In the latest round of the security story that never ends, the voice recording on Samsung smart TVs is even less secure than previously believed. The electronics company recently clarified that its TVs' voice recognition software shares voice data with third parties, but a recent study has demonstrated that the voice data lacks encryption and may be open to savvy hackers.
The information comes from Buckingham, United Kingdom-based business security company Pen Test Partners. Researcher David Lodge took a deep dive into a Samsung smart TV to see just how it shares data and found that the results are generally not encouraging.
First, the good news: Samsung smart TVs are not listening to you unless you specifically ask them to, and even then, they usually don't share data with Nuance, their third-party voice recognition service. When you activate voice recognition (usually by saying "Hi, TV"), the TV begins listening. It does not record simple commands, like changing the volume or the channel.
Lodge experimented by asking the TV to run a Web search for the word "Samsung," and discovered that complex voice commands do, indeed, go to Nuance servers. The bad news is that they don't go there securely. Lodge followed the command back to the server and learned that stream does not use a secure HTTPS protocol; in fact, it does not use HTTP at all.
Samsung transmits voice data to Nuance through an unsecure cocktail of XML and binary data, and does not use SSL encryption. If a talented researcher like Lodge could track voice data back to Nuance, a malicious hacker could do the same, provided that he or she had access to your smart TV and home network credentials.
Whether this is really dangerous is up for debate, as most users are not likely to look for anything terribly compromising via voice search on their smart TVs. Still, in a day and age when it's common for both cybercriminals and world governments to try to leverage personal data, it's surprising to see a big company transmit private information without some kind of encryption.