LG Smart TVs Found Snooping on Home Networks

LG Smart TVs snoop on files shared across a home network and upload file names to an LG-controlled server, according to a new analysis.

The news comes just days after British IT professional Justin Huntley, aka DoctorBeet, found that his own LG Smart TV was uploading his viewing history to LG's servers, even after he had disabled the feature in the device's settings. Huntley's TV also uploaded the names of personal files stored on USB drives attached to the TV.

Yesterday (Nov. 21), LG issued a statement, admitting that DoctorBeet's findings were true, and promised a firmware update that would stop the TV from uploading viewing history if a person has tried to disable the feature. The firmware update would also stop the uploading of external-media file names altogether.

MORE: 7 Ways to Lock Down Your Online Privacy

On the same day, another blogger showed that LG Smart TVs snoop on not just storage devices connected to the TV, but all files shared across the home network to which it is connected. 

The blogger, who calls himself Mark and appears to be a Web developer in northern England, performed a traffic analysis on his home network by setting up his laptop as a middleman between his router and the rest of his connected devices.

His traffic report, published on his blog, shows that when LG Smart TVs are turned on, they send an authentication message to a remote server. When they're turned off, they send a de-authentication message.

These messages give LG precise data on when and how long TV owners use their devices. Mark couldn't find an option to turn off this collection of viewing information on his LG Smart TV.

The analysis also shows that the TV was uploading the names of all the files — though not the files themselves — stored in a shared folder on a computer connected to the home network. 

As in DoctorBeet's posting, Mark's traffic analysis showed that the file names were being sent to a server whose corresponding URL returned a 404 "Page not Found" error. That suggests that the URL may not exist, even if the server associated with the URL's domain name does.  

LG admitted that a system for collecting users' personal filenames was in place, though the company told Tom's Guide that it was not activated and will now be removed.

"While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the Internet (metadata) related to the program being watched in order to deliver a better viewing experience," LG's statement reads. "This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update."

When asked about the nature of this feature, John Taylor, LG Electronics' vice president of public affairs, gave as an example "pulling album cover art from the internet, when a user plugs in MP3 files."

On his blog, Mark points out that "Even if I did agree to this in any [terms and conditions] presented to me, I doubt guests I have [a]round using my Wi-Fi connection would be too happy with file names from their shared media being dispatched to LG."

LG's Smart TV privacy policy states that it collects both "personally identifiable information" — such as customers' names, email addresses, physical addresses and the LG products they own — and "non-personally identifiable information," which includes users' IP addresses, cookies and product information.

According to the policy, "non-personally identifiable information does NOT identify you personally [capitalization theirs]." However, the policy doesn't address whether product information could be used to link a person's non-personally identifiable information with their personally identifiable information.

LG also collects a type of "non-personally identifiable information" that it calls "viewing information." The conditions for collecting viewing information are as follows: "If you access or use the content recognition service, which may be available as part of the Smart TV service, we collect certain non-personally identifiable information, such as identification of the program the Smart TV set is tuned to."

When asked, DoctorBeet said that he did not enable his TV's content-recognition service. "That option was not present on my TV. I think they differ with region," he told Tom's Guide.

In its list of the types of information it gathers, LG's privacy policy does not mention users' personal media file names, though the company also said in a separate statement that it never stored the file names uploaded from users' TVs.

LG clearly states that it gathers customers' personal information and uses it to suggest content and target advertisements.

"If you do not want LG to have access to this information, please do not visit our sites or use the content-recognition service," the policy reads.

You can perform a similar traffic analysis on your own home router using free network packet-analyzing software, such as WireShark.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.