Samsung is still lying about the encryption on its Smart TVs

When news broke that Samsung’s Smart TVs listened to conversations and sent them to a third-party server company, the Korean manufacturer countered by claiming that all data transmissions to and from its televisions were encrypted. When testing demonstrated that the data in question wasn’t encrypted (despite being sent via port 443, the port normally reserved for HTTPS traffic), Samsung modified its stance, claiming that new TVs were encrypted properly but older sets were not. This, too, has now been proven false.

After last week’s findings, we spoke to the security researchers at Pentest Partners to ascertain the make and model of the TV they’d tested. The initial model was a UE46ES8000, a top-end TV for its day, but now two years old. This time around, the team tested a UE55HU7500. This screen currently retails for £1,569.86 in the UK according to Amazon. Reviews date from June 2014 through Jan 2015 and the unit is widely available — it is, in other words, a “current” Samsung TV by any reasonable sense of the word.

The team tested the new television in the same manner as the old and found that data is still being transferred in plaintext.
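The check the researchers ran can be reproduced on any home network: capture the TV’s outbound traffic and look at the first bytes of each connection to port 443. Genuine HTTPS starts with a TLS record header and a ClientHello; a plain HTTP request or readable XML/JSON on that port is exactly the failure described above. The following is an added example, not code from this article or from Pentest Partners; the sample payloads are constructed for illustration and do not reproduce any real TV’s protocol or server names.

```python
"""Classify the first bytes of a TCP stream to port 443 as TLS or plaintext.

Added example; not code from the article or from the researchers it cites.
The sample payloads at the bottom are constructed and do not reproduce any
real television's traffic.
"""
import string

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def parse_tls_record(payload: bytes):
    """Return (content_type_name, (major, minor), record_len) if the payload
    starts with a plausible TLS record header, otherwise None."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # Every TLS version on the wire uses major 3; minor 0..4 covers SSL 3.0
    # through the TLS 1.3 legacy record version.
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    # Records are at most 2^14 bytes of plaintext plus up to 2048 of overhead.
    if length == 0 or length > 16384 + 2048:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length


def looks_like_text(payload: bytes, threshold: float = 0.95) -> bool:
    """True if nearly every byte is printable ASCII or whitespace."""
    if not payload:
        return False
    printable = set(string.printable.encode())
    ok = sum(1 for b in payload if b in printable)
    return ok / len(payload) >= threshold


def classify(payload: bytes) -> str:
    """Label the first bytes a client sent on a port-443 connection."""
    rec = parse_tls_record(payload)
    if rec is not None:
        name, (_, minor), length = rec
        # Handshake type 0x01 immediately after the record header is ClientHello.
        if name == "handshake" and len(payload) > 5 and payload[5] == 0x01:
            return f"tls: ClientHello (record version 3.{minor}, {length} bytes)"
        return f"tls: {name} (record version 3.{minor})"
    if payload.startswith(HTTP_METHODS):
        return "plaintext: HTTP request, not TLS"
    if looks_like_text(payload):
        return "plaintext: readable text, not TLS"
    return "unknown: binary, no TLS record header"


def audit_flows(flows):
    """flows: iterable of (description, dst_port, first_client_bytes).
    Returns [(description, verdict)] for every flow bound to port 443."""
    return [(desc, classify(p)) for desc, port, p in flows if port == 443]


# Constructed samples (not real captures). The first is a TLS 1.0 record
# header carrying a ClientHello; the second is what a "port 443 but no
# encryption" flow looks like; the third is opaque binary.
SAMPLE_TLS = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32
SAMPLE_PLAINTEXT = (b"POST /voice HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                    b"<request><text>turn up the volume</text></request>")
SAMPLE_BINARY = bytes(range(256))

FLOWS = [
    ("tv -> api, first packet", 443, SAMPLE_TLS),
    ("tv -> voice service, first packet", 443, SAMPLE_PLAINTEXT),
    ("tv -> updater, first packet", 443, SAMPLE_BINARY),
    ("tv -> dns", 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for desc, verdict in audit_flows(FLOWS):
        print(f"{desc}: {verdict}")
```

The first client payload of each connection can be pulled out of a pcap with tshark or scapy and fed to `audit_flows`. A passing result only shows that a TLS handshake is attempted; whether the TV then validates the server certificate (or accepts a self-signed one from an interposing proxy) is a separate test.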

Still, there was a chance that a firmware update to the television would solve the problem, since the new set has been shipping for some months. An update was available, and the team applied it — to absolutely no effect. The data remains unencrypted.

Bad security will destroy the Internet of Things

After the Lenovo Superfish disaster, it’d be easy to dismiss what’s going on with Samsung’s supposedly encrypted televisions. While the Lenovo situation is orders of magnitude worse, I’d argue that both issues actually stem from the same root problem — a failure to verify that security procedures have been followed and implemented at every level.

Security is difficult, time consuming, and expensive. By its very nature, it does not respond well to corner-cutting. Companies like Samsung, with huge, cost-optimized product divisions and an emphasis on shipping a large number of SKUs, are ill-suited to the kind of lengthy test cycles that are required to properly lock down products and equipment, and unlikely to want to invest in the sort of device evaluation that’s necessary to guarantee that data is handled properly.

It’s easy to dismiss such rigor as unnecessary and to pretend that the entire burden rests on Microsoft or Google, but that attitude will kill most IoT devices in the long term. If Smart TVs acquire a reputation for risking user security due to high profile hacking incidents, consumers will learn to avoid them. Translate that across the IoT ecosystem, and the long-term market will be fundamentally compromised.

It’s time for Samsung and other manufacturers to directly name the devices they’ve locked down, the devices that remain unencrypted, and a timeline for fixing this problem.
