the filename, like the patient name and/or number(*) and the disease name for a Case Study.

    (* = And that Patient ID number is often the Social Security Number in whole with a few letters or digits tacked on at one end to disguise it - or signify sex and birthdate, which would be an additional bonus. Nevermind it's been illegal to use the SSN as an I.D. number {in whole or part} for decades, virtually all major hospitals health plans and insurers all use it. Unless you see it and scream bloody murder.)

    And think how handy it would have been for Hitler's staff to see a briefing video filename like (old example everyone should get) "Operation Overlord 06061944 Normandy" come across from a TV in a Pentagon briefing room a few weeks or months ahead... Huge Military Security Breach here we come.

    1. Unfortunately, HIPPA only applies to health care workers. In other words. LG is not bound by it.
      Furthermore, The Privacy Act of 1974 with a few exceptions applies to government agencies. Not the private sector.
      The best you can do here in the USA is have some judge void the T & C as a "contract of adhesion".

    2. It's HIPAA, not HIPPA. And while I agree that it's a pretty wild stretch to think this circumstance would result in a violation of the privacy rule, it is categorically *not* true that HIPAA only applies to health care workers. For example, any company that conducts administrative and/or financial transactions defined in 45 CFR § 160.103 (and others) could be subject. In fact, I'm currently preparing responses for my company's HIPAA compliance audit because we partially self-insure. We have nothing to do with health care, and much as I'd love you to be right, we are subject to HIPAA.

  22. I discovered similar activity from my LG TV shortly after I bought it last year. I was infuriated to see Budweiser and McDonald's banner ads shortly after setting the TV up. I also discovered quite a lot of links being generated to a lot of non-LG sites for ad serving and activity tracking, with many of the URLs going to blank or 404 pages. I think the activity tracking is a lot worse in the U.S.. I received a similar response from LG support, with excuses that the ads and tracking allow them to provide a better experience blah blah blah. I have blocked all the hosts via my router. I'm not playing this game over a device I OWN.

    1. Please post a list of URLs that you are blocking, as I plan to do the same ASAP. Thanks!

  23. The fact that their server is returning HTTP 404 response does not mean that they are not collecting data. They may be returning 404 on purpose, so in the event that they are sued, they can say their collection URL was not implemented, yet the may collect the data anyway.

  24. To those of you who seem to be aghast at this - how exactly did you think your SMART TV was getting its SMARTs? And as we laughed at many of the comments here at the office - do you really think that your other media devices aren't sending data on you back 'home'? You live in a connected world where much of the free services you use are powered by advertising - because things like hosting, development and so on cost money and if you aren't going to pay someone else has to. The point is not to worry about the fact that your TV is sending your viewing habits and penchant for midget porn to LG. The point to worry about is that they offer to stop sending this data as an option but don't honour that contract. I'm pretty sure that's not legal but I'm not a lawyer.

    1. LG TVs are not "free".

    2. LG smart TVs are a premium-priced paid-for product not a free service. You see the difference?

    3. Nothing supplied on LG TVs requires advertising and/or tracking. The streaming services these TVs have are either paid for via their own subscriptions or their own in app advertisements, same with the 3rd party apps in their app store. The price paid for the TV should be enough to cover the cost of development and to included the often lackluster media center options. If it isn't, then they need to reconsider how much they're going to charge for these products. The idea that LG customer service is trying to absolve themselves of responsibility and make the retailer to blame, at least in the U.K., is absurdity at its finest.

    4. You are _paying_ to get advertising on your TV ?

      doesn't sound very smart to me.

    5. Yeah, it's a miracle that people pay for Sky, isn't it?

    6. I know for a fact that most (not all) of my smart devices don't spy on me, because I too keep an eye on network traffic. But don't let facts get in the way of your unfounded and illogical blathering.

  25. This comment has been removed by the author.

  26. Obviously it's time to start spamming the daylight out of the endpoints with data that *could* be real but isn't. Make the data harvested as close to worthless as possible.

    1. Quite so, Irregular Shed. Spurious spontaneous irregular and unconventional harvesting of massively misleading content is a guarantee of chaos delivery to madness and mayhem.

      And if not a solution to encourage development change then also an application for Clouds Hosting Advanced Operating Systems to micromanage macro disorder and possibly smarter hostile user base energies for increased controlled and controlling powers with imaginative synergies and virtually elusive and/or attractively divisive distractions/sweet sticky passions which breed insatiably satisfying needs and feeds ...... Immaculate Source Seeding of QuITe Sublime IntelAIgent Services to Servers with Global Operating Devices for the COSMIC Application ProgramMING Environments ..... Mined Intelligence/Mind Infiltration Networking Games Grids for Live Operational Virtual Environments and the Sheer Pure Hell of IT’s Addictive Pleasures and Fiat Treasures.

      And it would be pure speculation to imagine and posit that such as is freely shared there is a pre-emptive dump of info and intel in response to what be lost to Snowden from the Wild Wacky West and delivered in rapturous capture to the Exotic Erotic East .... but that in no way is to suggest that all or anything at all there is false whenever all is perfectly true.

      Delete
    2. Hi amanfromMars. Nice words. Would you please send us a link to the tool you used to generate your comment. It is terrific. There's a book called _Infinite Jest_ that does you one better: it makes sense.

      Delete
  27. can you share the packet capture? I'd like to see those http headers

    ReplyDelete
    Replies
    1. http://pastebin.com/5Kp2kC56

      Delete
    2. awesome, thanks. can you grab one for the channel change too?

      Delete
    3. setting up adtrap to block all this.. well, not block, but alter it so it's unusable to them. I'll probably just put in block rules if the tv will be normal if it can't get to those servers.

      http://forums.getadtrap.com/forums/viewtopic.php?f=8&t=2261&p=8369#p8369

      Delete
    4. notify flipping on.. forgot earlier

      Delete
    5. I hadn't heard of AdTrap, good work!
      http://pastebin.com/kQY4qKNm
      Also, you see that last parameter? &watch_dvc_logging=0
      I've just discovered that this is what the on screen opt-out seems to be changing...

      Delete
    6. Doctorbeet, when you check / uncheck the data collection box does the POST address change?

      Delete
    7. No. The only change is that parameter. I'm not very impressed with this as an implementation to say the least.

      Delete
    8. lol, thanks! Are you familiar with charles proxy? you can setup a transparent firewall rule to forward the requests into it, and then it'll give you a breakdown of all the http requests. It's MUCH easier to deal with than a packet capture for actually seeing what's going on. plus you can spoof a https certificate and possibly get a visual on that traffic too.. some things don't like it though, and I'm not sure how you'd accept the cert on a tv...
      I wonder where that jsessionid came from, aren't those server assigned?

      Delete
    9. Yes airdamien. jsessionid is created by (I believe Java-based HTTP services) as a fallback in case the client does not support cookies for session tracking.

      Delete
    10. Typically an HTTP session ID, in this case from a Java Web server as jsessionid, is for the current session and unlike a cookie would not be stored on the client side from session to session. It maintains data that should accompany subsequent requests for the life of the session and it can be used so that a load balancer will always return the same user's requests to the same server, i.e. for session affinity because that particular server might be caching session data for that user. So better performance, response time, etc.

      Delete
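As an added example (not code from the post or its author), here is a small Python audit of a captured request in the format shown in the post: it parses the headers, pulls out X-Device-ID and the watch_dvc_logging flag, and flags when viewing data is sent even though the opt-out is set. The sample request, the device ID value and the chan_name field are constructed for this example; only the header names, the path and watch_dvc_logging come from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Hosts the post shows the TV talking to; requests to anything else are ignored.
TELEMETRY_HOST_SUFFIXES = ("lgappstv.com", "lgtvsdp.com")

# Constructed sample, modelled on the request format quoted in the post.
# Header names, the path and watch_dvc_logging come from the post; the
# device ID value and the chan_name field are made up for this example.
SAMPLE_REQUEST = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "Accept: */*\r\n"
    "X-Device-Product:NETCAST 4.0\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:CONSTRUCTED-DEVICE-ID-0001\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "chan_name=BBC+NEWS&watch_dvc_logging=0"
)


@dataclass
class Finding:
    host: str
    path: str
    device_id: Optional[str]
    collection_setting: Optional[str]  # "on", "off", or None when the flag is absent
    fields: Dict[str, str]
    reasons: List[str] = field(default_factory=list)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        # The TV omits the space after the colon on its X-Device-* headers,
        # so split on the first colon rather than on ": ".
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_request(raw: str) -> Optional[Finding]:
    """Return a Finding for a telemetry request, or None if it is not one."""
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").lower()
    if not host.endswith(TELEMETRY_HOST_SUFFIXES):
        return None
    fields: Dict[str, str] = {}
    if method == "POST":
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    device_id = headers.get("x-device-id")
    flag = fields.get("watch_dvc_logging")
    setting = None if flag is None else ("off" if flag == "0" else "on")
    reasons: List[str] = []
    if device_id:
        reasons.append("persistent X-Device-ID lets the server link requests to one TV")
    payload = {k: v for k, v in fields.items() if k != "watch_dvc_logging" and v}
    if payload:
        reasons.append("request body carries viewing data: " + ", ".join(sorted(payload)))
    if setting == "off" and payload:
        reasons.append("opt-out is set (watch_dvc_logging=0) yet the data is still sent")
    return Finding(host, path, device_id, setting, fields, reasons)


if __name__ == "__main__":
    finding = audit_request(SAMPLE_REQUEST)
    if finding:
        print(f"{finding.host}{finding.path} (collection={finding.collection_setting})")
        for reason in finding.reasons:
            print("  -", reason)
```

Paste the text of a "Follow TCP Stream" window into audit_request to check a real capture the same way.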
  28. People use facebook, twitter, google+, gmail and they get stressed because LG knows what they are watching? No sense! :)

    ReplyDelete
    Replies
    1. People don't pay hundreds/thousands of dollars for facebook, twitter, and google. Most people don't have a problem with free services collecting data.. Most people DO have a problem when their expensive toys spy on them without their consent.

      Delete
    2. Valdemir - in my opinion ANY non public person posting their photo and other personally identifiable information, thus enabling ALL unstoppable mismanagement and abuse of these in the future through all kinds of commercial and legal actors, IS AN OBVIOUS MORON, not deserving any discussion with adults at all. Morons belong to kindergarten schooling about privacy and data security. That's all. Cheers.

      Delete
  29. There is an easy way to stop this, just send LG a notice that your consulting fees are £500 per day or £1 per byte of data transmitted, whichever is greater, and then bill them for using your information that they so desperately want from you.

    ReplyDelete
  30. I traced mine, just opening the Applications menu and then opening Netflix. As part of that I see a request to

    http://ae.amgdgt.com/ads/?t=de&p=9372&pl=d3155b14&cat=portal.homelivecard.360x150&aid=&did=&dom=938rMmOsPSB&mod=&ref=&cip=&dou=&gender=&age=&rnd=3144535663689619721

    followed by another request (truncated):

    http://ad-emea.doubleclick.net/N8549/ad/lgtv.nc3.nl.smartclip/portal.homelivecard.360x150;appid=;devid=;gender=;age=;dom=938rMmOsPSB;sz=1x1;dt2=%26amgid%3D349426c0-e83c-4b0f-b8a6-d1889627f33b%26client%3Dlg%26a

    And another truncated one:

    http://ad.smartclip.net/delivery/tag?sys=4&sid=42049640&zid=42858680&size=1x1&aid=113899520&dt1=&dt2=%26amgid%3D349426c0-e83c-4b0f-b8a6-d1889627f33b%26client%3Dlg%26appid%3D%26devmod%3D%26ref%3D%26cip%3D

    Note the "gender" and "age" parameters in that URL, albeit with empty values. This is for a TV registered in the Netherlands.

    ReplyDelete
  31. This comment has been removed by the author.

    ReplyDelete
  32. This settlement with Google may have bearing on such devices in the US. "The settlement requires Google to not bypass cookie settings without a user’s consent, nor may it fail to inform consumers of how Google serves personalized ads to them via their browsers. In addition, Google must expire the cookies placed on Safari browsers from June 1, 2011 through Feb. 15, 2012 by February of next year."
    http://threatpost.com/google-pays-17m-privacy-settlement-to-37-states/102966

    ReplyDelete
  33. Great idea suggested by Irregular Shed about just spamming those endpoints. Wonder what legal issues would kick up if you had a linux box (or Raspberry Pi?) on the same hub as your wireshark tap that simply spewed spoofed packets constantly reporting random data? It seems dicey for them to charge you with unauthorized access to systems making unauthorized access to your information...

    ReplyDelete
  34. Found this info on the company behind the LG data collection:
    http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_as_its_first_tv_oem/
    http://vimeo.com/22276085

    ReplyDelete
  35. My US LG looks similar but there is no option to disable data collection. It would be limited to USB and DLNA played content because of our screwed up cable system that requires a box.

    ReplyDelete
  36. The privacy concern here isn't that your data is being collected. You bought a smart TV, obviously the manufacturer has data on your usage of it. The issues are twofold.

    1. The end user is not being explicitly told their data is being collected, and they have no way of opting out
    2. They're allowing third parties to collect the data directly from your device without telling you

    Smartclip and Doubleclick are advertising companies. LG just gave them the keys to tag up your TV.

    Similar to how websites have third party tracking from ad tech companies, the Smart TVs are inviting these companies to track directly as well. Those companies are doing a few things with the data.
    1. Building a profile for your device based on data signals
    2. Selling ad inventory targeted to the type of users they believe you are
    3. Using your network data to cross-stitch to your phone, iPad, laptop etc.

    Don't be surprised to get an ad for a fancy suit on your TV, then get it a few seconds later while you're browsing the web on your iPad. Then the next day on your Samsung galaxy... while you're walking past the fancy suit store.

    Again, the biggest concern here is a lack of opt-out mechanism and transparency to the end user. At the end of the day, the ads aren't going away. Opting out won't make it so advertisers will stop messaging you, it will just make those messages less relevant.

    ReplyDelete
    Replies
    1. "You bought a smart TV, obviously the manufacturer has data on your usage of it".

      I don't see why this is 'obvious'. A Smart TV is a TV with an Internet stack, a Web browser and streaming clients for various OTT video protocols. End of story. It has no business whatsoever reporting any local activity back to the manufacturer whatever the user is forced to accept.

      This isn't some subsidised mobile device where you have signed away your first born to an operator in return for a nearly free bit of kit, this is a generic TV bought full price at retail. Actually it amazes me that people even accept advertising in the manufacturer's portal in the first place (as opposed to services they may use, which is fair enough).

      The irony is that LG probably wasn't using the data anyway - I know that 404's can be spoofed, of course, but never attribute something to malice that can be explained by incompetence...

      Paul (Smart TV UI developer, among other things)

      Delete
  37. If I owned an LG Smart TV, and knowing they were collecting information in this way I would have a little fun. Here are a few suggestions.

    1. Place a rubber band over the channel change button on the remote control and point it at the tv so it continually changes channels. Do this once or twice a week when you plan to be out of the house for at least an hour.

    2. Whenever you upload a video file to your USB, rename it things like "jihad for beginners", "101 to plan before your rampage", "Yes, I killed your dog" and "LG UK HQ blueprints". Get creative and have fun with it.

    3. Use their packets as a template to send extra packet data to their servers. Randomize the device ID and send random, non-tv related content. Pub quiz trivia might be a good place to start for content.

    There is plenty more you can do. I feel like blocking it out is missing an opportunity...

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. Now THAT is a great idea. However, I'd be careful about which bogus titles I used for the videos. You don't want the local cops, CIA, FBI, (or depending on where else you may reside, MI6, Mossad, etc.) showing up at your house... ;-)

      Delete
  38. Here's another way to capture this traffic that worked for me without a hub. I have a Linksys WRT54GL router with dd-wrt custom firmware. I used telnet into the router to set up iptables to forward all traffic from the TV to my PC with wireshark capturing the traffic. Example:

    # mirror packets going to the TV (192.168.1.100) to the capture PC (192.168.1.101)
    iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

    # mirror packets coming from the TV to the capture PC
    iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

    ReplyDelete
    Replies
    1. This is a good method if you have a router with flashable firmware. I used an Xubuntu PC with two NICs and configured it as a router.

      Delete
    2. For those with custom firmware, this might be useful for blocking:

      http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/

      Delete
  39. I wonder if they display this file data on a web interface somewhere. Try script injecting them.

    ReplyDelete
  40. I have not found this information anywhere in your post, so may I ask you which firmware version is running on the TV? Thanks!

    ReplyDelete
  41. I soo much hope there are enough people who stumble upon this post, and understand its implication, for this to go viral!!!

    ReplyDelete
  42. help us put an end to this https://github.com/MarsVard/Everything-is-bugged

    ReplyDelete
  43. getting a 404 error from the server does not mean it doesn't process the data. it can process the data and send an 404 error back, just to obscure the fact that it is really collecting data... this is outrageous.

    ReplyDelete
  44. Well, this is an interesting coincidence - I was starting to look at the same things after a software update to my LG TV popped up a 50 screen "update our new privacy policy" sequence on reboot. You are ahead of me on wiresharking

    If there are a group of people interested in playing with what we can do here - serving up images, analysing the data, deanonymizing it or simply co-authoring letters to the ICO, I'd be up for joining

    @steveloughran

    meanwhile, here are my screen shots of the privacy policies as declared on the device, which doesn't differentiate web access from device access, but does say they consider MAC addrs, cookies and TV watching to be non-personal info, and they can do what they want with it. Personal details are name and address, and they can do what they want with that too

    http://www.flickr.com/photos/steve_l/sets/72157637867348596

    ReplyDelete
    Replies
    1. Thank you for posting this.

      "We may collect your first and last name and mailing address and may tie that information to your Non-Personally Identifiable Information), in an effort to track your usage of our products and services so that we can deliver products and services to you that meet your needs."

      This would almost certainly place LG in violation of the Data Protection act and the EU DP directive. I have been unable to match my device serial number to the device ID that was being transmitted - but this statement indicates that they can and do match it back to your name.

      Thanks for this information.

      Delete
    2. If some information contains enough information to tie it to "personally identifiable" information, I would think that the information should legally be considered "personally identifiable" - surely only aggregate information that fundamentally can't be tied back to a single person would be considered non-personal?

      This also seems relevant: http://www.out-law.com/page-8060 - it seems that IP addresses can become "personal data" in some cases, even if they aren't tied to your name. I would imagine the same would be true of the device ID (i.e. your viewing habits associated with a device ID would probably fall under the data protection act as "personal data" even if they aren't associated with your name and address, since they are still linking the information with a single specific (unknown) person in a non-aggregate way).

      Delete
  45. I've written to John Lewis customer services pointing out this article, and how LG are fobbing this issue off onto them. I've asked them to get LG to explain what the hell they are playing at.

    ReplyDelete
  46. I have just got myself one of these tv sets, and have now emailed Currys asking the same information as the person above who asked Richer Sounds. I will post any replies I get.

    In the meantime I have set up url filters on my router to block traffic.

    Many thanks for the heads up

    ReplyDelete
    Replies
    1. Today I have had a reply from Currys

      It reads,

      Dear John,

      Thank you for your email dated 20th November 2013. Please accept my apologies for the delay in response.

      The terms & conditions of the EULA (End User License Agreement) states that LG can gather information from the TV and you would have agreed to this as it would have come up when you set up the TV.

      Therefore we will not be offering a refund or an exchange as you agreed to the terms and conditions, and the item has been used.

      Thank you for contacting KNOWHOW™.

      Kind regards,

      Mohammed Ansar
      The KNOWHOW™ Team

      Delete
    2. This was my issue; you've purchased the TV and have to unpack it and connect it up to read the Licence Agreement. Then if you disagree - tough you've bought it now so there's nothing you can do.

      There needs to be laws to protect users against "omnipotent" licence agreements that we are not aware of at the point of purchase.

      Delete
    3. AFAIK there is... all Ts and Cs are agreed at point of sale, and cannot be altered thereafter. Hence all these I agree buttons etc when you fire the device up are meaningless in contract law.

      Retailers need to be made to adhere to the law, and to aid this they should display openly such conditions at the point of sale.

      I think I might try my local MP

      Nice Job BTW Doc B in bringing this to everyone's attention, and ultimately this leading to a firmware update... It is not often one man makes a difference, but you definitely have.. Kudos

      Delete
  47. Another thing many don't consider. When you have a device that is expecting a response over IP communications, if there is any issue with that, like DNS timeout, unreachable IP etc, it can lead to a laggy experience. Most system software developers do not properly thread the code to let this communication process spin off on its own.

    ReplyDelete
  48. Will certainly be blocking this tonight. Personally I'm not as fussed over watching habits being reported but the transmission of what is on external media is ridiculous. I need to get a copy of the terms you accept when you start the TV. If there is a breach of the Ts&Cs the target IP (for gb.ibis.lgappstv.com) resides in a block of IPs managed by RIPE, who will investigate misuse of its network (http://www.ripe.net/data-tools/db/faq/faq-hacking-spamming)

    ReplyDelete
  49. Put a firewall block outgoing from TV ip to internet, ip tables.
    or hack the tv and install a proxy.

    ReplyDelete
    Replies
    1. yea..
      1 Buy TV which can show Netflix and Hulu
      2 Block that TV from internet..

      Delete
  50. Is this only if you are watching TV through the inbuilt tuner? What if you have cable box (eg Sky)? I assume they can't track what you are viewing then?

    ReplyDelete
  51. Dear Sir or Madam,
    I was thinking about purchasing one of your smart televisions, but have just discovered that you collect all viewing information, including what programmes are being watched, who is watching them and for how long, and that you are also collecting data from any usb connection to the television. This even includes file names and the names of children on those files. I understand that you also offer an option to “opt out” of this, rather than “opt in” and that even when the opt out is selected you still collect the information. You don’t offer any guarantees regarding the safety or security of this information, you are allowing it to be passed over the internet unencrypted where anyone can collect it. If you could confirm these points for me before I purchase the television, I would be extremely grateful. I see also that you say that it is the responsibility of the retailer to inform the customer, and that it has nothing to do with your company or televisions... Are your retailers aware of this procedure? I always thought that when I purchased a television it was for the purposes of receiving information rather than divulging personal information for free. Is this the way of the future for L.G.? Would you like your children’s information, or your own private information spread over the internet, without your being aware or being asked for your consent?
    Yours sincerely,
    Douglas Rankine.
    P.S. Have you checked with the Data Commissioner that what you are doing is perfectly legal and good practice for the protection of private Data?

    ReplyDelete
  52. Dear LG UK,

    I'm furious to discover via the media that my "smart" TV has been sending details of every button press to you.

    1. Please inform me the version number of the TV firmware where this snooping commenced.

    2. On what date did that version become available for download by the 2012 smart TV range?

    3. How was "informed consent" obtained such that each individual user of the upgraded 2012 television fully understands and agrees to the data collection?

    4. How can users of a 2012 television seek recompense for the unilateral change of contract term if they do not agree to it? The UK Consumer Protection From Unfair Trading Regulations prohibit such unilateral changes in terms.

    5. What are the contact details of your data controller (the Data Protection Act requires that you have one) and do you propose to charge a fee for a Subject Access Request under the Act?

    I look forward to your prompt reply.

    ReplyDelete
  53. I use opendns.com as an easy way of filtering what sites can be easily accessed from my home network. Any restricted domains (I add), or sites containing certain types of info (drugs, web spam etc) can also be blocked.
    Visiting those sites returns a configurable access denied type page.

    You simply configure your router to use opendns servers, then you can create an account and setup 'web content filtering'.

    I've added the sites listed in this post. This whole thing is pretty disgusting. I really must try and setup some form of traffic analysis myself. Would appreciate any good articles out there on doing this

    ReplyDelete
    Replies
    1. Yes, but then what do you do about opendns.com tracking your DNS history?

      Delete
    2. This is true, I guess you get nothing for free. Just like trusting Google with all your searches.
      I trust opendns to do the right thing, more than LG. Is this really any worse than trusting your ISP with the same DNS history...

      Delete
  54. I have logged a complaint with the Irish Data Protection Commissioner today.
    I will update you with any feedback.

    ReplyDelete
  55. We have an lg smart tv too, but the tv does not allow us to turn this off - it's greyed out! That's rather naughty!!

    ReplyDelete
  56. Replies
    1. I got the URL for this post from a link on nbcnews.com, which has an article about it.

      Delete
  57. Just a note - llnwd.net is the generic top-level domain for the Limelight CDN. As far as I'm aware, it's not possible to collect data using a Content Delivery Network (it's for *delivering* *content*). Other than that, interesting article.

    ReplyDelete
    Replies
    1. I think you're right and some others have pointed this out too. At the time I suggested blocking LL I had intercepted packets served on behalf of YuMe Inc.
      I will try and update the list with a note.

      Delete
  58. This really just happened:

    "Hello, LG support"

    "Hi, I'm calling about your smart TVs"

    "What is your address and postcode?"

    "Why do you need to know?"

    "In case we want to write to you"

    "It's excessive data collection that I am calling about..."

    ReplyDelete
  59. You know, now that I think about it, I'm not sure what's worse about the mention of encryption. I mean, it can be intercepted if it's not encrypted (not like LG would care, they just want the data, so what to them if others spy on your viewing habits) but on the other hand if this WAS encrypted then it wouldn't have even been discovered..

    ReplyDelete
  60. http://gb.lgappstv.com/appspc/footer/footer/movePrivacyView.lge

    Quote: "you do not want LGE to collect your personally identifiable information, please do not provide it to us." #Sigh

    It does mention at the end though: "If you have any questions about this privacy policy or our privacy practices, please contact us at [hiral.gandhi@lge.com]"

    Good luck with that though I guess - Good write up and well spotted sir.

    ReplyDelete
  61. Heh... reading the BBC article now, I love it when companies change their tune about looking into something when it becomes a much larger audience.

    --------------------- From: http://www.bbc.co.uk/news/technology-25018225

    When the consultant - Hull-based Jason Huntley - contacted the South Korean company he was told that by using the TV he had accepted LG's terms and conditions, and that any remaining concerns should be directed to the retailer who had sold him the screen.

    But when the BBC contacted LG, it indicated it was looking into the complaint.

    "Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously," said a spokesman.

    LG user interface
    Mr Huntley said details of what channels he had been watching had been sent even after a privacy setting had been changed
    "We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.

    ---------------------

    ReplyDelete
  62. Great. First they try to get away with it. When it goes public they suddenly make it a top priority to "look into it". It's always the same.

    ReplyDelete
  63. Sidenote: 47LK950S with 06.01.24 and current 06.01.28 do not show any channel- or filenames so far - guess it's too old to be "smart enough" ;)

    ReplyDelete
  64. If the feature to turn it off isn't working, then I'd consider it a malfunction, and request a repair under terms of the warranty.

    It would be interesting to see how they respond to that!

    ReplyDelete
  65. This comment has been removed by the author.

    ReplyDelete
  66. for those making comments such as what Jason Miller stated above "it's not possible to collect data using a Content Delivery Network" this is completely incorrect, had any of you actually researched this you would be able to denote the fact that "Content Delivery Network" servers are still running functioning web servers which store requests in the access log.

    as far as the server they are making these data acquisition requests to giving 404 errors, the key note here is that they are returning an error which denotes the fact that these requests are stored in an easily accessible manner in the access_log of the webserver in which they control

    ReplyDelete
  67. This comment has been removed by the author.

    ReplyDelete
  68. The Register reported this was coming:

    "The trick up the sleeve of Cognitive Networks is to move content recognition to the cloud, and place a thin client on a device, which makes porting far easier, in this case it believes that one day the smart TV will be the best device to have such a client on, and that in this way it can offer a number of advanced services across the board – mostly advertising-related.

    "The system grabs tiny fragments of content from small regions on the screen and throws them to the cloud for recognition, picking them from 10 different frames in each second. Collette told us that the service would be on 10 million TVs by mid-2014 and now it is headed for LG smart TVs being sold in the 2013 range as well as being downloadable to those in the 2012 range."

    http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_as_its_first_tv_oem/

    also: http://www.theregister.co.uk/2013/11/20/lg_smart_tv_data_collection/

    ReplyDelete
    Replies
    1. Hi Sue,

      You can relax about Cognitive. I contacted their CEO at the same time as LG and received a reply saying that they have not used this technology in the UK yet.

      He also stated that the picture information is sent as a digital signature meaning that it cannot be used to reconstruct a picture of anything you are watching. It can only be used to say whether it is (or isn't) X-Factor for example.

      Delete
  69. What's the model? I want to report the device to the Canadian and Ontario privacy commissioners, as well as ensure that I do *not* have one of them.

    --dave

    ReplyDelete
  70. I got ping responses and a full traceroute from that "GB.smartshare.lgtvsdp.com" (IP address 193.67.216.137)
    http://i.imgur.com/WQ0uktI.png

    ReplyDelete
  71. This comment has been removed by the author.

    ReplyDelete
  72. Eben Moglen has given warning to attacks like these on our freedom of thought in his talks. To freely think, read without being judged for example. The problem is not what you publish but what you read.

    His talks lead/help you to shift your mind over a hill to an understanding. In other words, watching and thinking about the talks will be a bloody good investment of a few hours of your time in your 70 year life.

    http://multimedia.aross.me/eben_talks/ (my mirror of his talks.)
    http://snowdenandthefuture.info/

    ReplyDelete
  73. If it sends the data in a HTTP_POST to the server, it is trivial in PHP to still capture the information, and send back a realistic 404, even though there is really a file there.

    My software, ZB Block, sends back 403s and 503s all day to bots and other hostile connections. Yes there is a file there, but it decides on the fly how to respond based on several criteria.

    Don't EVER trust server response codes. Your data can still be logged, and the 404 just makes you feel good. I personally would find a way to stop it from connecting to the server, and send it to a real black-hole 404 on that request.

    And if you have a cruel streak, try posting something nefarious, like the EICAR test file to that supposed 404 page. On the other hand, you could have some fun sending it things like "White_House_Morning_Security_Briefing_12-16-13.avi" and wait to see if they then attempt to download it (whatever it is) from you. Make sure it's a fat file.

    If that happens and you think on it, it could be this exists for espionage reasons, and LG has been co-opted by an enemy government, and their electronics will need to be removed from all governmental establishments.

    ReplyDelete
    Replies
    1. you are aware that these fake responses are easily detectable right, also your suggestions regarding the EICAR file and the "White_House_Morning_Security_Briefing_12-16-13.avi" are meaningless because they are steps ahead of you as far as this is concerned and will not attempt to make any requests for this content, it's not like they are microsoft or apple.

      Delete
  74. I did send Twitter message to LG Nordic
    @LGNordic I will never buy any LG device, with or without ethernet, if there is not acceptable answer http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html … for #spying

    ReplyDelete
  75. As stated many times above, the 404 means nothing. There's just no web server running on port 80. But it can listen on many other ports. A port scanner could find out which ones are open.

    ReplyDelete
    Replies
    1. Actually, if you are going to play on technicality, 404 DOES MEAN that there's a web server running on port 80.
      404 is an HTTP status code. That can happen ONLY if there's a web server listening for connections and replying back.
      If there was no web server on port 80, his TV would not be able to establish a connection at all and he wouldn't be able to see all those requests sent to LG.

      Delete
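Added example, not from the post or any commenter, demonstrating the point made in comments 73 and 75 above: a local Python HTTP server that records every POST body and still answers 404, so the status code alone says nothing about whether the data was logged. The listener, port and the request contents are local and constructed; the path and field names mirror the request format quoted in the post.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class LoggingNotFoundHandler(BaseHTTPRequestHandler):
    """Records every POST, then answers 404 as if nothing were there."""

    records = []  # class-level list shared by all handler instances

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        # This is the "access_log" the commenters describe: the data is kept
        # regardless of what the client is told.
        type(self).records.append({
            "path": self.path,
            "device_id": self.headers.get("X-Device-ID"),
            "body": body,
        })
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, format, *args):
        pass  # keep stdout quiet; the records list is the log here


def run_demo():
    """Start the server on a random local port, send one telemetry-style POST,
    and return (status_code, recorded_requests)."""
    LoggingNotFoundHandler.records.clear()
    server = HTTPServer(("127.0.0.1", 0), LoggingNotFoundHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/ibs/v2.2/service/watchInformation.xml"
        # Constructed request body and device ID; field names follow the post.
        req = Request(
            url,
            data=b"chan_name=BBC+NEWS&watch_dvc_logging=0",
            headers={"X-Device-ID": "CONSTRUCTED-DEVICE-ID-0001",
                     "Content-Type": "application/x-www-form-urlencoded"},
            method="POST",
        )
        try:
            with urlopen(req, timeout=5) as resp:
                status = resp.status
        except HTTPError as err:
            status = err.code  # urlopen raises on 4xx; the body was already logged
    finally:
        server.shutdown()
        server.server_close()
    return status, list(LoggingNotFoundHandler.records)


if __name__ == "__main__":
    status, records = run_demo()
    print(f"client saw HTTP {status}; server recorded {len(records)} request(s)")
    for rec in records:
        print(" ", rec)
```

The only reliable way to know the data was not kept is to stop it leaving the network, which is why the router-level blocking suggested elsewhere in the thread matters more than the response code.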
  76. I have a USB stick in my TV with family pictures on it. Seemed like a good idea at the time. Would it sometimes take these JPG files, without my consent and send them across the www to LG?

    NOT HAPPY.

    ReplyDelete
    Replies
    1. No. Only the names of files are sent.

      Delete
  77. Here is the reply I received from the company. Nice to see all this concern and activity. Mustn't encourage the paedophiles and terrorists must we, by inadvertently making honeytraps out of our children. They must be getting quite busy with all those queries. Lots of time wasted in dealing with customers and the various arms of the state investigating can help to make the whole thing unprofitable and they may have to re-write it. As Robert Burns used to say, "The weel laid plans o' mice an men, gang aft agley, and lea us nocht but grief and pain for promised joy"...:-).

    P.S. Perhaps someone should tell Which Magazine. The company are so proud of the award they won, that they display it on their emails. The Consumers Association needs a bit of enlightenment too, I should think... :-)


    Good Afternoon

    Thank you for your e-mail.

    Customer privacy is a top priority at LG Electronics and as such, we take the issue very seriously.

    We are looking into reports that certain viewing information on LG Smart TVs was shared without consent. LG offers many unique Smart TV models which differ in features and functions from one market to another so we ask for your patience and understanding as we look into this matter.

    We expect to have more information for you very shortly.

    If you have any further enquiries, please do not hesitate to contact us.


    Kind Regards

    Emma Hills
    LG Customer Service Escalations Team
    LG Electronics UK Helpdesk
    Tel: 0844 847 5454
    Fax: 01480 274 000
    Email: cic.uk@lge.com
    UK: 0844 847 5454 Ireland: 0818 27 6954
    Mon-Fri 9am to 8pm Sat 9am-6pm
    Sunday 11am - 5pm

  78. Engadget - LG promises to stop your Smart TV spying on you - http://www.engadget.com/2013/11/21/lg-admits-smart-tv-data-collection/

    Replies
    1. Thanks for posting this - this is really interesting. It's a step in the right direction.

    2. Nice work on sussing this out. Without your post, I doubt they would've taken any action (at least, not so quickly).

  79. Hi,
    after finding out about your findings via a German news site, I did some wiresharking on my German LG LM660S and noticed exactly the same behavior as you did.

    USB directory file names were transmitted to some server. Apparently the server does not exist, but who knows whether such a response is spoofable.

    URLs are now blocked.

    Thanks for finding this out!

  80. Where do they draw the line? What about surreptitiously activating video cameras in the TVs and sending the data back to HQ?

  81. I also saw this on a news site:
    "Since the issue became public it has emerged that Sony's PlayStation also collects data from every Blu-ray disc that is played"
    The PS3 has LONG since been known to do FAR more spying than that (reporting back the model of TV you have and file names on storage as well as any device seen on your home network etc.) but nothing ever happened about it (god knows why not).
    Can we just make sure that ALL companies guilty of breaking EU data laws get punished here, not just one...

  82. For what it's worth, I checked this on my Canadian LM6400 (2012 model) and it doesn't seem to phone in any of this information. I checked the capture of a short session browsing around the Home screen, inserting a USB device and browsing my Plex media server.

    The only outbound request was made on the initial display of the Home screen, and it only sent minimal information such as the native resolution, amount of RAM, 3D support, locale and GPU spec. What you'd need to decide which supported SmartTV apps to display on the home screen.

    I will be watching like a hawk should they ever push a software update, however.

  83. Thanks for this useful info. I am not computer literate as others obviously are - but I went into my Sky Router / Security / Block Sites and entered the sites listed at the top of the post; all relatively painless. I have cleared the log and have ticked the box that says record attempts to access blocked sites - I will check back tomorrow to see if anything is being sent from my LG TV.

    JTH

  84. I bought an LG smart TV in Finland just a few weeks ago. Unfortunately I had not heard of these findings at the time. If I had, I would not have bought the TV.

    Anyway, I sniffed the traffic my TV generates and the only external address it accesses when I watch TV is safebrowsing-cache.google.com. The traffic is in TLS so I cannot tell about the content.

    Can safebrowsing-cache.google.com be used as a proxy to communicate the same stuff you have been seeing or is this just some harmless anti-phishing protection related traffic?

    Then again I wonder why it would need to do that, because I do not use the TV browser. I only bought the TV to have a good HD picture in Netflix.

    Best regards,
    Jyri

  85. The R in URL / URI stands for Resource. A resource is a concept, not a file. A 404 response means that the requested resource cannot be provided by this service. But the service itself is running and the request is fully processed and not just logged.

    One of the URLs contains "smartshare", which, according to LG's website, tries to find additional media information. So the resource could be information on a movie / song etc. and the conversation between your TV and LG's server might have been as follows:

    TV:
    Hey server, I want to display a picture, the director, the year of release etc. for the movie "Midget Porn 2013". Gimme that info.

    Server:
    Sorry, I don't have any information on that particular movie.

    The second URL you presented contains "watchInformation" and might be something similar, but for TV programs.

    So while LG's answer to your request is hardly satisfactory and it's reasonable to have privacy concerns, I don't think you have been a victim of Orwell-like spying.

    As for the ad thing, well, that is disturbing, not to say disgusting IMHO.

  86. Just read on the BBC website that LG have promised a software fix to make a "no" setting mean exactly that after admitting they collect viewing information, even after users have disabled the function.

    http://www.bbc.co.uk/news/technology-25042563

    Well done, according to the BBC, to Jason Huntley who highlighted this in his blog . . . . . . .

    Now the BBC are waiting to hear from Sony as it collects info on every blu-ray disc that is played and Samsung who have, so far, refused to comment.

    JTH

  87. Even though my LG has NO setting to allow or disallow data capture, the following is an extract from my router log (Sky) this evening.

    Nov 22 17:14:54 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
    Nov 22 17:17:23 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
    Nov 22 17:22:43 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
    Nov 22 17:23:55 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
    Nov 22 17:24:15 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10

    Luckily, I added the web addresses yesterday per an earlier blog . . . .

    Thanks to the poster for the useful information

  88. And what about your routers, do you really trust them? If anyone wanted to track your browsing/viewing habits, that would be the obvious choice for planting nefarious firmware. I for one can't help wondering why these things are now cheaper than toilet paper. Just saying.

  89. The "Creepy Corporate Video" link is currently down for, ahem, "maintenance".

    Replies
    1. Oh you're joking. I hope someone grabbed a copy for reference.

  90. Richer Sounds received a response from LG and forwarded it to me yesterday evening then followed up with a phone call today. I got the impression they'd have been prepared to return my TV to LG but, as there is a firmware update coming, I felt it would be easiest to await that.

    I'm now preparing a dossier for the Information Commissioner.

    --------

    LG RESPONSE

    "At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers' privacy is very important part of the Smart TV experience so we began an immediate investigation into these claims. Here's what we found:



    Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.

    It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.

    LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion."

    --

  91. I think there is a problem with LG's claim that "Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information."

    They claim this because they think it will avoid them having to comply with data protection legislation.

    However the ICO say that information is personal if it can be combined with personal information that the company already holds. As many/most smart TV users will have signed up to an account on their app store, they can combine the viewing information with it.

    Therefore viewing information is personal data.

    Sorry LG! Remember how "Customer privacy is a top priority at LG Electronics"? Prove it by complying with the law! Your data collection must be opt-in, not opt-out, and you must clearly inform users about exactly what is being collected, not bury it in a 30 page privacy policy.

  92. Thanks, Sue. Just turned my TV on and there is a software update for installation - version 06.01.28. I have an LG 550. Hopefully, this will close the loophole until the next one is found.

    JTH

  93. I think we are forgetting that a lot of this sort of information and more is available and used on all digital platforms - PCs, mobiles and laptops. It is pretty standard. It does not however allow a company to personally identify a user and that is where the law steps in. I would rather have a relevant ad than one that is not useful for me. Advertising is a necessary requirement and allows consumers the luxury of free content. I would rather have relevant ads than pay for content. It is a trade off. I think LG's response was the right one. I have many of their products and think they provide quality products at good prices. I too have an LG Smart TV and to be honest most of the ads I see are not relevant. I see a lot of car ads and I don't even drive!

    Replies
    1. You miss the point - I do not mind targeted ads where I am using free services (Google Mail etc.) but where I have PAID for a product and SAID NO to information gathering, then I have every right to object to someone (LG in this case) data mining my usage.

    2. You don't drive. That's why they are trying to get you to buy a car.

  94. I'm curious if the HTTP 404 response is connected to the "Collection of watching info", i.e. if you set the setting back to Yes, would it hit a good URL?

    Replies
    1. That wouldn't happen. The 404 response is either a default setting or an intentional 'misdirection' on their part. 404's can be generated in response to anything, so there's quite likely a script that processes the information and just spits out a 404. Hell, they might even have the TV set to recognize a 404 as the correct response.

      A feature like this would either A) do nothing at all, or B) phone home anyway, in the case of being set to off. It wouldn't just send data to the wrong place instead, and the 404 couldn't be generated based on whether the feature was on or off unless the packet contained the status of the feature (which would be pointless anyway since the TV would still be sending that packet in the first place).

  95. I just picked up an LG 42LN5700 at Costco in Canada. Brought it home & decided to read some reviews and found this blog. Thanks for making this public! I am considering taking my TV back. If they want the data, they should have to ask for it, not hope that I never notice. I just tweeted this:

    @LGCanada has this stopped? LG TVs log & report file names from USB devices & viewing habits. http://bit.ly/1jjCLrx #privacy #dontspyonme

    I would like to know if firmware upgrades have made the opt out option effective. It is none of their business what is on my USB storage! I shouldn't have to give them access to me so that I can get access to the internet.

  96. I have an LG 47LM669 smart TV and just updated to 4.51.07, being forced to agree to LG's terms of use before being able to use my TV's smart functions. It is a Nordic/Scandinavian model.

    My TV does not have a collection option to turn off or on, so this leaves me slightly puzzled and worried. Does it collect or not, and why is the option missing?

    Can anyone confirm this, or does anyone have more information on this?

    Replies
    1. I do not have the option either in my Finnish model. I have been sniffing the network traffic while watching the TV, but I have only seen some encrypted communication with safebrowsing-cache.google.com (see my comment above). So far I have not upgraded the SW, not sure if I will.

  97. I see there is a software update now available but have not downloaded it yet (considering legal action so may need to preserve evidence).

    Can anyone who has tried it tell me:

    1. Is there still a "collection of watching info" setting?

    2. Does it still default to On? (may need a factory reset to find out).

    thanks

    Replies
    1. Hi Sue,

      The "collection of watching info" option is still there on mine. It was set to off before the upgrade and it remained off afterwards. I haven't had time to check the comms yet but I have received reports that it is effective.

      I went from 04.02.03 to 04.04.07.

      Regards

  98. Hi there!

    I'm from Slovenia and I have an LG 47LA6678.
    In my settings there is no "collection of watching info".

    I have looked at my Linksys with DD-WRT log and there were 3 IPs that my TV is connecting to. Because I don't have much time to play around I have not sniffed the traffic yet, and I must see what data is sent from my USB.

    Will post when I try.
    Regards

  99. I am not surprised at all, hence why I don't have a smart TV. But what amazes me is people being shocked about it. I mean, information is a gold mine for those manufacturers and, given the Xbox One story, why are you all shocked about it?
    Anyway thank you very much for the nice post and your work on it. We should spread the word.

  100. Hi DoctorBeet, I appreciate your work on this, it's highlighted a major problem with LG's privacy policy and data handling. I have a 42LN575V set which was dialling home, until I blocked the domains in my router. Smart functions are still working (Lovefilm / BBC iPlayer / Smart Share etc.)

    I have also downloaded the latest firmware 04.04.07. Can you say when you will have time to test the privacy option with this firmware?

    Replies
    1. That's the same model as mine. I'm still looking at the firmware, the spying traffic has disappeared but I'm still slightly suspicious about some of the other comms.

    2. I was looking at something the other day that may be able to show the delta between 2 firmware packages... Check out: https://code.google.com/p/binwalk/

  101. OK, I did the update on Thursday and the TV ain't calling out any more, confirmed from my old Netgear DG834 where I had blocked the offending addresses.

    example
    Thu, 2013-11-28 19:47:48 - TCP Packet - Source:192.168.0.3,59919 Destination:193.67.216.128,80 - [BLOCK]
    Thu, 2013-11-28 19:47:53 - TCP Packet - Source:192.168.0.3,59974 Destination:193.67.216.128,80 - [BLOCK]
    Thu, 2013-11-28 19:47:57 - TCP Packet - Source:192.168.0.3,60015 Destination:193.67.216.128,80 - [BLOCK]
    Thu, 2013-11-28 19:52:56 - TCP Packet - Source:192.168.0.3,34000 Destination:193.67.216.128,80 - [BLOCK]
    Thu, 2013-11-28 19:57:57 - TCP Packet - Source:192.168.0.3,34148 Destination:193.67.216.128,80 - [BLOCK]
    Thu, 2013-11-28 19:59:27 - TCP Packet - Source:192.168.0.3,34194 Destination:193.67.216.128,80 - [BLOCK]
    Fri, 2013-11-29 08:06:19 - Send out NTP request to time-g.netgear.com
    Fri, 2013-11-29 08:06:21 - Receive NTP Reply from time-g.netgear.com
    Sat, 2013-11-30 20:06:01 - Administrator login successful - IP:192.168.0.2
    Sat, 2013-11-30 22:02:00 - TCP Packet - Source:192.168.0.3,60639 Destination:199.127.204.213,80 - [BLOCK]
    Sat, 2013-11-30 22:18:11 - Administrator login successful - IP:192.168.0.2

    This is in the UK on a 47 LG led 2013 smart model

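The Sky syslog extract in comment 87 and the Netgear DG834 log in comment 101 show the same defender's signal: a device retrying a blocked destination every few minutes. As an added example (not code from the post or from any commenter), the Python below parses both log formats, ignores the unrelated NTP and admin-login lines, and counts blocked attempts per source and destination. The sample lines are constructed to match the shapes of the quoted ones; the addresses are copied from those quotes and the `min_attempts` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log mixing Sky "Access blocked" syslog lines with
# Netgear DG834 firewall lines, in the same shapes as the quoted logs.
# The TV is 192.168.0.10 on the Sky router and 192.168.0.3 on the Netgear.
SAMPLE_LOG = """\
Nov 22 17:14:54 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:17:23 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:22:43 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Thu, 2013-11-28 19:47:48 - TCP Packet - Source:192.168.0.3,59919 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:47:53 - TCP Packet - Source:192.168.0.3,59974 Destination:193.67.216.128,80 - [BLOCK]
Fri, 2013-11-29 08:06:19 - Send out NTP request to time-g.netgear.com
Sat, 2013-11-30 20:06:01 - Administrator login successful - IP:192.168.0.2
Sat, 2013-11-30 22:02:00 - TCP Packet - Source:192.168.0.3,60639 Destination:199.127.204.213,80 - [BLOCK]
""".splitlines()

# Sky router: blocked URL/keyword, with the requesting LAN address.
SKY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) syslog: '
    r'Access blocked to url/keyword "(?P<dest>[^"]+)", '
    r'request from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$'
)

# Netgear DG834: blocked TCP packet with source/destination address and port.
NETGEAR_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}, \d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - TCP Packet - '
    r'Source:(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+) '
    r'Destination:(?P<dest>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) - \[BLOCK\]$'
)


def parse_blocked(line):
    """Return (timestamp, source_ip, destination) for a blocked-request line.

    Returns None for anything else (NTP requests, admin logins, allowed
    traffic), so only the router's own block events are counted.
    """
    text = line.strip()
    m = SKY_RE.match(text) or NETGEAR_RE.match(text)
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dest")


def summarise(lines):
    """Group blocked attempts as {source_ip: {destination: [timestamps]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_blocked(line)
        if rec is not None:
            ts, src, dest = rec
            out[src][dest].append(ts)
    return {src: dict(dests) for src, dests in out.items()}


def persistent_sources(lines, min_attempts=3):
    """Return source IPs with at least min_attempts blocked requests (threshold assumed).

    A device that keeps retrying a blocked destination is both proof that the
    block is working and a reminder that the device is still trying to phone home.
    """
    counts = {}
    for src, dests in summarise(lines).items():
        counts[src] = sum(len(stamps) for stamps in dests.values())
    return sorted(src for src, n in counts.items() if n >= min_attempts)


if __name__ == "__main__":
    for src, dests in summarise(SAMPLE_LOG).items():
        for dest, stamps in dests.items():
            print(f"{src} -> {dest}: {len(stamps)} blocked (first {stamps[0]})")
    print("persistent:", persistent_sources(SAMPLE_LOG))
```

Feeding a real router export in place of `SAMPLE_LOG` gives a per-device tally of which blocked hosts the TV is still trying to reach, which is a quicker check than eyeballing the raw log after each firmware update.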
  102. I have followed this thread with great interest from here outside Washington DC. I JUST BOUGHT an LG 47LN5700, and have been quite concerned since stumbling on this news of LG's spying a couple days ago.

    My problem is that I am rather unknowledgeable when it comes to network routers. I don't know exactly how to block those domains on a Verizon Actiontec router. However, I know that my TV did at least two firmware updates in the past 3-4 days. Can I safely assume that I am safe from LG's spying, as long as I have turned off "collection of watching info"?

    Thank you for shining a light on this, DoctorBeet.

    Replies
    1. Hi Dave,
      You're probably safe but who knows.
      Here is a guide I found that may help you block the domains I listed above. By doing this you should find that the advertisements disappear too.

      http://www.ps3news.com/forums/ps3-guides-tutorials/how-block-traffic-actiontec-mi424-router-verizon-fios-118160.html

  103. Thanks for uncovering this, DoctorBeet. I'd just read this after having purchased a LG 42LN5758 which does send filenames from USB too. There were some additional issues that annoyed me

    http://blog.techflaws.org/2013/12/04/lg-42ln5758-why-lg-why-indeed/

    so I'm gonna return the device.

  104. Please keep us updated on if you see a firmware update come out, and if it really fixes the issue.

    For now I'll be blocking the ads because it's unacceptable to show ads on a TV I own.

  105. Hi DoctorBeet,

    according to German computer magazine c't, LG has changed what data is being transferred with their current update 04.20.29 for LN and LA models. Apparently there's no unencrypted transmissions (of filenames) anymore. I've uploaded a small dump to my blog, I'm not quite sure everything is a-ok, what is your take on this?

    Replies
    1. That seems to be the case from what I'm seeing. LG released 04.04.07 shortly after their press release and I was offered 04.20.29 on Saturday (14th).

      All the unencrypted monitoring traffic has vanished but I have detected NEW data being sent to GB.info.lgsmartad.com which is encrypted. I have blocked this traffic since it looked suspicious to me.

      Thanks for uploading, I'll try to take a look soon.

  106. Please, let us know when the problem is resolved to download the latest version. Thank you so much!

    Replies
    1. Well the monitoring traffic appears to have stopped so you should probably update if you have firmware from before the end of November.

      I'm still working on this so follow me on Twitter if you can @DoctorBeet.

  107. My 47LN5700 just downloaded v. 5.00.30 of the software about three days ago. However, I have no idea, nor any way of determining, what that version does.

    Replies
    1. I was offered it too but there's no way I was working on it over Christmas :-)
      This is the third update they've sent since my blog post.
