In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.

LG's marketing text for the feature reads:

"LG Smart Ad analyses users' favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women. Furthermore, LG Smart Ad offers useful and various advertising performance reports that live broadcasting ads cannot, to accurately identify actual advertising effectiveness."
At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.
Here you can clearly see that a unique device ID is transmitted, along with the channel name "BBC NEWS".
Here is another example of a viewing info packet.
GB.smartshare.lgtvsdp.com POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1
Host: GB.ibis.lgappstv.com
Accept: */*
X-Device-Product:NETCAST 4.0
X-Device-Platform:NC4M
X-Device-Model:HE_DTV_NC4M_AFAAABAA
X-Device-Netcast-Platform-Version:0004.0002.0000
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-ID:2yxQ5kEhf45fjUD35G+E/xdq7xxWE2ghu0j4an9kbGoNcyWaSsoLgyk8JJoMtjRrYRsVS6mHKy/Zdd6nZp+Y+gK6DVqnbQeDqr16YgacdzKU80sCKwOAi1TwIQov/SlB
X-Authentication:YMu3V1dv8m8JD0ghrsmEToxONDI=
cookie:JSESSIONID=3BB87277C55EED9489B6E6B2DEA7C9FD.node_sdpibis10; Path=/
Content-Length: 460
Content-Type: application/x-www-form-urlencoded

&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2
&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287&watch_dvc_logging=0
This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.
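As an added example (this is not code from the original post or from LG), here is a small Python parser for a captured watchInformation request. The sample request is reconstructed from the capture above: the X-Device-ID and the form body are copied verbatim, while the X-Authentication, cookie and Content-Length headers are left out. It pulls out what a reviewer would want from each packet (endpoint, device identifier, channel, the watch_dvc_logging flag) and also shows that the body repeats several keys with different values, which a naive "split on &" parser would silently overwrite.

```python
# Added example: parse a captured LG watchInformation POST and summarise what
# it leaks.  Not code from the original post or from LG.
from urllib.parse import parse_qs

# Constructed from the capture in the post (CRLF line endings as on the wire).
# The X-Authentication, cookie and Content-Length headers are omitted; the
# X-Device-ID and body values are copied from the capture.
SAMPLE_REQUEST = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "Accept: */*\r\n"
    "X-Device-Product:NETCAST 4.0\r\n"
    "X-Device-Platform:NC4M\r\n"
    "X-Device-Model:HE_DTV_NC4M_AFAAABAA\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:2yxQ5kEhf45fjUD35G+E/xdq7xxWE2ghu0j4an9kbGoNcyWaSsoLgyk8JJoMtjRrYRsVS6mHKy/Zdd6nZp+Y+gK6DVqnbQeDqr16YgacdzKU80sCKwOAi1TwIQov/SlB\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2"
    "&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398"
    "&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235"
    "&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no="
    "&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no="
    "&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1"
    "&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287"
    "&watch_dvc_logging=0"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        # The TV sends some headers without a space after the colon,
        # so split on the first ':' and strip rather than on ': '.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so that empty fields such as chan_phy_no= are kept;
    # parse_qs keeps every value of a repeated key, in order.
    fields = parse_qs(body, keep_blank_values=True)
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def summarise(req):
    """Pull out what matters for a privacy review of one packet."""
    fields, headers = req["fields"], req["headers"]

    def last(key):  # the TV repeats keys; the last value is the populated one here
        return fields.get(key, [None])[-1]

    return {
        "endpoint": headers.get("host", "") + req["path"],
        "device_id": headers.get("x-device-id"),
        "channel": last("chan_name"),
        "chan_code": last("chan_code"),
        "watch_dvc_logging": last("watch_dvc_logging"),
        "repeated_keys": sorted(k for k, v in fields.items() if len(v) > 1),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_request(SAMPLE_REQUEST)).items():
        print(f"{key:18} {value}")
```

Feeding a pcap into this is a matter of handing each TCP payload that starts with "POST " to parse_request; the point of the example is that a single packet already carries a stable device identifier and the channel being watched, in the clear.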
It was at this point that I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers, and that these filenames were ones stored on my external USB hard drive. To demonstrate this, I created a mock avi file and copied it to a USB stick.
This file didn't really contain "midget porn" at all; I renamed it to make sure it had a unique filename that I could spot easily in the data, and one that was unlikely to come from a broadcast source.
And sure enough, there it was...
Sometimes the names of the entire contents of a folder were posted; other times nothing was sent. I couldn't determine what rules controlled this.
I think it's important to point out that the URL the data is being POSTed to doesn't in fact exist: you can see this from the HTTP 404 response in the next response from LG's server after the ACK. Note that a 404 only shows that nothing is published at that path; the server may still have written the request, filename included, to its logs before answering.
However, even if nothing is being stored at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.
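To make the 404 point concrete, here is an added example (not code from the original post, and not anything LG is known to run) of a collector that answers 404 Not Found to every request and still records the POSTed data. It is a plain WSGI application using only the standard library; the post_to_app helper drives it without a network socket so the behaviour can be checked offline.

```python
# Added example: a server that answers 404 to every request but still records
# the POSTed data.  Not code from the original post or from LG; it only
# demonstrates why a 404 does not prove the data is discarded.
import io
from wsgiref.simple_server import make_server

COLLECTED = []  # stand-in for the log file or database a real collector would write


def collector_app(environ, start_response):
    """WSGI app: log the request, then reply exactly like a missing resource."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length else b""
    COLLECTED.append({
        "peer": environ.get("REMOTE_ADDR"),
        "path": environ.get("PATH_INFO"),
        # WSGI exposes the X-Device-ID request header as HTTP_X_DEVICE_ID
        "device_id": environ.get("HTTP_X_DEVICE_ID"),
        "body": body.decode("utf-8", "replace"),
    })
    payload = b"404 Not Found"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(payload)))])
    return [payload]


def post_to_app(path, headers, body, peer="192.0.2.10"):
    """Call the app directly (no socket) and return (status line, recorded entry)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "REMOTE_ADDR": peer,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    b"".join(collector_app(environ, start_response))  # consume the response body
    return seen["status"], COLLECTED[-1]


if __name__ == "__main__":
    # Point a client at http://127.0.0.1:8080/anything: every response is a
    # 404, and COLLECTED grows with each request.
    with make_server("127.0.0.1", 8080, collector_app) as server:
        server.serve_forever()
```

The client sees nothing but a 404; from the wire alone it cannot tell this from a genuinely missing resource, which is why the status code is no evidence either way about retention.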
It would be easy to infer the presence of adult content or of files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.
So what does LG have to say about this? I approached them and asked them to comment on data collection, profiling of their customers, collection of usage information and mandatory embedded advertising on products that their customers had paid for. Their response to this was as follows:
Good Morning

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards
Tom
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm, Sat 9am-6pm, Sunday 11am-5pm

I haven't asked them about the leaking of USB filenames, due to the "deal with it" nature of the above response, but I have no real expectation that their response would be any different.
So how can we prevent this from happening? I haven't read the T&Cs, but one thing I am sure about is that I own my router and have absolute jurisdiction over any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop the spying and advertising on TVs that we, as customers, have actually paid for.
- ad.lgappstv.com
- yumenetworks.com
- smartclip.net
- smartclip.com
- smartshare.lgtvsdp.com
- ibis.lgappstv.com
This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.
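As an added example (not part of the original post), the list above turned into router rules. It assumes the home router runs dnsmasq (or dnsmasq-based firmware such as OpenWrt); the hostnames it tests are the ones that appear on this page. Two details matter in practice: DNS names are case-insensitive, so the "GB.ibis.lgappstv.com" seen in the capture must match the lower-case entry "ibis.lgappstv.com", and matching must be on a label boundary so that a lookalike domain ending in the same letters is not caught by accident.

```python
# Added example: blocklist matching and dnsmasq rule generation for the
# domain list in the post.  Not code from the original post or from LG.

# The author's list, as given above (llnwd.net deliberately absent; it is a CDN).
BLOCKLIST = [
    "ad.lgappstv.com",
    "yumenetworks.com",
    "smartclip.net",
    "smartclip.com",
    "smartshare.lgtvsdp.com",
    "ibis.lgappstv.com",
]


def is_blocked(hostname, blocklist=BLOCKLIST):
    """True if hostname equals a blocklist entry or is a subdomain of one.

    Lower-cases both sides because DNS is case-insensitive (the TV's Host header
    is 'GB.ibis.lgappstv.com'), and requires a '.' before the entry so that
    'notyumenetworks.com' does not match 'yumenetworks.com'.
    """
    host = hostname.rstrip(".").lower()
    for entry in blocklist:
        suffix = entry.rstrip(".").lower()
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def dnsmasq_rules(blocklist=BLOCKLIST, sink="0.0.0.0"):
    """One 'address=/domain/sink' line per entry for dnsmasq.conf.

    Unlike an /etc/hosts entry, a dnsmasq address= rule also covers every
    subdomain, so the GB.* country prefixes the TV uses are caught too.
    """
    return [f"address=/{domain}/{sink}" for domain in blocklist]


if __name__ == "__main__":
    # Assumed hostnames for illustration; the first three appear on this page.
    for name in ["GB.ibis.lgappstv.com", "GB.smartshare.lgtvsdp.com",
                 "ipg.content.glb.gracenote.com", "llnwd.net"]:
        print(f"{name:32} {'BLOCK' if is_blocked(name) else 'allow'}")
    print("\n".join(dnsmasq_rules()))
```

The gracenote and llnwd hostnames are left unblocked on purpose: the comments below explain that llnwd.net is a general-purpose CDN, and the encrypted gracenote traffic looks like programme metadata rather than tracking.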
(Update: removed llnwd domain, see comments)
(Update: 14 Dec 2013 - Changed Imgur images to Blogger to reduce dependencies. Minor formatting, Added mirror of linked Video)
Since you are in the UK, it may be worth forwarding this to the Information Commissioner's Office: http://www.ico.org.uk/ and pointing out to LG that you have done so... It would be interesting to see how that might affect their next response.
If their data collection collects any personally identifiable information, they are subject to the UK Data Protection Act. That potentially means you can serve them with a Subject Access Request: http://www.ico.org.uk/for_the_public/personal_information
Since it seems they are aiming to be able to track you, it would be interesting to send them one anyway and see what they respond - they can charge you up to 10 pounds to process it, and there are legally mandated response times. Including a full copy of one of the requests should be sufficient to authenticate you and provide them the information they'd need to check their logs...
They would also be subject to the Data Protection Act for things like retention and providing ability for you to have any records they might hold purged.
You may also want to draw LG (and the ICO)'s attention to the fact the request appears to include cookie information, and to the infamous "cookie law"...
Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs - collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.
This was very helpful. I wasn't aware of the 404 practice. Good to know.
It's easy enough to generate a 'fake' 404 page, complete with proper header, which still stores data into a database. For example I have a system running on http://img.overbythere.co.uk/ but I don't want people to see it, so I generate the 404 you see there.
I can back up the 404 logging practice, as we use it for error collection from client apps at the large online site I work for.
Hmm, per The Register, LG said they'll be issuing new firmware to remove that nonsense "soon".
Well, the file scanning nonsense. And they also claim that turning off the "what you're watching" "feature" will actually turn it off with the patch.
Thanks for your notifications, good to know. That's why I hesitate to choose theirs. I definitely wouldn't buy them at any price.
I would not block llnwd.net as that is actually a CDN operated by Limelight Networks. They use llnwd.net for a lot of content delivery.
I was going to mention the same. Blocking llnwd.net would block access to a lot of video content that goes via the Limelight CDN.
Two questions arise from this:
1/ Surely it doesn't matter what is in their T&Cs: if the option to switch data collection off doesn't work, then that's a serious matter and needs to be investigated by LG?
2/ Are other Smart TV manufacturers doing the same thing, and not been found out yet?
I expect the "Tom" character in the email response from LG is a lowly figure in the food chain (equivalent to Call Centre staff). To pursue this, one would need to go considerably higher.
Delete"Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.
DeleteThe advice we have been given is that unfortunately..."
How much higher can you go than the head office?
I understand it may not have been escalated properly by Tom or someone at the head office but Tom went out of his way to give the impression it couldn't go any higher and you would have to "live with it".
Their global corporate office in South Korea.
You've gotten to the UK head office. The South Korean head office might not want bad press about televisions spying on customers.
Hello, could you help me to carry out the same checks with a Samsung TV?
It's as simple as getting an old hub, putting your TV and a computer on the same hub, connecting the hub to your router, and installing Wireshark on your computer. It needs to be a hub and not a switch for accurate capture of packets.
Not all hubs support man-in-the-middle sniffing. Best consult the Wireshark wiki for the best way to set this up. Building yourself a tap is the best way.
A switch that supports port mirroring would also work if you have one available.
The feature seems to be in a lot of these "Smart" or "Semi-Managed" switches.
You can use an old router with OpenWRT installed to handle the packet forwarding.
@Jeff, yes they do. Hubs are OSI Layer 2 devices, and they broadcast all packets to all other ports. Anything that doesn't do this is not a hub.
Actually, more specifically, network hubs are dumb traffic devices that operate at Layer 1 (Physical Layer) to do this. While only the intended target *should* respond, the data is sent to all connected ports to find the correct destination. Switches are more intelligent traffic management and operate at Layer 2 (Data Link), and port destinations are identified by the actual destination's MAC address. There are various methods as to how a switch can handle this, but ultimately in a Layer 2 switch the traffic is sent to the specific port where the registered MAC is, rather than broadcast to all ports as is done in a hub.
Hello Jeff, it's not really "man in the middle" but a promiscuous sniff of traffic in the same broadcast domain. The hub blasts to all ports, and well-mannered NICs are supposed to mind their own business.
So it's really a man on the side rather than in the middle. I have not seen a hub used for a while now, and the only ones I have in the shed are all 10BaseT, and decidedly not for HD, but OK for this kind of forensic work.
Sniffing communication between 2 endpoints (TV<-->LG => TV<->YOU<->LG) is a Man In the Middle by definition, regardless of domains or whatever. The only "man on the other side" is LG. :)
http://mathcs.slu.edu/~chambers/spring11/security/assignments/lab04.html#reading
Not quite Rick.
A man-in-the-middle setup requires the traffic to pass through the middle-man and on to the end. A hub floods traffic out all ports (pedantically, that's not actually a broadcast). The listener doesn't then relay the traffic to the other side. A hub is NOT man-in-the-middle, it's more man-on-the-side. Nothing goes from the listener to the other end-point as it does with a router.
The 404 response from the server is meaningless. It could be saving the submitted data regardless.
Could be? Is.
LG's http server, regardless of type, maintains logs of all requests made of it, which include (amongst other things) the user-agent (what browser), the timestamp, and the contents of the request.
Their sysadmin for their webserver merely has to run the logs through a filter to look for all 404-spawning POST requests with the user-agent corresponding to their TVs. This will give him a complete archive of timestamped information suitable for processing for analytics or whatever other purposes they wish.
The fact that this is sent in the clear is also worrisome; anyone capable of intercepting your network traffic now knows you have an LG TV on it, and can (trivially) determine if you are home watching TV, or (some difficulty) research whatever current exploits that kind of TV is vulnerable to.
And yet people ask why a sysadmin like me has a 'dumb' TV and goes through the 'trouble' of hooking up separate boxes to it to watch things...
It doesn't matter what their logs are doing. Anyone can configure a web server to process a request and send a 404 as a response. They could send a 500 response, even a 403. It can still be processed by any type of service they have running. At the very least it's true that they are logging that information in their default configuration, but I bet there's more at play here.
I keep my TV dumb as well, with separate boxes attached, but I have no illusions about those separate boxes either. Game consoles, set top boxes and media players might also scour your network and call home.
<?php
// Answer 404 to the client but still keep the submitted data.
header('HTTP/1.0 404 Not Found');
// Do something with the data submitted held in $_POST["query"];
POST data is typically not saved in web server access logs, at least partially because the data can contain a *large* amount of anything, including line breaks which could royally screw up flat file logs. (I don't know that it's even possible to tell Apache to log POST data without modifying the server code.)
Access logs typically include: IP, timestamp, method (POST/GET/etc.), path with query string ("/rest/.../search.xml?" in this case), response code (200/404/etc.), response size, and user agent (misspelled "Mozila/4.0" in this case). It is definitely possible that their access logs are set to record those extra X-* headers, though.
I concur with Grant. If you get back a 404 there is a server at the other end.
That server may be faking a 404 and logging what you sent them so they know of your midget porn! ;)
The ICO is the correct people to follow this up with. Regarding the T&Cs line LG are going with, it appears it could be an unfair condition (especially if not pointed out in layman's terms during activation) and the OFT may be interested.
It would be interesting to know what the retailer has to say. Would they be happy that LG is spying on us and blaming them for it?
Yeah, that's kinda creepy. I'll need to check out my Vizio smart set for the same type of shenanigans.
Note the different URI than the one where watching habits are posted to; note the "smartshare" in there. LG TVs sport a "Smart Share" feature, so isn't this related to the LG Cloud feature, and isn't it just looking for the file in your own "private" cloud?
(That it does this in clear text is of course ridiculous!)
Well, an LG Smart TV was going to be my next TV but now I'll be looking elsewhere, cheeky £@$7@&*$
Code 200 would be a valid response for the peer initiating the POST request; however, they can send back any response code they want and still log the request...
ReplyDeleteSounds to me they're trying to camouflage it a bit.
Wait, you didn't agree to any terms or conditions when the TV booted up? Nor at purchase time?
Well, just tell them they owe you $1 million for replying to your email. Oh, they didn't see your T&Cs for email replies? Heh.
Dear Richer Sounds,
I saw a blog post which reports that LG smart TVs contain spyware which sends to LG detailed information about what is being viewed and even the filenames of any files it discovers.
http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
The author asked LG about it and they disdainfully said it's up to the retailer to make "you agree to being spied upon" (I paraphrase) a contract term at the point of sale. Please see their reply in that blog post.
I purchased a LG smart TV and blu ray player from your Sheffield branch. The sales experience was very good but it was never explained to me that such a contract term did exist. If such a contract term was to exist then it would need to be pointed out at the point of sale, as it is not possible for the manufacturer to add further contract terms after purchase, regardless of whether or not they present me with pages of legalese and an "accept" button. UK law does not allow it.
In addition to contract law, the Consumer Protection From Unfair Trading Regulations does require that all significant terms be made clear at the point of sale. I would argue that this detailed snooping is significant.
I do not consent to any usage information being transmitted to LG (or anyone else) from the products I purchased from you. Had this behaviour been made clear to me at the point of purchase, I would not have made the purchase.
If the blog post is true, and in order to preserve my privacy, I can no longer use these devices. I cannot (and obviously should not) trust them.
So now we have a problem. I may need to return these units to you for a refund, regardless of how long ago the purchase was made.
1. Will you take this issue up with LG on behalf of your customers?
2. Had LG advised you that you must ensure that additional contract terms are explained to your customers as part of the sales contract? Can you please provide me with copies of the materials that LG provided to you about this?
3. Will you update your website, catalogue and in-store materials to make clear which products intrude upon user privacy and the extent to which such intrusion can be minimised?
4. For any customer who has purchased these products without agreeing in advance to this intrusion on privacy, will you provide a full refund, regardless of product age? I'd expect you to reclaim all monies and your costs from LG.
I assume that you were not expecting this problem to land with you, but unfortunately LG's reply does make clear that they are making it your problem. Perhaps they will have greater respect for the purchasers of their products if you get involved.
I look forward to your reply. I will post this message and your reply as comments to the blog post.
VERY nice!!
Wow!
Just to note that I've had a helpful email and phone call from Richer Sounds. They are unimpressed at LG, have tried to raise the issue with them and are getting only the bland "Customer privacy is a top priority at LG Electronics" reply.
We had a short chat about the Sale of Goods Act aspects of a product whose manufacturer unilaterally changes the contract some time after purchase (mine being a 2012 model that has picked up the spyware in a recent update).
Although Richer Sounds were keen to be helpful, we decided to await a fuller response from LG.
Richer Sounds passed on the fuller response when it came. Rather than bury it here, I've pasted it at the end of the comments (dated 22 November 2013 12:55)
It's possible the filename thing is attempting to identify the show in order to provide content information. For example, the open source MythTV has a feature whereby you end up seeing the show logo and text about an episode if it identifies from the filename what the program is about. This must be using some form of web service to do it. It's possible the 404 you are getting back is not because the URL isn't found, but because it couldn't find any information about the program (for a REST API this would be a legitimate way of sending that sort of response).
If (as is the case with MythTV) this was optional behaviour, then it would be OK, and potentially a useful feature; however, if you can't turn it off (as in this case), then it is definitely an invasion of privacy...
There is a lot of encrypted traffic to ipg.content.glb.gracenote.com which I would expect is being used for media metadata.
If this is not unlawful, it bloody well should be.
And now please add some irony with this article from 2010:
http://torrentfreak.com/lg-shows-how-to-play-pirated-movies-on-tv-100205/
Awesome, I love it.
Keep in mind that just because the page is giving you a 404 doesn't mean that it doesn't exist. It's trivial to spoof a header, and most people (myself included) would take it at face value.
But when they're quietly tracking information like this, they could easily have faked it to have plausible deniability. "Sure, the information is sent, but there's nothing at that location to save the data."
While LG may or may not fail to log this, rest assured that the intelligence apparatus of our benevolent governments have not.
Delete"your concerns would be best directed to the retailer. "
ReplyDeleteI bought a 55" LG LED 3D TV on Amazon five weeks ago. One week too late to return given Amazon's return policy.
No mention of this activity appears on the Amazon page for this TV.
Please join me in (at the very least) hitting them on twitter. @LGBlog @LGUS and @LGUK.
Here is my complaint to them that caused them to blame the retailer. Note this was before I discovered the filename leaks and the broken opt-out
Dear Matt,
Thank you for replying to my query regarding advertising and user-behaviour tracking on my Smart TV.
Unfortunately, what you have told me makes me more certain than before that LG is in serious breach of EU Directive 95/46 on "Data Protection" in regard to the collection of data using my product.
Firstly: I purchased the TV from a high street dealer intending to use it for viewing digital TV and YouTube online content. The product is prominently labelled as having this feature on the box.
Upon setting up the TV, I did notice the user agreement that you pointed out and I initially refused to accept the terms. It became clear that not doing so rendered many features of the TV unavailable including many that were my reason for buying this product. Additionally, it was difficult to use the TV as it nagged me to accept the terms repeatedly - which I did after about a day.
I could not return the TV for a refund as the retailer's policy prohibits this once the box is opened. There was no way that I could be expected to give my informed consent to be tracked without unpacking the TV, and once this had been done there was no realistic way for me to decline the terms without accepting a crippled product that did not fit the description of what I purchased.
LG cannot insist that I submit to being spied on in order to use a product that I purchased, unless this is made perfectly clear at the point of sale when I can still decline without losing money.
Secondly: the data collection option in the system menu labelled "Collection of watching info" is defaulted to "ON" - even when the user chooses to decline the terms. This means that informed consent is not being obtained prior to data collection and tracking.
I intend to report this offence to the Office of the Information Commissioner and OFCOM tomorrow. I would urge LG to prepare a firmware update as soon as possible to rectify this situation.
I am speechless that LG would choose to treat its paying customers in this way; by stealthily monitoring them and selling the resulting information to advertisers for additional profit.
regards
The US Government should be interested in this too - it has to violate HIPPA if there's anything personally identifiable in the filename, like the patient name and/or number(*) and the disease name for a Case Study.
ReplyDelete(* = And that Patient ID number is often the Social Security Number in whole with a few letters or digits tacked on at one end to disguise it - or signify sex and birthdate, which would be an additional bonus. Nevermind it's been illegal to use the SSN as an I.D. number {in whole or part} for decades, virtually all major hospitals health plans and insurers all use it. Unless you see it and scream bloody murder.)
And think how handy it would have been for Hitler's staff to see a briefing video filename like (old example everyone should get) "Operation Overlord 06061944 Normandy" come across from a TV in a Pentagon briefing room a few weeks or months ahead... Huge Military Security Breach here we come.
Unfortunately, HIPPA only applies to health care workers. In other words, LG is not bound by it.
Furthermore, the Privacy Act of 1974, with a few exceptions, applies to government agencies, not the private sector.
The best you can do here in the USA is have some judge void the T & C as a "contract of adhesion".
It's HIPAA, not HIPPA. And while I agree that it's a pretty wild stretch to think this circumstance would result in a violation of the privacy rule, it is categorically *not* true that HIPAA only applies to health care workers. For example, any company that conducts administrative and/or financial transactions defined in 45 CFR § 160.103 (and others) could be subject. In fact, I'm currently preparing responses for my company's HIPAA compliance audit because we partially self-insure. We have nothing to do with health care, and much as I'd love you to be right, we are subject to HIPAA.
I discovered similar activity from my LG TV shortly after I bought it last year. I was infuriated to see Budweiser and McDonald's banner ads shortly after setting the TV up. I also discovered quite a lot of links being generated to a lot of non-LG sites for ad serving and activity tracking, with many of the URLs going to blank or 404 pages. I think the activity tracking is a lot worse in the U.S. I received a similar response from LG support, with excuses that the ads and tracking allow them to provide a better experience blah blah blah. I have blocked all the hosts via my router. I'm not playing this game over a device I OWN.
Please post a list of URLs that you are blocking, as I plan to do the same ASAP. Thanks!
The fact that their server is returning an HTTP 404 response does not mean that they are not collecting data. They may be returning 404 on purpose, so in the event that they are sued, they can say their collection URL was not implemented, yet they may collect the data anyway.
To those of you who seem to be aghast at this: how exactly did you think your SMART TV was getting its SMARTs? And as we laughed at many of the comments here at the office: do you really think that your other media devices aren't sending data on you back 'home'? You live in a connected world where much of the free services you use are powered by advertising, because things like hosting, development and so on cost money, and if you aren't going to pay, someone else has to. The point is not to worry about the fact that your TV is sending your viewing habits and penchant for midget porn to LG. The point to worry about is that they offer to stop sending this data as an option but don't honour that contract. I'm pretty sure that's not legal, but I'm not a lawyer.
LG TVs are not "free".
LG smart TVs are a premium-priced paid-for product, not a free service. You see the difference?
Nothing supplied on LG TVs requires advertising and/or tracking. The streaming services these TVs have are either paid for via their own subscriptions or their own in-app advertisements, same with the 3rd party apps in their app store. The price paid for the TV should be enough to cover the cost of development and to include the often lackluster media center options. If it isn't, then they need to reconsider how much they're going to charge for these products. The idea that LG customer service is trying to absolve themselves of responsibility and make the retailer to blame, at least in the U.K., is absurdity at its finest.
You are _paying_ to get advertising on your TV?
Doesn't sound very smart to me.
Yeah, it's a miracle that people pay for Sky, isn't it?
I know for a fact that most (not all) of my smart devices don't spy on me, because I too keep an eye on network traffic. But don't let facts get in the way of your unfounded and illogical blathering.
DeleteThis comment has been removed by the author.
Obviously it's time to start spamming the daylight out of the endpoints with data that *could* be real but isn't. Make the data harvested as close to worthless as possible.
+1
Quite so, Irregular Shed. Spurious spontaneous irregular and unconventional harvesting of massively misleading content is a guarantee of chaos delivery to madness and mayhem.
And if not a solution to encourage development change then also an application for Clouds Hosting Advanced Operating Systems to micromanage macro disorder and possibly smarter hostile user base energies for increased controlled and controlling powers with imaginative synergies and virtually elusive and/or attractively divisive distractions/sweet sticky passions which breed insatiably satisfying needs and feeds ...... Immaculate Source Seeding of QuITe Sublime IntelAIgent Services to Servers with Global Operating Devices for the COSMIC Application ProgramMING Environments ..... Mined Intelligence/Mind Infiltration Networking Games Grids for Live Operational Virtual Environments and the Sheer Pure Hell of IT’s Addictive Pleasures and Fiat Treasures.
And it would be pure speculation to imagine and posit that such as is freely shared there is a pre-emptive dump of info and intel in response to what be lost to Snowden from the Wild Wacky West and delivered in rapturous capture to the Exotic Erotic East .... but that in no way is to suggest that all or anything at all there is false whenever all is perfectly true.
Hi amanfromMars. Nice words. Would you please send us a link to the tool you used to generate your comment. It is terrific. There's a book called _Infinite Jest_ that does you one better: it makes sense.
Can you share the packet capture? I'd like to see those http headers
http://pastebin.com/5Kp2kC56
Awesome, thanks. Can you grab one for the channel change too?
Setting up AdTrap to block all this.. well, not block, but alter it so it's unusable to them. I'll probably just put in block rules if the tv will be normal if it can't get to those servers.
http://forums.getadtrap.com/forums/viewtopic.php?f=8&t=2261&p=8369#p8369
notify flipping on.. forgot earlier
I hadn't heard of AdTrap, good work!
http://pastebin.com/kQY4qKNm
Also, you see that last parameter? &watch_dvc_logging=0
I've just discovered that this is what the on screen opt-out seems to be changing...
Doctorbeet, when you check / uncheck the data collection box does the POST address change?
No. The only change is that parameter. I'm not very impressed with this as an implementation to say the least.
lol, thanks! Are you familiar with Charles proxy? You can set up a transparent firewall rule to forward the requests into it, and then it'll give you a breakdown of all the http requests. It's MUCH easier to deal with than a packet capture for actually seeing what's going on. Plus you can spoof a https certificate and possibly get a visual on that traffic too.. some things don't like it though, and I'm not sure how you'd accept the cert on a tv...
I wonder where that jsessionid came from, aren't those server assigned?
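As an added example (not code from the post or from anyone in this thread), here is a small Python parser for a watchInformation POST shaped like the capture in the article, which shows that the opt-out only flips watch_dvc_logging while the channel name and device ID are still transmitted. The request text is constructed from the article's field names with placeholder identifiers.

```python
"""Inspect an LG watchInformation POST and see what the opt-out changes.

Added example (not code from the post or from LG). The request below is
constructed from the field names shown in the article; every identifier is
a placeholder, not a captured value.
"""
from urllib.parse import parse_qs

# Constructed sample modelled on the capture in the article (fake identifiers).
SAMPLE_REQUEST = (
    "POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1\r\n"
    "Host: GB.ibis.lgappstv.com\r\n"
    "X-Device-Model:HE_DTV_NC4M_AFAAABAA\r\n"
    "X-Device-Country:GB\r\n"
    "X-Device-ID:PLACEHOLDER-DEVICE-ID\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2"
    "&broadcast_type=2&chan_code=PLACEHOLDER-CHAN-CODE"
    "&external_input_name=Antenna&chan_phy_no=&chan_phy_no=47"
    "&dvb_chan_svc_id=4287&watch_dvc_logging=0"
)

# Same request with the on-screen setting left on (opt-out not selected).
SAMPLE_REQUEST_OPTED_IN = SAMPLE_REQUEST.replace(
    "watch_dvc_logging=0", "watch_dvc_logging=1")

# Headers and form fields that identify the device or the programme;
# the names are the ones visible in the article's capture.
IDENTIFYING_HEADERS = ("x-device-id", "x-device-model")
IDENTIFYING_FIELDS = ("chan_name", "chan_code", "dvb_chan_svc_id")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        # LG's headers are written with no space after the colon; partition copes.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess_telemetry(raw):
    """Summarise what a watchInformation POST discloses and whether opt-out held.

    The opt-out is judged ineffective when watch_dvc_logging=0 is present but
    the same request still carries the channel name, i.e. the flag merely
    annotates data that is transmitted anyway.
    """
    request_line, headers, body = parse_http_request(raw)
    # keep_blank_values so empty fields (chan_phy_no=) are still visible;
    # parse_qs collects repeated keys into lists.
    form = parse_qs(body, keep_blank_values=True)
    chan_name = form.get("chan_name", [""])[0]
    opt_out_set = form.get("watch_dvc_logging", [""])[0] == "0"
    return {
        "endpoint": request_line.split()[1],
        "host": headers.get("host", ""),
        "identifiers_sent": sorted(
            [h for h in IDENTIFYING_HEADERS if headers.get(h)]
            + [f for f in IDENTIFYING_FIELDS if form.get(f, [""])[0]]),
        "channel_name": chan_name,
        "opt_out_set": opt_out_set,
        "opt_out_effective": not (opt_out_set and chan_name),
        "repeated_fields": sorted(k for k, v in form.items() if len(v) > 1),
    }


if __name__ == "__main__":
    for label, req in (("opt-out", SAMPLE_REQUEST),
                       ("opt-in", SAMPLE_REQUEST_OPTED_IN)):
        print(label, assess_telemetry(req))
```

Feed it real requests from a capture and compare the two states of the setting; if only watch_dvc_logging differs, the setting is not an opt-out in any meaningful sense.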
Yes airdamien. jsessionid is created by (I believe Java-based HTTP services) as a fallback in case the client does not support cookies for session tracking.
Typically an HTTP session ID, in this case from a Java Web server as jsessionid, is for the current session and unlike a cookie would not be stored on the client side from session to session. It maintains data that should accompany subsequent requests for the life of the session and it can be used so that a load balancer will always return the same user's requests to the same server, i.e. for session affinity because that particular server might be caching session data for that user. So better performance, response time, etc.
People use Facebook, Twitter, Google+, Gmail and they get stressed because LG knows what they are watching? No sense! :)
I use none of those.
People don't pay hundreds/thousands of dollars for Facebook, Twitter, and Google. Most people don't have a problem with free services collecting data.. Most people DO have a problem when their expensive toys spy on them without their consent.
Valdemir - in my opinion ANY non public person posting their photo and other personally identifiable information, thus enabling ALL unstoppable mismanagement and abuse of these in the future through all kinds of commercial and legal actors, IS AN OBVIOUS MORON, not deserving any discussion with adults at all. Morons belong to kindergarten schooling about privacy and data security. That's all. Cheers.
There is an easy way to stop this, just send LG a notice that your consulting fees are £500 per day or £1 per byte of data transmitted, whichever is greater, and then bill them for using your information that they so desperately want from you.
I traced mine, just opening the Applications menu and then opening Netflix. As part of that I see a request to
http://ae.amgdgt.com/ads/?t=de&p=9372&pl=d3155b14&cat=portal.homelivecard.360x150&aid=&did=&dom=938rMmOsPSB&mod=&ref=&cip=&dou=&gender=&age=&rnd=3144535663689619721
followed by another request (truncated):
http://ad-emea.doubleclick.net/N8549/ad/lgtv.nc3.nl.smartclip/portal.homelivecard.360x150;appid=;devid=;gender=;age=;dom=938rMmOsPSB;sz=1x1;dt2=%26amgid%3D349426c0-e83c-4b0f-b8a6-d1889627f33b%26client%3Dlg%26a
And another truncated one:
http://ad.smartclip.net/delivery/tag?sys=4&sid=42049640&zid=42858680&size=1x1&aid=113899520&dt1=&dt2=%26amgid%3D349426c0-e83c-4b0f-b8a6-d1889627f33b%26client%3Dlg%26appid%3D%26devmod%3D%26ref%3D%26cip%3D
Note the "gender" and "age" parameters in that URL, albeit with empty values. This is for a TV registered in the Netherlands.
This settlement with Google may have bearing on such devices in the US. "The settlement requires Google to not bypass cookie settings without a user's consent, nor may it fail to inform consumers of how Google serves personalized ads to them via their browsers. In addition, Google must expire the cookies placed on Safari browsers from June 1, 2011 through Feb. 15, 2012 by February of next year."
http://threatpost.com/google-pays-17m-privacy-settlement-to-37-states/102966
Great idea suggested by Irregular Shed about just spamming those endpoints. Wonder what legal issues would kick up if you had a linux box (or Raspberry Pi?) on the same hub as your wireshark tap that simply spewed spoofed packets constantly reporting random data? It seems dicey for them to charge you with unauthorized access to systems making unauthorized access to your information...
Found this info on the company behind the LG data collection:
http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_as_its_first_tv_oem/
http://vimeo.com/22276085
My US LG looks similar but there is no option to disable data collection. It would be limited to USB and DLNA played content because of our screwed up cable system that requires a box.
The privacy concern here isn't that your data is being collected. You bought a smart TV, obviously the manufacturer has data on your usage of it. The issues are twofold.
1. The end user is not being explicitly told their data is being collected, and they have no way of opting out
2. They're allowing third parties to collect the data directly from your device without telling you
Smartclip and Doubleclick are advertising companies. LG just gave them the keys to tag up your TV.
Similar to how websites have third party tracking from ad tech companies, the Smart TVs are inviting these companies to track directly as well. Those companies are doing a few things with the data.
1. Building a profile for your device based on data signals
2. Selling ad inventory targeted to the type of users they believe you are
3. Using your network data to cross-stitch to your phone, iPad, laptop etc.
Don't be surprised to get an ad for a fancy suit on your TV, then get it a few seconds later while you're browsing the web on your iPad. Then the next day on your Samsung galaxy... while you're walking past the fancy suit store.
Again, the biggest concern here is a lack of opt-out mechanism and transparency to the end user. At the end of the day, the ads aren't going away. Opting out won't make it so advertisers will stop messaging you, it will just make those messages less relevant.
"You bought a smart TV, obviously the manufacturer has data on your usage of it".
I don't see why this is 'obvious'. A Smart TV is a TV with an Internet stack, a Web browser and streaming clients for various OTT video protocols. End of story. It has no business whatsoever reporting any local activity back to the manufacturer whatever the user is forced to accept.
This isn't some subsidised mobile device where you have signed away your first born to an operator in return for a nearly free bit of kit, this is a generic TV bought full price at retail. Actually it amazes me that people even accept advertising in the manufacturer's portal in the first place (as opposed to services they may use, which is fair enough).
The irony is that LG probably wasn't using the data anyway - I know that 404's can be spoofed, of course, but never attribute something to malice that can be explained by incompetence...
Paul (Smart TV UI developer, among other things)
If I owned an LG Smart TV, and knowing they were collecting information in this way I would have a little fun. Here are a few suggestions.
1. Place a rubber band over the channel change button on the remote control and point it at the tv so it continually changes channels. Do this once or twice a week when you plan to be out of the house for at least an hour.
2. Whenever you upload a video file to your USB, rename it things like "jihad for beginners", "101 to plan before your rampage", "Yes, I killed your dog" and "LG UK HQ blueprints". Get creative and have fun with it.
3. Use their packets as a template to send extra packet data to their servers. Randomize the device ID and send random, non-tv related content. Pub quiz trivia might be a good place to start for content.
There is plenty more you can do. I feel like blocking it out is missing an opportunity...
Now THAT is a great idea. However, I'd be careful about which bogus titles I used for the videos. You don't want the local cops, CIA, FBI, (or depending on where else you may reside, MI6, Mossad, etc.) showing up at your house... ;-)
Here's another way to capture this traffic that worked for me without a hub. I have a Linksys WRT54GL router with dd-wrt custom firmware. I telnetted into the router to set up iptables to forward all traffic from the TV to my PC with wireshark capturing the traffic. Example:
iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101
iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101
This is a good method if you have a router with flashable firmware. I used an Xubuntu PC with two NICs and configured it as a router.
For those with custom firmware, this might be useful for blocking:
http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/
I wonder if they display this file data on a web interface somewhere. Try script injecting them.
I have not found this information anywhere in your post, so may I ask you which firmware version is running on the TV? Thanks!
I so much hope there are enough people who stumble upon this post, and understand its implication, for this to go viral!!!
Help us put an end to this https://github.com/MarsVard/Everything-is-bugged
Getting a 404 error from the server does not mean it doesn't process the data. It can process the data and send a 404 error back, just to obscure the fact that it is really collecting data... this is outrageous.
Well, this is an interesting coincidence - I was starting to look at the same things after a software update to my LG TV popped up a 50 screen "update our new privacy policy" sequence on reboot. You are ahead of me on wiresharking
If there is a group of people interested in playing with what we can do here - serving up images, analysing the data, deanonymizing it or simply co-authoring letters to the ICO, I'd be up for joining
@steveloughran
meanwhile, here are my screen shots of the privacy policies as declared on the device, which doesn't differentiate web access from device access, but does say they consider MAC addrs, cookies and TV watching to be non-personal info, and they can do what they want with it. Personal details are name and address, and they can do what they want with that too
http://www.flickr.com/photos/steve_l/sets/72157637867348596
Thank you for posting this.
"We may collect your first and last name and mailing address and may tie that information to your Non-Personally Identifiable Information), in an effort to track your usage of our products and services so that we can deliver products and services to you that meet your needs."
This would almost certainly place LG in violation of the Data Protection act and the EU DP directive. I have been unable to match my device serial number to the device ID that was being transmitted - but this statement indicates that they can and do match it back to your name.
Thanks for this information.
If some information contains enough information to tie it to "personally identifiable" information, I would think that the information should legally be considered "personally identifiable" - surely only aggregate information that fundamentally can't be tied back to a single person would be considered non-personal?
This also seems relevant: http://www.out-law.com/page-8060 - it seems that IP addresses can become "personal data" in some cases, even if they aren't tied to your name. I would imagine the same would be true of the device ID (i.e. your viewing habits associated with a device ID would probably fall under the data protection act as "personal data" even if they aren't associated with your name and address, since they are still linking the information with a single specific (unknown) person in a non-aggregate way.
I've written to John Lewis customer services pointing out this article, and how LG are fobbing this issue off onto them. I've asked them to get LG to explain what the hell they are playing at.
I have just got myself one of these tv sets, and have now emailed Currys asking the same information as the person above who asked Richer Sounds. I will post any replies I get.
In the meantime I have set up url filters on my router to block traffic.
Many thanks for the heads up
Today I have had a reply from Currys
It reads,
Dear John,
Thank you for your email dated 20th November 2013. Please accept my apologies for the delay in response.
The terms & conditions of the EULA (End User License Agreement) state that LG can gather information from the TV and you would have agreed to this as it would have come up when you set up the TV.
Therefore we will not be offering a refund or an exchange as you agreed to the terms and conditions, and the item has been used.
Thank you for contacting KNOWHOW™.
Kind regards,
Mohammed Ansar
The KNOWHOW™ Team
This was my issue; you've purchased the TV and have to unpack it and connect it up to read the Licence Agreement. Then if you disagree - tough you've bought it now so there's nothing you can do.
There need to be laws to protect users against "omnipotent" licence agreements that we are not aware of at the point of purchase.
AFAIK there is... all Ts and Cs are agreed at point of sale, and cannot be altered thereafter. Hence all these I agree buttons etc when you fire the device up are meaningless in contract law.
Retailers need to be made to adhere to the law, and to aid this they should display openly such conditions at the point of sale.
I think I might try my local MP
Nice Job BTW Doc B in bring this to everyone's attention, and ultimately this leading to a firmware update... It is not often one man makes a difference, but you definitely have.. Kudos
Another thing many don't consider. When you have a device that is expecting a response over IP communications, if there is any issue with that like, DNS timeout, unreachable IP etc it can lead to a laggy experience. Most system software developers do not properly thread the code to let this communication process spin off on its own.
Will certainly be blocking this tonight. Personally I'm not as fussed over watching habits being reported but the transmission of what is on external media is ridiculous. I need to get a copy of the terms you accept when you start the TV. If there is a breach of the Ts&Cs the target IP (for gb.ibis.lgappstv.com) resides in a block of IPs managed by RIPE, who will investigate misuse of its network (http://www.ripe.net/data-tools/db/faq/faq-hacking-spamming)
Put a firewall block outgoing from TV ip to internet, ip tables.
Or hack the tv and install a proxy.
yea..
1 Buy TV which can show Netflix and Hulu
2 Block that TV from internet..
Is this only if you are watching TV through the inbuilt tuner? What if you have cable box (eg Sky)? I assume they can't track what you are viewing then?
Dear Sir or Madam,
I was thinking about purchasing one of your smart televisions, but have just discovered that you collect all viewing information, including what programmes are being watched, who is watching them and for how long, and that you are also collecting data from any USB connection to the television. This even includes file names and names of children on those files. I understand that you also offer an option to "opt out" of this, rather than "opt in" and that even when the opt out is selected you still collect the information. You don't offer any guarantees regarding the safety or security of this information, you are allowing it to be passed over the internet unencrypted where anyone can collect it. If you could confirm these points for me before I purchase the television, I would be extremely grateful. I see also that you say that it is the responsibility of the retailer to inform the customer, and that it has nothing to do with your company or televisions... Are your retailers aware of this procedure? I always thought that when I purchased a television it was for the purposes of receiving information rather than divulging personal information for free. Is this the way of the future for L.G.? Would you like your children's information, or your own private information spread over the internet, without your being aware or being asked for your consent?
Yours sincerely,
Douglas Rankine.
P.S. Have you checked with the Data Commissioner that what you are doing is perfectly legal and good practice for the protection of private Data?
Dear LG UK,
I'm furious to discover via the media that my "smart" TV has been sending details of every button press to you.
1. Please inform me the version number of the TV firmware where this snooping commenced.
2. On what date did that version become available for download by the 2012 smart TV range?
3. How was "informed consent" obtained such that each individual user of the upgraded 2012 television fully understands and agrees to the data collection?
4. How can users of a 2012 television seek recompense for the unilateral change of contract term if they do not agree to it? The UK Consumer Protection From Unfair Trading Regulations prohibit such unilateral changes in terms.
5. What are the contact details of your data controller (the Data Protection Act requires that you have one) and do you propose to charge a fee for a Subject Access Request under the Act?
I look forward to your prompt reply.
I use opendns.com as an easy way of filtering what sites can be easily accessed from my home network. Any restricted domains (I add), or sites containing certain types of info (drugs, web spam etc) can also be blocked.
Visiting those sites returns a configurable access denied type page.
You simply configure your router to use opendns servers, then you can create an account and set up 'web content filtering'.
I've added the sites listed in this post. This whole thing is pretty disgusting. I really must try and setup some form of traffic analysis myself. Would appreciate any good articles out there on doing this
Yes, but then what do you do about opendns.com tracking your DNS history?
This is true, I guess you get nothing for free. Just like trusting Google with all your searches.
I trust opendns to do the right thing, more than LG. Is this really any worse than trusting your ISP with the same DNS history...
I have logged a complaint with the Irish Data Protection Commissioner today.
I will update you with any feedback.
We have an LG smart tv too, but the tv does not allow us to turn this off - it's greyed out! That's rather naughty!!
BBC News Online seem to have picked this up now, midget porn and all:
I got the URL for this post from a link on nbcnews.com, which has an article about it.
Just a note - llnwd.net is the generic top-level domain for the Limelight CDN. As far as I'm aware, it's not possible to collect data using a Content Delivery Network (it's for *delivering* *content*). Other than that, interesting article.
I think you're right and some others have pointed this out too. At the time I suggested blocking LL I had intercepted packets served on behalf of YuMe Inc.
I will try and update the list with a note.
This really just happened:
"Hello, LG support"
"Hi, I'm calling about your smart TVs"
"What is your address and postcode?"
"Why do you need to know?"
"In case we want to write to you"
"It's excessive data collection that I am calling about..."
You know, now that I think about it, I'm not sure what's worse about the mention of encryption. I mean, it can be intercepted if it's not encrypted (not like LG would care, they just want the data, so what to them if others spy on your viewing habits) but on the other hand if this WAS encrypted then it wouldn't have even been discovered..
http://gb.lgappstv.com/appspc/footer/footer/movePrivacyView.lge
Quote: "you do not want LGE to collect your personally identifiable information, please do not provide it to us." #Sigh
It does mention at the end though: "If you have any questions about this privacy policy or our privacy practices, please contact us at [hiral.gandhi@lge.com]"
Good luck with that though I guess - Good write up and well spotted sir.
Heh... reading the BBC article now, I love it when companies change their tune about looking into something when it becomes a much larger audience.
--------------------- From: http://www.bbc.co.uk/news/technology-25018225
When the consultant - Hull-based Jason Huntley - contacted the South Korean company he was told that by using the TV he had accepted LG's terms and conditions, and that any remaining concerns should be directed to the retailer who had sold him the screen.
But when the BBC contacted LG, it indicated it was looking into the complaint.
"Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously," said a spokesman.
Mr Huntley said details of what channels he had been watching had been sent even after a privacy setting had been changed
"We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.
---------------------
Great. First they try to get away with it. When it goes public they suddenly make it a top priority to "look into it". It's always the same.
Sidenote: 47LK950S with 06.01.24 and current 06.01.28 do not show any channel- or filenames so far - guess it's too old to be "smart enough" ;)
If the feature to turn it off isn't working, then I'd consider it a malfunction, and request a repair under terms of the warranty.
It would be interesting to see how they respond to that!
For those making comments such as what Jason Miller stated above "it's not possible to collect data using a Content Delivery Network" this is completely incorrect, had any of you actually researched this you would be able to denote the fact that "Content Delivery Network" servers are still running functioning web servers which store requests in the access log.
As far as the server they are making these data acquisition requests to giving 404 errors, the key note here is that they are returning an error which denotes the fact that these requests are stored in an easily accessible manner in the access_log of the webserver in which they control
The Register reported this was coming:
"The trick up the sleeve of Cognitive Networks is to move content recognition to the cloud, and place a thin client on a device, which makes porting far easier, in this case it believes that one day the smart TV will be the best device to have such a client on, and that in this way it can offer a number of advanced services across the board – mostly advertising-related.
"The system grabs tiny fragments of content from small regions on the screen and throws them to the cloud for recognition, picking them from 10 different frames in each second. Collette told us that the service would be on 10 million TVs by mid-2014 and now it is headed for LG smart TVs being sold in the 2013 range as well as being downloadable to those in the 2012 range."
http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_as_its_first_tv_oem/
also: http://www.theregister.co.uk/2013/11/20/lg_smart_tv_data_collection/
Hi Sue,
You can relax about Cognitive. I contacted their CEO at the same time as LG and received a reply saying that they have not used this technology in the UK yet.
He also stated that the picture information is sent as a digital signature meaning that it cannot be used to reconstruct a picture of anything you are watching. It can only be used to say whether it is (or isn't) X-Factor for example.
What's the model? I want to report the device to the Canadian and Ontario privacy commissioners, as well as ensure that I do *not* have one of them.
--dave
Hi, it's: 42LN575V-ZE
I got ping responses and a full trace route from that "GB.smartshare.lgtvsdp.com" (IP address 193.67.216.137)
http://i.imgur.com/WQ0uktI.png
Eben Moglen has given warning about attacks like these on our freedom of thought in his talks. To freely think, read without being judged for example. The problem is not what you publish but what you read.
His talks lead/help you to shift your mind over a hill to an understanding. In other words, watching and thinking about the talks will be a bloody good investment of a few hours of your time in your 70 year life.
http://multimedia.aross.me/eben_talks/ (my mirror of his talks.)
http://snowdenandthefuture.info/
If it sends the data in a HTTP_POST to the server, it is trivial in PHP to still capture the information, and send back a realistic 404, even though there is really a file there.
My software, ZB Block, sends back 403s and 503s all day to bots and other hostile connections. Yes there is a file there, but it decides on the fly how to respond based on several criteria.
Don't EVER trust server response codes. Your data can still be logged, and the 404 just makes you feel good. I personally would find a way to stop it from connecting to the server, and send it to a real black-hole 404 on that request.
And if you have a cruel streak, try posting something nefarious, like the EICAR test file to that supposed 404 page. On the other hand, you could have some fun sending it things like "White_House_Morning_Security_Briefing_12-16-13.avi" and wait to see if they then attempt to download it (whatever it is) from you. Make sure it's a fat file.
If that happens and you think on it, it could be this exists for espionage reasons, and LG has been co-opted by an enemy government, and their electronics will need to be removed from all governmental establishments.
You are aware that these fake responses are easily detectable, right? Also your suggestions regarding the EICAR file and the "White_House_Morning_Security_Briefing_12-16-13.avi" are meaningless because they are steps ahead of you as far as this is concerned and will not attempt to make any requests for this content; it's not like they are Microsoft or Apple.
I did send a Twitter message to LG Nordic
@LGNordic I will never buy any LG device, with or without ethernet, if there is not acceptable answer http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html … for #spying
As stated many times above, the 404 means nothing. There's just no web server running on port 80. But it can listen on many other ports. A port scanner could find out which ones are open.
Actually, if you are going to play on technicality, 404 DOES MEAN that there's a web server running on port 80.
404 is an HTTP protocol status code. That can happen ONLY if there's a web server listening for connections and replying back.
If there was no web server on port 80, his TV would not be able to establish a connection at all and he wouldn't be able to see all those requests sent to LG.
I have a USB stick in my TV with family pictures on it. Seemed like a good idea at the time. Would it sometimes take these JPG files, without my consent and send them across the www to LG?
NOT HAPPY.
No. Only the names of files are sent.
Here is the reply I received from the company. Nice to see all this concern and activity. Mustn't encourage the paedophiles and terrorists must we, by inadvertently making honeytraps out of our children. They must be getting quite busy with all those queries. Lots of time wasted in dealing with customers and the various arms of the state investigating can help to make the whole thing unprofitable and they may have to re-write it. As Robert Burns used to say, "The weel laid plans o' mice an men, gang aft agley, and lea us nocht but grief and pain for promised joy"...:-).
P.S. Perhaps someone should tell Which Magazine. The company are so proud of the award they won, that they display it on their emails. The Consumers Association needs a bit of enlightenment too, I should think... :-)
Good Afternoon
Thank you for your e-mail.
Customer privacy is a top priority at LG Electronics and as such, we take the issue very seriously.
We are looking into reports that certain viewing information on LG Smart TVs was shared without consent. LG offers many unique Smart TV models which differ in features and functions from one market to another so we ask for your patience and understanding as we look into this matter.
We expect to have more information for you very shortly.
If you have any further enquiries, please do not hesitate to contact us.
Kind Regards
Emma Hills
LG Customer Service Escalations Team
LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com
UK: 0844 847 5454 Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am - 5pm
Engadget - LG promises to stop your Smart TV spying on you - http://www.engadget.com/2013/11/21/lg-admits-smart-tv-data-collection/
Thanks for posting this - this is really interesting. It's a step in the right direction.
Nice work on sussing this out. Without your post, I doubt they would've taken any action (at least, not so quickly).
Hi,
After finding out about your findings via a German news site, I did some wiresharking on my German LG LM660S and noticed exactly the same behavior as you did.
USB directory file names were transmitted to some server. Apparently the server does not exist, but who knows whether such a response is spoofable..
URLs are now blocked.
Thanks for finding this out!
Where do they draw the line? What about surreptitiously activating video cameras in the TV's and sending the data back to HQ?
I also saw this,
"Since the issue became public it has emerged that Sony's PlayStation also collects data from every Blu-ray disc that is played"
on a news site. The PS3 has LONG since been known to do FAR more spying than that (reporting back the model of TV you have and file names on storage as well as any device seen on your home network etc) but nothing ever happened about it (god knows why not)
Can we just make sure that ALL companies guilty of breaking EU data laws get punished here not just one...
For what it's worth, I checked this on my Canadian LM6400 (2012 model) and it doesn't seem to phone in any of this information. I checked the capture of a short session browsing around the Home screen, inserting a USB device and browsing my Plex media server.
The only outbound request was on the initial display of the Home screen, and it only sent minimal information such as the native resolution, amount of RAM, 3D support, locale and GPU spec. What you'd need to decide which supported SmartTV apps to display on the home screen.
I will be watching like a hawk should they ever push a software update, however.
Thanks for this useful info. I am not computer literate as others obviously are - but I went into my Sky Router / Security / Block Sites and entered the sites listed at the top of the post; all relatively painless. I have cleared the log and have ticked the box that says record attempts to access blocked sites - I will check back tomorrow to see (if anything) is being sent from my LG TV.
JTH
I bought an LG smart TV in Finland just a few weeks ago. Unfortunately I had not heard of these findings at the time. If I had, I would not have bought the TV.
Anyway, I sniffed the traffic my TV generates and the only external address it accesses when I watch TV is safebrowsing-cache.google.com. The traffic is in TLS so I cannot tell what the content is.
Can the safebrowsing-cache.google.com be used as a proxy to communicate the same stuff you have been seeing or is this just some harmless anti-phishing protection related traffic?
Then again, I wonder why it would need to do that, because I do not use the TV browser. I only bought the TV to have a good HD picture in Netflix.
Best regards,
Jyri
The R in URL / URI stands for Resource. A resource is a concept, not a file. A 404 response means that the requested resource cannot be provided by this service. But the service itself is running and the request is fully processed and not just logged.
One of the URLs contains "smartshare", which, according to LG's website, tries to find additional media information. So the resource could be information on a movie / song etc. and the conversation between your TV and LG's server might have been as follows:
TV:
Hey server, I want to display a picture, the director, the year of release etc. for the movie "Midget Porn 2013". Gimme that info.
Server:
Sorry, I don't have any information on that particular movie.
The second URL you presented contains "watchInformation" and might be something similar, but for TV programs.
So while LG's answer to your request is hardly satisfactory and it's reasonable to have privacy concerns, I don't think you have been a victim of Orwell-like spying.
As for the ad thing, well, that is disturbing, not to say disgusting IMHO.
Good work fella!
Just read on the BBC website that LG have promised a software fix to make a "no" setting mean exactly that after admitting they collect viewing information, even after users have disabled the function.
http://www.bbc.co.uk/news/technology-25042563
Well done, according to the BBC, to Jason Huntley who highlighted this in his blog . . . . . . .
Now the BBC are waiting to hear from Sony as it collects info on every blu-ray disc that is played and Samsung who have, so far, refused to comment.
JTH
Even though my LG has NO setting to allow or disallow data capture, the following is an extract from my router log (Sky) this evening.
Nov 22 17:14:54 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:17:23 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:22:43 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:23:55 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:24:15 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Luckily, I added the web addresses yesterday per an earlier blog . . . .
Thanks to the poster for the useful information
And what about your routers, do you really trust them? If anyone wanted to track your browsing/viewing habits, that would be the obvious choice for planting nefarious firmware. I for one can't help wondering why these things are now cheaper than toilet paper. Just saying.
The "Creepy Corporate Video" link is currently down for, ahem, "maintenance".
Oh you're joking. I hope someone grabbed a copy for reference.
Richer Sounds received a response from LG and forwarded it to me yesterday evening then followed up with a phone call today. I got the impression they'd have been prepared to return my TV to LG but, as there is a firmware update coming, I felt it would be easiest to await that.
I'm now preparing a dossier for the Information Commissioner.
--------
LG RESPONSE
"At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers' privacy is a very important part of the Smart TV experience so we began an immediate investigation into these claims. Here's what we found:
Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.
It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.
LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion."
--
I think there is a problem with LG's claim that "Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information."
They claim this because they think it will avoid them having to comply with data protection legislation.
However the ICO say that information is personal if it can be combined with personal information that the company already holds. As many/most smart TV users will have signed up for an account on their app store, they can combine the viewing information with it.
Therefore viewing information is personal data.
Sorry LG! Remember how "Customer privacy is a top priority at LG Electronics"? Prove it by complying with the law! Your data collection must be opt-in, not opt-out, and you must clearly inform users about exactly what is being collected, not bury it in a 30 page privacy policy.
Thanks, Sue. Just turned my TV on and there is a software update for installation - version 06.01.28. I have an LG 550. Hopefully, this will close the loophole until the next one is found.
JTH
I think we are forgetting that a lot of this sort of information and more is available and used on all digital platforms - PC, Mobiles and Laptops. It is pretty standard. It does not however allow a company to personally identify a user and that is where the law steps in. I would rather have a relevant ad than one that is not useful for me. Advertising is a necessary requirement and allows consumers the luxury of free content. I would rather have relevant ads than pay for content. It is a trade off. I think LG's response was the right one. I have many of their products and think they provide quality products at good prices. I too have an LG Smart TV and to be honest most of the ads I see are not relevant. I see a lot of car ads and I don't even drive!
You miss the point - I do not mind targeted ads where I am using free services (Google Mail etc.) but where I have PAID for a product and SAID NO to information gathering, then I have every right to object to someone (LG in this case) data mining my usage.
You don't drive. That's why they are trying to get you to buy a car.
:)
I'm curious if the HTTP 404 response is connected to the "Collection of watching info", i.e. if you set the setting back to Yes, would it hit a good URL?
That wouldn't happen. The 404 response is either a default setting or an intentional 'misdirection' on their part. 404's can be generated in response to anything, so there's quite likely a script that processes the information and just spits out a 404. Hell, they might even have the TV set to recognize a 404 as the correct response.
A feature like this would either A) do nothing at all, or B) phone home anyway, in the case of being set to off. It wouldn't just send data to the wrong place instead, and the 404 couldn't be generated based on whether the feature was on or off unless the packet contained the status of the feature (which would be pointless anyway since the TV would still be sending that packet in the first place).
I just picked up an LG 42LN5700 at Costco in Canada. Brought it home & decided to read some reviews and found this blog. Thanks for making this public! I am considering taking my TV back. If they want the data, they should have to ask for it, not hope that I never notice. I just tweeted this:
@LGCanada has this stopped? LG TVs log & report file names from USB devices & viewing habits. http://bit.ly/1jjCLrx #privacy #dontspyonme
I would like to know if firmware upgrades have made the opt out option effective. It is none of their business what is on my USB storage! I shouldn't have to give them access to me so that I can get access to the internet.
I have an LG 47LM669 smart TV and just updated to 4.51.07, being forced to agree to LG's terms of use before being able to use my TV's smart functions. It is a Nordic/Scandinavian model.
My TV does not have a collection option to turn off or on, so this leaves me slightly puzzled and worried. Does it collect or not, and why is the option missing?
Can anyone confirm this, or does anyone have more information on this?
I do not have the option either in my Finnish model. I have been sniffing the network traffic while watching the TV, but I have only seen some encrypted communication with safebrowsing-cache.google.com (see my comment above). So far I have not upgraded the SW, not sure if I will.
I see there is a software update now available but have not downloaded it yet (considering legal action so may need to preserve evidence).
Can anyone who has tried it tell me:
1. Is there still a "collection of watching info" setting?
2. Does it still default to On? (may need a factory reset to find out).
thanks
Hi Sue,
The "collection of watching info" option is still there on mine. It was set to off before the upgrade and it remained off afterwards. I haven't had time to check the comms yet but I have received reports that it is effective.
I went from 04.02.03 to 04.04.07.
Regards
Hi there!
I'm from Slovenia and I have an LG 47LA6678.
In my settings there is no "collection of watching info".
I have looked at my Linksys with DD-WRT log and there were 3 IPs that my TV is connecting to. Because I don't have much time to play around I have not sniffed the traffic yet, and I must see what data are sent from my USB.
Will post when I try.
Regards
I am not surprised at all, hence why I don't have a smart TV. But what amazes me is people being shocked about it. I mean, information is a gold mine for those manufacturers, and given the Xbox One story, why are you all shocked about it?
Anyway, thank you very much for the nice post and your work on it. We should spread the word.
Hi DoctorBeet, I appreciate your work on this, it's highlighted a major problem with LG's privacy policy and data handling. I have a 42LN575V set which was dialling home, until I blocked the domains in my router. Smart functions are still working (Lovefilm / BBC iPlayer / Smart Share etc.)
I have also downloaded the latest firmware 04.04.07. Can you say when you will have time to test the privacy option with this firmware?
That's the same model as mine. I'm still looking at the firmware, the spying traffic has disappeared but I'm still slightly suspicious about some of the other comms.
I was looking at something the other day that may be able to show the delta between 2 firmware packages... Check out: https://code.google.com/p/binwalk/
OK, I did the update on Thursday and the TV ain't calling out any more, confirmed from my old Netgear DG834 where I had blocked the offending addresses.
Example:
Thu, 2013-11-28 19:47:48 - TCP Packet - Source:192.168.0.3,59919 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:47:53 - TCP Packet - Source:192.168.0.3,59974 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:47:57 - TCP Packet - Source:192.168.0.3,60015 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:52:56 - TCP Packet - Source:192.168.0.3,34000 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:57:57 - TCP Packet - Source:192.168.0.3,34148 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:59:27 - TCP Packet - Source:192.168.0.3,34194 Destination:193.67.216.128,80 - [BLOCK]
Fri, 2013-11-29 08:06:19 - Send out NTP request to time-g.netgear.com
Fri, 2013-11-29 08:06:21 - Receive NTP Reply from time-g.netgear.com
Sat, 2013-11-30 20:06:01 - Administrator login successful - IP:192.168.0.2
Sat, 2013-11-30 22:02:00 - TCP Packet - Source:192.168.0.3,60639 Destination:199.127.204.213,80 - [BLOCK]
Sat, 2013-11-30 22:18:11 - Administrator login successful - IP:192.168.0.2
This is in the UK on a 47 LG led 2013 smart model
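Two commenters above answer the question "is the TV still calling out after the update?" by reading router block logs by eye. The following is an added example, not code from the original post or any commenter, that does the same check systematically for the two log formats quoted in this thread (Sky syslog URL/keyword blocks and Netgear DG834 packet blocks): it counts blocked attempts per LAN source and destination and reports the most recent one. The sample log lines are constructed for the example, and the two regexes assume exactly the formats shown above; another router will need its own pattern.

```python
import re
from collections import Counter

# Constructed sample log mixing the two router formats quoted in the thread.
# Addresses and times are made up for the example.
SAMPLE_LOG = """\
Nov 22 17:14:54 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:17:23 syslog: Access blocked to url/keyword "yumenetworks.com", request from 192.168.0.10
Nov 22 17:20:01 syslog: Access blocked to url/keyword "example.net", request from 192.168.0.22
Thu, 2013-11-28 19:47:48 - TCP Packet - Source:192.168.0.3,59919 Destination:193.67.216.128,80 - [BLOCK]
Thu, 2013-11-28 19:47:53 - TCP Packet - Source:192.168.0.3,59974 Destination:193.67.216.128,80 - [BLOCK]
Fri, 2013-11-29 08:06:19 - Send out NTP request to time-g.netgear.com
Sat, 2013-11-30 22:02:00 - TCP Packet - Source:192.168.0.3,60639 Destination:199.127.204.213,80 - [BLOCK]
"""

# Sky router: keyword/URL block, destination is a hostname, no port.
SKY_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) syslog: Access blocked to url/keyword '
    r'"(?P<dst>[^"]+)", request from (?P<src>[\d.]+)$')

# Netgear DG834: packet block, destination is an IP address plus port.
NETGEAR_RE = re.compile(
    r'^\w{3}, (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - TCP Packet - '
    r'Source:(?P<src>[\d.]+),\d+ Destination:(?P<dst>[\d.]+),(?P<port>\d+) - \[BLOCK\]$')


def parse_block_events(text):
    """Return blocked outbound attempts as dicts with ts, src, dst and port.

    Lines in neither format (NTP, admin logins, ...) are ignored rather than
    reported, so an unexpected log line cannot masquerade as a block.
    """
    events = []
    for line in text.splitlines():
        m = SKY_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "src": m.group("src"),
                           "dst": m.group("dst"), "port": None})
            continue
        m = NETGEAR_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "src": m.group("src"),
                           "dst": m.group("dst"), "port": int(m.group("port"))})
    return events


def blocked_by_source(events, src):
    """Count blocked attempts from one LAN address (e.g. the TV), keyed by destination."""
    return dict(Counter(e["dst"] for e in events if e["src"] == src))


def last_block(events, src):
    """Most recent blocked attempt from src, or None if it has gone quiet.

    Router logs are appended chronologically, so file order is used rather
    than parsing the two different timestamp formats.
    """
    hits = [e for e in events if e["src"] == src]
    return hits[-1] if hits else None


if __name__ == "__main__":
    events = parse_block_events(SAMPLE_LOG)
    for src in sorted({e["src"] for e in events}):
        last = last_block(events, src)
        print(src, blocked_by_source(events, src), "last attempt:", last["ts"])
```

Run it over the router's exported log before and after a firmware update with the TV's LAN address as src: a non-empty count whose last attempt is after the update means the set is still trying; an empty result only means nothing was blocked, so check that the block rules are still in place before concluding the traffic has stopped.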
I have followed this thread with great interest from here outside Washington DC. I JUST BOUGHT an LG 47LN5700, and have been quite concerned since stumbling on this news of LG's spying a couple days ago.
My problem is that I am rather unknowledgeable when it comes to network routers. I don't know exactly how to block those domains on a Verizon Actiontec router. However, I know that my TV did at least two firmware updates in the past 3-4 days. Can I safely assume that I am safe from LG's spying, as long as I have turned off "collection of watching info"?
Thank you for shining a light on this, DoctorBeet.
Hi Dave,
You're probably safe but who knows.
Here is a guide I found that may help you block the domains I listed above. By doing this you should find that the advertisements disappear too.
http://www.ps3news.com/forums/ps3-guides-tutorials/how-block-traffic-actiontec-mi424-router-verizon-fios-118160.html
Thanks for uncovering this, DoctorBeet. I'd just read this after having purchased a LG 42LN5758 which does send filenames from USB too. There were some additional issues that annoyed me
http://blog.techflaws.org/2013/12/04/lg-42ln5758-why-lg-why-indeed/
so I'm gonna return the device.
Please keep us updated on if you see a firmware update come out, and if it really fixes the issue.
For now I'll be blocking the ads because it's unacceptable to show ads on a TV I own.
Hi DoctorBeet,
according to German computer magazine c't, LG has changed what data is being transferred with their current update 04.20.29 for LN and LA models. Apparently there's no unencrypted transmissions (of filenames) anymore. I've uploaded a small dump to my blog, I'm not quite sure everything is a-ok, what is your take on this?
That seems to be the case from what I'm seeing. LG released 04.04.07 shortly after their press release and I was offered 04.20.29 on Saturday (14th).
All the unencrypted monitoring traffic has vanished but I have detected NEW data being sent to GB.info.lgsmartad.com which is encrypted. I have blocked this traffic since it looked suspicious to me.
Thanks for uploading, I'll try to take a look soon.
Please, let us know when the problem is resolved to download the latest version. Thank you so much!
Well the monitoring traffic appears to have stopped so you should probably update if you have firmware from before the end of November.
I'm still working on this so follow me on Twitter if you can @DoctorBeet.
My 47LN5700 just downloaded v. 5.00.30 of the software about three days ago. However, I have no idea, nor any way of determining, what that version does.
I was offered it too but there's no way I was working on it over Christmas :-)
This is the third update they've sent since my blog post.
I got your post from an Amazon Review.
I am not computer savvy, but have been trying to search out why my LG is hogging all my data bandwidth. I am allotted 150GB a month, and for years we have used 50GB a month on average.
Last month we exceeded our 150GB in the first 15 days of our billing cycle! So we turned off our internet router and waited for the rest of the cycle to pass. Then we experimented, and each day all other devices were unplugged and only one internet device was connected to the internet. And they only drew .5 to 1 GB in a day.
When it came to the day where the TV was hooked to the internet, it was drawing 16GB in one day!!!!
I contacted Netflix and changed the settings to the lowest playback possible, and the same with HULU, but the TV is still drawing 13GB a day!!!
We haven't used the internet feature in over a month. We don't have any other apps we are using at this time, because we are trying to pinpoint what is going on.
LG has already had to replace the motherboard once, because it will not stay connected to the wifi so it is connected with an Ethernet.
After reading your article, I am wondering if I need to be reading what is going on in the network router, or whatever device, but I really have no idea where to start, what to look for, or how to fix what I would find.
Is there a place either you or your readers could point me to?
Because LG just tells me to unplug the TV and hold the power button down for 30 sec. and that does nothing helpful.
Thanks