Sniffing Out LG Smart TV Tracking Protocol

[DoctorBeet] noticed the advertisements on the landing screen of his new LG smart television and started wondering about tracking. His curiosity got the better of him when he came across a promotional video aimed at advertisers that boasts about the information gathered from people who use these TVs. He decided to sniff the web traffic. If what he discovered is accurate, there is an invasive amount of data being collect by this hardware. To make matters worse, his testing showed that even if the user switches the “Collection of watching info” menu item to off it doesn’t stop the data from being phoned home.

The findings start off rather innocuous, with the channel name and a unique ID being transmitted every time you change the station. Based on when the server receives the packets a description of your schedule and preferred content can be put together. This appears to be sent as plain data without any type of encryption or obfuscation.

Things get a lot more interesting when he discovers that filenames from a USB drive connected to the television are being broadcast as well. The server address they’re being sent to is a dead link — which makes us think this is some type of debugging step that was left in the production firmware — but it is still a rather sizable blunder when it comes to personal privacy. If you have one of these televisions [DoctorBeet] has a preliminary list of URLs to block with your router in order to help safeguard your privacy.

[Thanks Radcom]

68 thoughts on “Sniffing Out LG Smart TV Tracking Protocol

  1. It is not necessarily a dead link! I can easily make a script that will return to you what looks like a 404 page, while still collecting and recording all data sent to it via GET & POST…
    In fact, if this were the case, it would while have definitely been done with malicious intent.

    1. No script required. An out of the box apache install will log POST data regardless whether the URL exists or not. Then parse your logs for the gold. An common trick used by the seedier end of the click-through industry for some years apparently.

  2. The comments in that post indicate the 404 doesn’t really mean anything. To quote the last paragraph of the first comment:

    “Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs – collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.”

  3. The 404 URL isn’t a left over debugging hook. LG admitted it was for a future feature which hasn’t been implemented yet. It was supposed to request the metadata for the midget pr0n file you’re watching off a USB stick or share. A tad sketchy even as a legitimate feature!

  4. As we speak very large manufacturers and enablers for systems like these are staging to use this violation of “serving the public good” for future marketing of the same saying things like “lets encrypt end to end” so when they lie, the user can’t determine it happened. Personally I think that there have been enough cases in the last century where some government decided to kill citizens, the “public information” was used to kill millions. If a user clicks “don’t send info about me” on their hardware some obscure line in the EULA should not entitle manufacturers to think that its okay to keep sending. No should mean no. The publics good is best served when control of the good of the individual is in each individuals hands. This approach likely speaks to where the printer dot-codes (that say printer vid, date, time, etc… inside anything printed) that gnu/fsf was watching for a few years ago went: encrypted.

  5. well, maybe my comment can be a little “out of focus”, I just want to point the attention to the fact that the ethic of those big TV/electronic producers can be discussed for other things too.
    Just as an example, the s300 missiles that were almost sold to Syria recently, were produced by NPO Almaz in cooperation with Samsung.
    Yes, the same of LCDs and Smartphones and stuff…

    1. Boeing builds passenger jets…and fighter jets. Rolls Royce builds beautiful cars and engines for passenger jets…and fighter jets. The government buys resources to make your water clean, your roads safe…and people in fairly remote countries dead.

      There are always two sides to the medal.

  6. First when I wondered about this possibility was when Blu-Ray players with Ethernet link came around.

    As general rule, every device that has some network interface and is not under direct control of the user, should be considered hostile.

    1. @Kris, There is a real economic cost to that presumed (and often actual) hostility that makes the overall system inefficient. When I buy a product, I am not buying it so that it can wage war (aka wage the art of lies) against me, my family, or the future of my children. Why can’t we make a government that takes sources of the inefficiency or lack of public good and associate a cost to the manufacturer that is at least as large as the perceived benefit?

        1. What is needed is an *easy* way of doing it. People will only do it if it’s easy. And manufacturers won’t take any notice unless many people do it.

          Something like a Raspberry Pi, or a reprogrammed router? Perhaps a settings file that any user can send to their router easily. Adblock Plus does a good job, it’s a good model to base it on.

          Personally I have a computer to do Internet stuff on. If my tv came with a network lead, I wouldn’t plug it in. Games consoles have now decided that their users are their bitches too. It’s insidious, though I’m sure it makes lots of money. I’d like some governments to do something about this, but whose side are they on? I think, mostly, they haven’t a clue and don’t care, followed by motivation #2, do what money and power tells them to.

          1. EASY: http://someonewhocares.org/hosts/

            just copy and paste that on your house router DNS resolution thing… most of them have it.

            if not, sell it on ebay and buy one that does.

            this file will point all DNS requests of ad tracker and shock sites to nothing.

            It vastly improves my overal site speed, as requests to google analytics and such time out instantly.

        2. Most routers can filter URLs based on keywords. A little crude, but it can help.

          Adding things like ‘doubleclick.com’, ‘/ad/’, ‘/ads/’ etc will cut down on a surprising amount of it.

          Like @greenaum says, that’s not exactly easy. (Easy being relative, of course.)

      1. The government stands to benefit from this massive intrusion into privacy, so it will hardly be the one to turn to when stopping the intrusion is the goal. For all the public knows, the data is being sent to the government already. The NSA is already known to be recording texts, phone calls, emails, social media interactions, internet usage data, etc. Is monitoring your tv viewing habits such a reach?

