Nope, Samsung doesn't actually encrypt Smart TV voice data

If Samsung thinks it's already safe from the latest Smart TV scandal, it better put its PR team into action again. The company publicly stated that its Smart TVs were not eavesdropping on users and that it follows security best practices when transmitting voice queries, and only voice queries, to a third-party company for processing. Apparently, for the Korean consumer electronics giant, such "best practices" don't actually include encryption, leaving owners' voice commands, or practically anything they say to the TV, open for hackers to hear.

David Lodge, a researcher from UK security firm Pen Test Partners, was curious to put Samsung's claims to the test. Initially, it seem that all was well as Samsung Smart TVs used port 443 to send voice data to Nuance Communications, the third-party named in the incident. Port 443 is used for HTTPS or HTTP with SSL (Secure Sockets Layer), a protocol that most of the time gives the guise of security. Most of the time. In this case, however, it might just be a farce.

Lodge discovered that the data traveling through the pipes were actually not encrypted. It appeared to be a mix of a file in XML format as well as binary packets of data. In short, nothing to deter or hinder a well-seasoned hacker from cracking. Worse, the data coming from Nuance Communications itself back to the Smart TV was also unencrypted. If Samsung itself isn't eavesdropping on Smart TV owners, it is definitely giving others an easy backdoor access.

Samsung's public statements do say that they use encryption to protect such personal information. But if Lodge's claims are true, then Samsung has been caught in a lie. Of course, it's a he said, he said kind of thing that might need further evidence.

So why use the HTTPS port at all if you're not going to encrypt the data passing through it? Lodge thinks it's because port 443, more often than not, isn't blocked by network firewalls, like in schools or offices, because it is presumed secure. Of course, Samsung reminds the public that one can always opt out of sending voice data across the tubes, at the expense of also opting out of one of the key features of a smart TV.

VIA: PCWorld