Your SmartTV is the Worst Device You Own
During the occasional getaway or house-sitting, I have the misfortune of using someone else’s network and devices. This is frequently a reminder of the poor state of consumer privacy.
In this case, the offender was a Samsung SmartTV. Now, TVs and the companies that manufacture them are generally known to have atrocious privacy policies. If you’ve never read one, I encourage you to at least skim the SmartTV Supplement of Samsung’s Privacy Policy and decide if:
we provide video or audio snippets of the program you’re watching to third-party providers that use this information in order to return content or advertising “synched” to what you’re watching
sounds like something in which you want to participate. This practice (known as ACR) is widespread, and it’s only thanks to legislation like Europe’s General Data Protection Regulation and the 2020 California Consumer Privacy Act that you can even opt out of such invasive tracking. Unfortunately, these laws do not require opt-in for companies to engage in this behavior in the first place, and therefore the burden of privacy still falls on the consumer.
I trust these devices about as far as they would fall when thrown out the living room window. Exercising control over your own home network has become a requirement for privacy and usability in the same way that adblock has become a de-facto requirement for the modern internet. I’m surprised at the number of even technical people who just run an off-the-shelf wifi router or whatever box their ISP provides as the gateway for their home.
Do yourself a favor and take back your network! There are a number of good, affordable options that don’t require a computer science degree; my recommendation would be pfSense or OPNsense, but any option providing full control and visibility into your core network services (including acting as a DNS resolver with DNSBL support) is viable. You will then be in a much better position to deal with issues of the type described below.
The Backstory
This investigation started not with privacy concerns, but with a minor usability complaint: no one used Samsung’s bundled TV Plus application, and despite several attempts to remove it, the TV would default to that application any time another source was not available. So powering off the DVD player might result in some random channel coming on full-blast.

I poked around myself and came to the conclusion that the application could not be removed, nor could its status as the default fall-back application be changed. User-hostile pattern #1.
Investigation
I keep an extra Protectli Vault loaded with pfSense for exactly this kind of situation: that is, convincing friends and family to take control of their home networks. You can judge for yourself whether this is helpful or eccentric.
But I find that the main reason folks don’t do this is typically either:
- They don’t realize the value, or
- They simply can’t be bothered to figure it out.
If I plug the thing in ready to go, they’re much more open to learning how to use it. For technical folks, Protectli supports coreboot if - like me - you are adamant about no proprietary code on your home network devices. And they’re no more expensive than the wifi routers you’ll find on the shelves at Best Buy. Why are those so expensive, anyway?

Setup
A default install of pfSense or OPNsense is almost sufficient, and the documentation is adequate, so I won’t elaborate here. Unlike many of these devices, Protectlis have USB ports and HDMI outputs, making them usable for a layperson who isn’t comfortable with console-based installation. But there are a few things you should customize afterward:
Installing pfBlockerNG will set up your DNS resolver (Unbound) and DNSBL. See How To Set Up pfBlockerNG for detailed instructions.

Again, the default options are mostly fine, but I’d recommend enabling Wildcard Blocking (TLD):

This is optional, but I like to enable logging of all DNS queries. There’s no UI option for this, but you can set any Unbound option in the Custom Options section. Add the line:
server:log-queries: yes
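With query logging on, the resolver log shows which client asked for what. The script below is an added example (not part of the original post) that tallies, per client, the queries falling under a watched domain, matching names the way a wildcard block would. It assumes Unbound's `info: <client> <name>. <type> IN` query lines; the sample lines, client IPs and subdomain labels are constructed, and the watched domains are ones named later in this post.

```python
import re
from collections import Counter, defaultdict

# Assumed Unbound query-log shape: "... info: <client-ip> <qname>. <qtype> IN"
QUERY_RE = re.compile(r"info: (\d{1,3}(?:\.\d{1,3}){3}) (\S+?)\.? ([A-Z0-9]+) IN\s*$")

def matches_suffix(qname, suffixes):
    """Wildcard-style match: the name equals a suffix or is a subdomain of it."""
    qname = qname.lower()
    return next((s for s in suffixes if qname == s or qname.endswith("." + s)), None)

def summarize(log_lines, watch_suffixes):
    """Return {client_ip: {watched_suffix: hits}} for queries under watched domains."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (startup notices, errors, ...)
        client, qname, _qtype = m.groups()
        suffix = matches_suffix(qname, watch_suffixes)
        if suffix:
            hits[client][suffix] += 1
    return {client: dict(counts) for client, counts in hits.items()}

WATCH = ["samsungads.com", "samsungcloudsolution.com"]

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "[1700000000] unbound[4242:0] info: 192.168.1.50 config.samsungads.com. A IN",
    "[1700000001] unbound[4242:0] info: 192.168.1.50 samsungads.com. AAAA IN",
    "[1700000002] unbound[4242:0] info: 192.168.1.50 api.samsungcloudsolution.com. A IN",
    "[1700000003] unbound[4242:1] info: 192.168.1.20 notsamsungads.com. A IN",
    "[1700000004] unbound[4242:1] info: 192.168.1.20 example.org. A IN",
    "[1700000005] unbound[4242:0] info: start of service (unbound).",
]

if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG, WATCH).items():
        print(client, counts)
```

Note that `notsamsungads.com` is not counted: the match is on label boundaries, not on a bare string suffix.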

Usage
Right away, we could see the Samsung TV and the TV Plus application kicking off dozens of requests to a number of undesirable domains including:
samsungqbe.com
samsungcloud.tv
samsungcloudsolution.com
samsungcloudsolution.net
samsungnyc.com
samsungads.com
I added these to the DNS blocklists, expecting that to solve the issue, but no - the TV started querying Google’s DNS server at 8.8.8.8! It was ignoring the DHCP-provided DNS options and using a hard-coded external DNS server. User-hostile pattern #2.
Since all clients should now query Unbound for DNS, I simply blocked all client LAN -> WAN DNS traffic, after which the TV Plus app was instantly and permanently disabled:
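A device that ignores the DHCP-provided resolver shows up as port-53 traffic from the LAN to anything other than the firewall. This added example (not from the original post) flags such clients from `tcpdump -n` text output captured on the LAN interface; the LAN range, the resolver address 192.168.1.1 and the sample packets are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump -n shape: "<time> IP <src>.<sport> > <dst>.<dport>: <id>+ <qtype>? <qname> (<len>)"
PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"\d+\S*(?: \[\w+\])? (\w+)\? (\S+)"
)

def find_dns_bypass(capture_lines, lan_cidr, resolver_ip):
    """Return {client: {external_resolver: sorted qnames}} for LAN clients that
    send DNS queries (port 53) anywhere other than the local resolver."""
    lan = ipaddress.ip_network(lan_cidr)
    found = defaultdict(lambda: defaultdict(set))
    for line in capture_lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # responses and non-DNS packets do not match the query shape
        src, _sport, dst, dport, _qtype, qname = m.groups()
        if dport != "53" or ipaddress.ip_address(src) not in lan:
            continue  # not an outbound query from a LAN client
        if dst == resolver_ip:
            continue  # client is honoring the DHCP-provided resolver
        found[src][dst].add(qname.rstrip("."))
    return {c: {r: sorted(n) for r, n in d.items()} for c, d in found.items()}

# Constructed sample capture lines (addresses and ids are made up).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.50.40000 > 8.8.8.8.53: 4660+ A? samsungads.com. (32)",
    "12:00:01.020000 IP 8.8.8.8.53 > 192.168.1.50.40000: 4660 1/0/0 A 203.0.113.10 (48)",
    "12:00:02.000001 IP 192.168.1.50.40001 > 8.8.8.8.53: 4661+ A? samsungcloud.tv. (33)",
    "12:00:03.000001 IP 192.168.1.20.51000 > 192.168.1.1.53: 77+ A? example.org. (29)",
]

if __name__ == "__main__":
    print(find_dns_bypass(SAMPLE_CAPTURE, "192.168.1.0/24", "192.168.1.1"))
```

Run against a capture taken after the block rule is in place, the same clients should still appear here (they keep trying), which makes this a quick way to list devices with hard-coded resolvers.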

Thoughts
I would have preferred to just take the TV off the network, but some other applications were actively used, so that wasn’t an option. Finding the right balance between security and usability is challenging, and it’s sad when companies make that more difficult with dark patterns that ruin the user experience.