Consumer Reports tested TVs from Sony, Samsung, LG, Vizio and TCL (which makes sets branded as "Roku" models featuring a built-in Roku streaming player), and most had a feature called Automatic Content Recognition that tracks what shows you're watching.
Working with engineers from security firm Disconnect, Consumer Reports found the flaws rather easily.
Our security testing focused on whether basic security practices were being followed in the design of each television's software. However, company spokeswoman Tricia Mifsud tells NPR that "a consumer could click on something that exposes their computer", and the remote control app does allow for changing the volume or channel.
A Roku spokeswoman said via email, "There is no security risk to our customers' accounts or the Roku platform with the use of this API", and pointed out that the External Control feature can be turned off in the settings. And with smart TVs becoming more readily available - only 16 of more than 200 midsize to large sets rated by Consumer Reports are of the dumb variety - it is more important that consumers are aware of what they are getting themselves into when purchasing these types of devices.
Roku says that feature can be disabled.
You can also turn off the WiFi connection.
If you want to keep your binge-watching and late-night surfing private, you can turn off the monitoring - but you'll have to go back into the original setup menus, the ones you likely flipped right through in your eagerness to start watching.
CR found that consumers who race through the process of setting up a smart TV end up agreeing to share too much, calling it "oversharing by design".
But that still may leave you open to hackers. "It could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device". And, to be fair, streaming services like Netflix and Hulu are already tracking what you watch. So is it so bad if NBC and CBS, via the set manufacturer or software vendor, get the same information? These include what they're watching and searching.
Regulators have also started to look more closely at the information gathered by Web-connected TVs. "But to a television viewer who didn't know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set". Before collecting any information from consumers, we always ask for their consent, and we make every effort to ensure that data is handled with the utmost care.