Is Your IoT Device Spying on You?

I was born on the cusp of the internet revolution. As a kid, my friends and I roamed the streets and were more or less off the grid. Once we left the house, we were untraceable. We had to run to a friend's house or a pay phone (remember those?) to get in touch with a parent.

It takes effort to do that today. I take for granted that my phone is connected to the internet, and that my thermostat and smoke detector are internet-connected and can be monitored from my phone. A few years ago, we cancelled cable and started using internet-connected streaming devices like the Apple TV and Amazon Fire Stick.

Basically, our lives are centered around devices that connect to the internet. They are invisible and ingrained in our daily lives.

But, while we are blissfully watching TV and zoning out, our TVs are watching us and reporting back to the mother ship.

I’m not a tin-foil-hat-wearing, Faraday-cage-building conspiracy theorist. Your TV might actually be spying on you.

In 2014, Vizio began adding a special ingredient to their line of internet-connected TVs: the ability to collect data on your TV watching habits and return it to Vizio. Older internet-connected Vizio TVs were silently updated to collect and send data. Any time your TV was on, it would collect a few pixels and match them to a database of commercial and TV content. Vizio was also able to collect data from service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts using an antenna. Somewhere around 100 billion pieces of data were being collected every day you used your Vizio TV.

Some products, operating systems and web browsers for example, have a setting that lets you opt in or out of sending data back to the company that made them. These software makers usually claim that the data is collected so they can learn about product failures and optimize future releases. The user is always given the choice to opt out, though. Vizio TVs, on the other hand, were collecting the data without consumer consent, and Vizio was then selling that data to advertisers and content producers.

After being caught, Vizio settled the issue for $2.2 million in total: part fine paid to the FTC and part payment to the New Jersey Division of Consumer Affairs.

Vizio had $2.9 billion in revenue in 2015. And, they made some of that by selling illegally collected consumer data. Let that sink in for a second. At a cost of $2.2 million, collecting data from consumers and selling it is still a profitable business. My guess is that Vizio will continue collecting data because the profit margin is still in their favor.

Collecting data on your TV watching sounds fairly benign, but many people (me, for example) have their TVs connected to things like Netflix, Hulu, and iTunes that are all connected to billing information.

I read a lot about IoT security issues and the possibility of a bad guy lurking around somewhere trying to swipe information from my phone, or Apple Watches, or even cars. Thinking of cyber criminals is fun and inspires reports on the local news. But, it turns out the real risk at the moment is product manufacturers collecting and selling data with almost nonexistent consequences. 

By: Justin Rohrman