A man-in-the-middle attack has left Vizio TV owners compromised after smart TVs made by the company were found to be broadcasting their viewing habits. The attack was possible because the device did not validate the HTTPS certificates of the servers it was connecting to: the TV accepted forged, self-signed certificates.
The sharing of data was in contravention of privacy policies that owners had subscribed to. Researchers from Avast found further footholds that attackers could use to exploit the device.
In a blog post published Wednesday, the researchers from Avast, who discovered the flaw, wrote:
Now, these points aren’t the full picture of what you’re watching. They are simply pre-defined points taken somewhere within the image viewable on the TV. Nevertheless, we can create a graphic representing this fingerprint over time, where each line of pixels represents a second in time, arranged top-to-bottom as oldest-to-newest:
Each horizontal line of various color blocks in the graphic represents averaged patches of color that the TV has captured from specific points of the image displayed on the TV screen.
Each successive line represents another capture in time. With this information, the content recognition service could match a record of these fingerprints from your TV screen to its own fingerprints of the broadcast to determine what you’re watching.
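The fingerprinting scheme described in the quoted passage, sketched as an added Python illustration that is not Avast's or Vizio's code: the 8x8 frames, the four sample points, the 3x3 patch size and the show names are constructed assumptions. It shows why a few averaged color patches per second are enough for a recognition service to identify what is on screen, which is what makes this traffic privacy-sensitive.

```python
from typing import Dict, List, Tuple

Pixel = Tuple[int, int, int]
Frame = List[List[Pixel]]                          # frame[y][x] -> (r, g, b)
Rows = List[List[Pixel]]                           # one row of averaged colours per second

SAMPLE_POINTS = [(2, 2), (2, 5), (5, 2), (5, 5)]   # assumed (y, x) capture points
RADIUS = 1                                         # assumed 3x3 patch per point

def synthetic_frame(show: int, second: int, noise: int = 0) -> Frame:
    """Constructed 8x8 frame; colours depend on the show, the second and the position."""
    return [[(20 + show * 100 + second * 10 + x + noise,
              30 + second * 5 + y * 3 + noise,
              200 - second * 15 - show * 20 + noise) for x in range(8)] for y in range(8)]

def patch_average(frame: Frame, y: int, x: int) -> Pixel:
    """Average colour of the patch centred on (y, x), clipped at the frame edges."""
    ys = range(max(0, y - RADIUS), min(len(frame), y + RADIUS + 1))
    xs = range(max(0, x - RADIUS), min(len(frame[0]), x + RADIUS + 1))
    px = [frame[j][i] for j in ys for i in xs]
    return tuple(sum(p[c] for p in px) // len(px) for c in range(3))

def fingerprint(frames: List[Frame]) -> Rows:
    """One row per captured frame, one averaged colour per sample point."""
    return [[patch_average(f, y, x) for y, x in SAMPLE_POINTS] for f in frames]

def distance(a: Rows, b: Rows) -> int:
    """Sum of absolute per-channel differences between two equally long fingerprints."""
    return sum(abs(ca - cb) for ra, rb in zip(a, b)
               for pa, pb in zip(ra, rb) for ca, cb in zip(pa, pb))

def best_match(observed: Rows, catalogue: Dict[str, Rows]) -> Tuple[str, int, int]:
    """Slide the observed rows along each reference; return (title, offset, distance)."""
    best = None
    for title, ref in catalogue.items():
        for off in range(len(ref) - len(observed) + 1):
            d = distance(observed, ref[off:off + len(observed)])
            if best is None or d < best[2]:
                best = (title, off, d)
    if best is None:
        raise ValueError("no reference is long enough to compare")
    return best

# Constructed catalogue: ten seconds each of two "broadcasts".
CATALOGUE = {name: fingerprint([synthetic_frame(s, t) for t in range(10)])
             for s, name in enumerate(["show-a", "show-b"])}
# What a TV would report for seconds 4-6 of show-b, with slight capture noise.
OBSERVED = fingerprint([synthetic_frame(1, t, noise=2) for t in range(4, 7)])

if __name__ == "__main__":
    print(best_match(OBSERVED, CATALOGUE))
```

Three seconds of four color patches are enough here to recover both the title and the position within it, even with noise added to every pixel.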