Perhaps you read our piece last year on how some Samsung smart TVs were hanging on your every word. It was a shame, but you had other buying options. Instead, you went out and purchased one of those newfangled Android TVs — perhaps one made by Sony.
Well, bad news: Sony TVs can also listen in on whatever you have to say. The only difference is that rather than the parent company using your conversations for voice recognition, Android TVs could let cybercriminals record them for nefarious purposes.
The information comes from Pen Test Partners, a Buckingham, U.K.-based corporate security service, which also confirmed Samsung's shady audio practices last year. Combining Samsung's approach with a custom-built Android snooping app, the company has accomplished the next logical step: abusing voice recognition on Android-based TV sets.
Here's the good news: Letting a cybercriminal listen in requires active participation on the user's part. The bad news: It's not that hard to fool a user. If you enable "Install apps from unknown sources" on an Android TV set, any troublemaker with a USB stick can install a rogue app.
Still, you're probably not in the habit of letting strangers with USB sticks mess around with your TV. But you do download apps. The Google Play store can be pretty bad about allowing malicious apps slip through the cracks, and users don't seem to pay too much attention when, say, a puzzle game suddenly requests microphone access.
Android TV can recognize words and translate them to text in order to make use of the Google Now voice protocol, so tapping into it is not too hard. Pen Test Partners created an app that records this text and transfers it to a receiving computer or mobile device anywhere in the world.
The company used a Sony Bravia 55X8005C, a European model, for its tests. That model doesn't have an external microphone, so the researchers had to install a USB mic instead. This would not be a problem, they noted, for higher-end models that have microphones built into the televisions or remotes.
There is a question of how much damage a cybercriminal could do with this information, since most conversations in front of the TV are about very mundane domestic things. Users don't often rattle off their credit-card numbers or Social Security information while streaming the latest episode of Daredevil.
However, such a hack could work wonders if there’s a particular target on whom you’d like to eavesdrop. Listen to a user for a week — or a month — and you'd almost certainly learn something you could leverage.
Luckily, users with Android TVs can inoculate themselves the same way they would on a phone or tablet. Simply disable "Install apps from unknown sources" in the settings menu (it's disabled by default) and avoid shady apps in the Google Play store. And, of course, install and run one of our recommended free and paid Android security apps.
If you think you've been compromised, factory reset the TV — and maybe turn the set off before discussing state secrets or your latest plans for a bank heist.