A man-in-the-middle attack has left Vizio TV owners compromised after smart TVs made by the company were found to be broadcasting their viewing habits. The attack was possible because the device did not validate the HTTPS certificates of the servers it connected to: the TV accepted self-signed, forged certificates.
The sharing of data was in contravention of privacy policies that owners had subscribed to. Researchers from Avast found further footholds that attackers could use to exploit the device.
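The validation failure described above, shown as an added example (not code from Avast, Vizio or the article): a Python check that flags a TLS client context which would accept a self-signed certificate, beside the default verifying configuration. All function names here are hypothetical.

```python
import socket
import ssl


def validation_findings(ctx):
    """List the certificate-validation weaknesses of a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no chain verification: a self-signed or forged "
                        "certificate is accepted")
    if not ctx.check_hostname:
        findings.append("no hostname check: a certificate issued for "
                        "another host is accepted")
    return findings


def weak_context():
    """Client context with the flaw the article describes (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # server certificate is never validated
    return ctx


def hardened_context():
    """Default client context: CERT_REQUIRED plus hostname matching."""
    return ssl.create_default_context()


def connect_checked(host, ctx, port=443, timeout=5.0):
    """Open a TLS connection, refusing a context that skips validation."""
    problems = validation_findings(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    sock = socket.create_connection((host, port), timeout=timeout)
    # With validation on, a self-signed server certificate makes the
    # handshake raise ssl.SSLCertVerificationError here.
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, make in (("weak", weak_context), ("hardened", hardened_context)):
        print(name, validation_findings(make()) or "validation enabled")
```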
In a blog post published Wednesday, the researchers from Avast, who discovered the flaw, wrote:
From this, it is obvious that the same data is being sent to Cognitive Networks servers through UDP and HTTP. This data is the fingerprint of what you’re watching being sent through the Internet to Cognitive Networks. This data is sent regardless of whether you agree to the privacy policy and terms of service when first configuring the TV.
Now, these points aren’t the full picture of what you’re watching. They are simply pre-defined points taken somewhere within the image viewable on the TV. Nevertheless, we can create a graphic representing this fingerprint over time, where each line of pixels represents a second in time, arranged top-to-bottom as oldest-to-newest:
Each horizontal line of various color blocks in the graphic represents averaged patches of color that the TV has captured from specific points of the image displayed on the TV screen.
Each successive line represents another capture in time. With this information, the content recognition service could match a record of these fingerprints from your TV screen to its own fingerprints of the broadcast to determine what you’re watching.
SOURCE: Ars Technica