    2. I hope you’re aware that your cable box is already doing this, too. It’s reporting what you watch, when you time shift, and when you fast forward or rewind. And because it’s on the cable (not on your side of the network interface) it’s not possible to create your own firewall.

      And this is not new. Tivo used this data to report that Janet Jackson’s “wardrobe malfunction” was the most instant-replayed TV event ever, and that was in 2004.

        1. I dont use adblocker on this site. The advertisments here arent really that bad. “Oh no there is an ad for a microcontroller showing up because they figure i must be interested in it, must turn adblocker on so i dobt see it”

          1. And the Germans spy on the U.S.

            Read the book “Friendly Spies” once…

            France has an entire section of the intelligence agency which does nothing buy steal U.S. business secrets.

  7. I can not understand why you do not expect things to move into this direction, when there has been such inspirations in the past (hint, hint).

    Screens gathering data? Try screens gathering footage, radios that can not be turned off, just down, and a Big Brother watching into your very homes.

    Go to the nearest library, borrow and read George Orwell’s 1984.

    The big irony is that those things doesn’t seem to come through communism (though they tried for all they was worth, look for example at Stasi), but from fear of terrorists and greed for government contracts. With all the news about various intelligence agencies worldwide skimming through communications (though the very most of us probably wont have our communications skimmed) I sometimes wonder where we are going.

        1. Just because something happens in a book doesn’t prevent it from happening in real life. Although in 1984’s case, that was the idea.

          Even if Lucky Goldstar don’t end up founding the Ministry of Love, and editing things out of history (which is actually really easy, since you can no longer trust an image, still or moving), my dwarf pr0n is none of their damn business. What I watch on TV is none of their business. That’s why they’re so sneaky about it, you think anyone would buy a TV that they know does that?

          And WTF is a TV doing showing adverts anyway!? Ads on TV are supposed to pay for the programmes, that’s the deal. I’m not gonna watch extra adverts on a TV I fucking paid for! Perhaps TV advertisers would be a force to use against this, altho of course they’re as likely to be the people using it.

          This thing either needs a widespread, popular hack, or more news coverage. Of course the bad thing about democracy is that you could mince half the populace into hamburgers and the other half would barely notice. Gotta have burgers, right?

          1. your dwarf pr()n can be used for leverage. You know, “It came to our attention that you know X Y Z individual through 6 connections, we would like to know everything that you know, or you watching dwarf pr()n goes viral. Thank you for your cooperation”
            Or alternatively for lawsuits: ” The metadata from your USB drive indicate that you illegaly downloaded copyrighted dwarf pr()n. Pay now of suffer exposure later.”

    1. All that being said, I’d might be a slight bit less frustrated about this if they would be open about it, and about what they use the data for. (And by that I do not mean merely mentioning it in an EULA or privacy policy, though in this case I do not think they mentioned it there either.)

      Now it looks and feels really sneaky and intrusive.

  8. as an owner of an LG tv i was waiting for something like this, the last firmware update required me to agree to a new privacy policy.
    I was a little suspicious skimming through it, but i agreed anyway and pulled the network cable out. A quick search confirmed my suspicions and it has remained unplugged since.

    It’s comforting to know there are others out there who take the time to investigate things like this.

    I wont be returning my tv, i’m hooked on ‘smart’ tv’s since it can decode pretty much any file i can throw at it, plus now that it’s out in the open they will have to pull something pretty spectacular out of the bag to do any snooping.

  9. Internal release notes for Version 0.1 of the firmware:

    … snip … remove boring stuff … snip …

    TODO: encrypt all data to prevent any bad press from US spying on customers.

    /end-of-sarcasm

    1. Is it a bad thing that all I could think during that video was “Well, at least there will be some upside if the North Koreans eventually snap and zerg-rush across the DMZ…”?

    2. what I still don’t understand is why LG thinks that consumers would want to click on ads that show up in the middle of content screens… srsly? I mean, if I’m wanting to watch a movie (assuming I don’t know what I want to watch already, because you know, mindless screen watching is no one’s friend), what on earth makes them think that I’m going to be sooo distracted by an ad for the “McDonald’s value menu” that I’m going to want to click it and watch some schlocky corporate treacle??? Do I not know what’s on the value menu (assuming I care enough to have paid attention to it)? If I don’t, why would I??? I could say the same for any advertiser. Why on earth would I want to reward even a company that I might have been interested in (but wouldn’t be now!) who has invaded my private space, by clicking on a stupid ad??? Unless they’re just hoping for erroneous clicks, I don’t see the point.

      Maybe I’m disconnected and the avg TV watcher/buyer/deep-user is just that brain-dead… but I sure hope not.

  10. The wireshark capture clearly shows that there has already been sent a
    reasonable huge tcp packet full of information to the “GB.ibis.lgappstv.com”
    server, after querying the DNS for the IP (may be cached by the app).
    The servers response means NOTHING, it may fake-respond anything or even
    nothing at all, however here its a valid tcp ACK and 200 OK response.

  11. Seems like those programmers who are outraged would just write a “thingy” to have anyone who was outraged as well send them fake viewing habits from phantom LGs…

    Or, If I owned an LG and copy of wireshark, I’d just make them think I watch barney videos 24×7…

  12. when “crazy” people are right more percent of the time then “normal” people …
    lolz
    “non-crazy” people are stupid! hahahaha

    PS: i knew a long time ago … “In the future all TVs will watch us back.”

Leave a Reply to LukeCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.