A Defensive Computing Checklist
by Michael Horowitz
TV WATCHES YOU
Streaming boxes such as Roku, Apple TV and FireTV: Leave them powered off when not in use. Less spying and you save on electricity.
Privacy of Streaming Apps and Devices: Watching TV That Watches Us from Common Sense Media (Aug 2021). There are two things here, a large report on extensive testing that they did and a short privacy rating for assorted streaming hardware boxes and streaming services.
Roku: Check these settings:
System -> Advanced System Settings -> Control by Mobile Apps -> disable "Network Access" (verified on Roku OS 9.1.0)
Privacy -> Advertising -> turn the Limiting of ad tracking on and reset the Advertising ID
Privacy -> Microphone -> Channel microphone access -> Never allow
System -> Screen Mirroring -> set Screen Mirroring Mode to either Prompt or Never Allow
Fire TV: Go to Settings -> Preferences -> Advertising ID. Then, disable Interest based ads. This may be old (I don't have a Fire TV). If so, try: Settings -> Preferences -> Privacy Settings. From there, disable Interest-based Ads, Device Usage Data and Collect App Data Usage. Also do: Settings -> Preferences -> Data Monitoring and turn it off.
Apple TV: Go to Settings -> General -> Privacy -> Tracking and turn it off
Roku TV: From How to Disable Interactive Pop-Up Ads on Your Roku TV by Chris Hoffman October 2019. As of Roku OS 9.2, the TVs display pop-up advertisements over commercials on live TV. If an advertiser has partnered with Roku, that advertiser can display an interactive pop-up ad over the normal commercial. This only applies to Roku TVs, not the external sticks or boxes. To disable it: Settings -> Privacy -> Smart TV Experience -> disable "Use info from TV inputs".
Turn it off: How to Turn Off Smart TV Snooping Features by Consumer Reports. Last updated: September 2019. Smart TVs collect data about what you watch with a technology called ACR. Only covers TVs, nothing on Roku, Apple TV or Chromecast. Your smart TV is spying on you. Here are step-by-step instructions to stop it by Jefferson Graham in USA TODAY (Jan 2020). Covers Fire TVs, LG, TCL/Roku, Samsung, Sony and Vizio.
Things are bad: You watch TV. Your TV watches back by Geoffrey Fowler for the Washington Post September 2019. No defense offered. Discusses ACR (automatic content recognition) on Smart TVs. Quote: "some TVs record and send out everything that crosses the pixels on your screen. It doesn’t matter whether the source is cable, an app, your DVD player or streaming box." They watched the data a TV transmits using IoT Inspector software from Princeton University.
Things are bad: From Lily Hay Newman in Wired (Sept 2019) On Roku and Amazon Fire TV, Channels Are Watching You. The article discusses academic research from Princeton University and the University of Chicago that found over 2,000 streaming apps doing tracking even when told not to (see the Settings at the top of this topic). 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained easily spottable trackers that collected information about a viewing habits and preferences, along with unique identifiers. No defenses offered. Here is an article by the researchers: Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (Sept 2019) and their more formal research paper
Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (PDF) by Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal and Arvind Narayanan.
Defense: The article above notes that a profile is formed based on the public IP address of your home. One defense is to connect the TV to a router running VPN client software. This hides your public IP address.
Defense: a router that supports outbound firewall rules, such as the Pepwave Surf SOHO, can block the TV from phoning home. First, watch where it sends data, then block these transmissions one a time (in case some of them are necessary). Using a Raspberry Pi running Pi-Hole for DNS should also be able to block a TV from phoning home. Or, a free account at OpenDNS lets you audit the DNS on your home network and block some domains.
Defense: one type of attack comes from the LAN. Roku, and perhaps competing devices, can accept commands using HTTP from the LAN. To prevent this, isolate the streaming box. If using Wi-Fi, connect it to a Guest network. Some, not all, routers will isolate Guest network users from each other, blocking this type of attack. More advanced users can put the streaming box in a VLAN. The first suggested Roku setting above, should also block this, but it only applies to Roku and may change in the future.
Defense: The ultimate defense is not to connect a Smart TV to the Internet (other than maybe to update the firmware).
Defense: How to Stop Smart TVs From Snooping on You by Lance Whitney in PC Magazine (April 2020).
There are many articles about blocking Roku monitoring by blocking access to assorted domains and sub-domains. For a long time now I have blocked all access from my LAN to scribe.logs.roku.com and cooper.logs.roku.com. My Roku box works just fine without these. I chose them because they were the most popular logs my Roku box was accessing.
If your TV has a camera, cover it with tape. From the October 22, 2019 episode of the Hackable podcast.
Background: Smart TV Makers Will Soon Make More Money Off Your Viewing Habits Than The TV Itself by Karl Bode (May 2021). We can not buy a "dumb" TV that's just a display with HDMI ports because consumer data is so profitable.
Roku networking: I have seen a Roku 2XS running firmware 9.1.0 make outbound requests to the Google DNS server at 220.127.116.11, port 53, using TCP. This is suspicious for multiple reasons, one being that the router assigns other DNS servers. Thus, the use of 18.104.22.168 is hard coded into either the Roku system or one of the channels. One reason to do this is to avoid DNS based restrictions in the router. Also, UDP is the norm for DNS, not TCP. I have not captured the actual packets.
More Roku networking: I always see the same Roku 2XS box making outbound connections to IP address 172.29.243.255. This should never occur as this is a private IP address, one that can never exist on the Internet. These connections use UDP and both the source and destination port are always 1975. This seems to be part of the OS, I see it even when just powering on and not using any channels. I contacted Roku about this and they would not explain why this happens.
Netflix: login to netflix.com with your userid/password. Click on the profile icon in the top right corner, then click Account. To see all the info Netflix has on you, click on
"Download your personal information". To remove something from your viewing history: start at Account info, then click on a profile, then Viewing History. To remove an item, click the circle on the far right.
Hulu: Log in to Hulu.com and open the Account page. Go to Privacy and Settings. Select Manage Nielsen Measurement and opt out. Select California Privacy Rights. Under Right to Opt Out, click Change Status and opt out. To clear the watch history: Under Manage Activity, click Watch History, then Clear Selected.
Amazon Prime video suggested settings are in the Amazon section
FYI: Samsung can remotely disable their TVs worldwide using TV Block by Sergiu Gatlan of Bleeping Computer (August 2021)
FYI on audio: For many reasons, the audio on TV sets is poor such that it makes it hard to understand what people are saying. Some TVs have a feature to boost the dialog or reduce loud noises.
On Samsung look for the Amplify feature. On LG, look for Clear Voice II. On Roku TVs look for Dialog Enhancement or Speech Clarity. If you can afford to, connect the TV to a stereo system or a sound bar that has a center speaker.
| This page: 4 views per day (over 63 days) Total views: 225 Created: March 26, 2023|
Copyright 2019 - 2023