Consumer Reports recently published a report warning people of security vulnerabilities found on a number of popular smart TV brands, including those that run on the Roku platform. Roku immediately released a statement saying Consumer Reports was “wrong.”
Consumer Reports tested smart TVs from five different brands: the Samsung UN49MU8000, the TCL 55P605, Sony’s XBR-49X800E, the LG 49UJ7700, and the Vizio P55-E1 SmartCast TV. It also used its Digital Standard tool, which it developed with partner companies in an effort to include a “digital privacy and security standard” in reviewing consumer products.
It was also noted that the five tested smart TVs were powered by different platforms. The TCL product runs on Roku, while the Sony and Vizio TVs used a variety of Google-developed systems. The Samsung and LG units ran the manufacturers' own systems, Tizen and webOS, respectively.
Security issues were reportedly found on the Samsung and TCL TVs. According to Consumer Reports, the security of these TVs was flawed and allowed its researchers to remotely control them.
“They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network,” Consumer Reports explained.
The report indicated that the hack did not work on the tested LG, Vizio, and Sony TVs.
Meanwhile, it was also clarified that Consumer Reports’ test did not seem to show more serious vulnerabilities that would let attackers carry out more complicated attacks, such as stealing sensitive information.
The security issue reportedly also applied to other TVs (Hisense, Hitachi, Insignia, Philips, RCA, and Sharp) running on the Roku platform. Consumer Reports and its partner cybersecurity firm, Disconnect, also stated that even Roku’s own hardware products were not secured.
Disconnect lead engineer Eason Goodale said in the report that Roku products used “a totally unsecured remote control API” which was also the default tool used on Roku devices. “This means that even extremely unsophisticated hackers can take control of Rokus,” Goodale added.
Roku responded to Consumer Reports’ review and said that the organization “got it wrong.”
Roku’s VP of trust engineering, Gary Ellison, said in their own statement: “This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.”
Ellison also claimed that the supposedly unsecured remote control API could only be activated when users chose to do so.
“In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled,” the Roku executive further explained.