Is Your Smart TV Spying on You?

The truth about smart TV security and that FBI warning

Smart TVs. They’re listening, watching and judging our bad bingeing choices. They might even be a portal for nefarious thieves, tricksters, and nation states looking to see if we really paired that chocolate-colored couch with bright orange wall paint.

These are the only conclusions I could draw after hearing about an apparent nationwide FBI alert about the smart TVs millions of us are buying this holiday season.

[Image: Man in front of TV. Credit: Lifewire / Lance Ulanoff]

The warning, which was released days before Thanksgiving by the Portland, Oregon, FBI office, sent shockwaves around the nation, perhaps with good reason. It painted a pretty bleak picture of the inherent risks of one of our favorite new technologies: 

“Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.”

[Image: Girl in front of TV. Caption: Is your smart TV this scary? Credit: Fox 2000 Pictures]

A Notice

I saw the news stories—and there were a lot of them—with headlines that made it clear: This was fresh and frightening news. “Now even the FBI is warning about your Smart TV security,” read one typical headline. I knew we had reached peak freak-out mode when friends and family started asking me, “Did you see that thing about smart TVs?” They’d ask me because they always assume that tech issues are somehow my fault, and they emphasized “thing” so they didn’t have to say “privacy or security,” as if the very thought of either frightened them.

As the hubbub over the initial alert died down, I decided to walk back through the story to understand why the FBI chose this moment to warn Americans and to measure just how clear and present the smart TV danger really is.

A History

[Image: Family in front of TV. Caption: Virtually all new TVs, including this Hisense, are smart. Credit: Hisense]

The truth is this warning sounded familiar. One FBI warning section in particular reminded me of a story I worked on a few years ago:

"Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV's camera and microphone and silently cyberstalk you," wrote the FBI.

In 2017, WikiLeaks uncovered an alleged massive treasure trove of CIA counter cyber espionage tactics and published them on the Web in something called Vault 7. One section dealt with a vulnerability hackers discovered in early Samsung Smart TVs that would’ve let someone potentially take control of the microphone (and, if one was available, the TV’s camera). To do so, however, the hackers would need direct access to the Samsung Smart TV and its USB port, which meant this was an unlikely scenario outside of James Bond circles. More importantly, the vulnerability does not even exist on new Samsung sets.

Why the Warning

Even so, there had to be a reason the FBI issued that warning. Right?

Not so much.

Ever since I found the warning, I wondered why the FBI chose to issue it from a random, Northwest Coast field office. Maybe there’s been a breach out there and the FBI wanted to use the incident as a sort of bully pulpit from which to launch a strongly worded alert.

There was something else, though. The headline for the warning, which read, “Oregon FBI Tech Tuesday: Securing Smart TVs,” sounded more like an “FYI” than an alert.

I decided to contact the source, FBI Public Affairs Portland Division’s Beth Anne Steele. Steele wrote the release herself. In her email reply, Steele outlined a few key facts:

  • These Tech Tuesday posts are basic tips on things to watch
  • They do not come from FBI Headquarters
  • They’re PSAs
  • The Portland FBI Public Affairs team produces them as “generally-accepted cyber safety protocols”
  • They expect small (read local) newspapers and radio stations to use them
  • The tips were sourced from other online sources (meaning not FBI resources)
  • Steele was thinking of older, still-in-use Smart TVs and not necessarily ones that might be available in stores today

One key takeaway here is that this PSA was not based on a new threat.

In fact, it sounds like the entire thing kind of got away from the Portland FBI office.

Via email, I told Steele that it sounded like “most media took this as a fresh, national FBI warning and not a local PSA, which is how you intended it. Is that accurate?”

“Yes exactly. Local PSA. NOT a national warning,” Steele replied.

[Image: Simpsons with TV. Caption: It's okay to love your Smart TV. Credit: Fox Television]

In the Clear

To say that the Portland FBI’s PSA was poorly handled by virtually all national media is an understatement, but they are not wrong to take such reminders seriously.

When I asked Cybersecurity researcher and Founder and Editor-in-Chief of Cybercrime Magazine Steve Morgan via Twitter DM how seriously we should take this alert, adding that there have been no new reported cases of actual smart TV hacks, he responded cryptically:

“There was never a virus before the first virus.”

“But when consumers hear these warnings, they assume there is a clear and present danger,” I countered.

Morgan told me that experienced people (I believe he was talking about himself) take these threats more seriously. “No one took viruses seriously except the virus authors and hardcore security pros. Then the Internet happened,” he reminded me.

“Will that be enough to concern people? Or does something worse have to happen first?” wrote Morgan.

So What

I don’t think the media did a good enough job of putting this local FBI PSA in context, and it needlessly scared a lot of consumers. On the other hand, it is a good reminder that Internet-connected devices represent a weak point in our privacy firewall. Poor and unchanged passwords can essentially throw the door open to hackers.

Consumers who live in a fog of confusion about what these systems can and can’t see, what they can hear, and who might be listening do themselves a disservice. Being smart about security protocols and a little tech savvy can go a long way to ensure that your smart TV experience doesn’t turn into a privacy and security nightmare.

As the FBI’s Steele told me:

“I hope that what folks take from this particular, local PSA is that as we bring more and more technology into our homes and lives that we need to be aware of its capabilities, its limitations, and some basic questions people should ask relative to its presence in their lives.”
