LOS ANGELES —Buyer beware. If you've snapped up a smart TV, with built-in Netflix, YouTube, Hulu and other Web connections, heads up on this warning—your smart TV could make you vulnerable to hackers and is probably monitoring more of your viewing than you realize.
Consumer Reports just analyzed smart TVs from the five biggest US TV brands — Samsung, LG, Sony, TCL and Vizio — and found several problems. All are tracking what consumers watch, as long as they agree during the set-up process, and two of the brands failed a basic security test.
How bad is the security? So poor, according to its report, that it was able to take over complete remote control of the TVs from Samsung and TCL's branded Roku TV, which included changing channels, upping the volume, installing new apps and playing objectionable content from YouTube.
"What we found most disturbing about this, was the relative simplicity of," how easy it was to hack in, says Glenn Derene, Consumer Report's director of content.
He called it "frightening," that someone remotely could type something into the search bar, launch and install apps, knock the TV off the Wi-Fi network and use the hack to "harass and frighten someone."
It was easy to break in, said Derene, because "basic security practices were not being followed." Both Roku and Samsung told Consumer Reports the companies would take a closer look at the issues and address them, it said.
Smart TVs represented over half of all TV sales in the first half of 2017, according to market researcher GFK, and at this point, most sets being marketed are "smart." Consumers opt for them because they save people the hassle of changing their settings when they want to stream media from the Internet.
These new TVs have a technology add-on called Automatic Content Recognition, which monitors what you watch, in an attempt to do a better job than Nielsen at measuring viewership.
So hypothetically you could watch the show "This is Us," and the next thing you know, your computer and phone will start showing you ads for the NBC show, similar to how we're tracked online.
Consumer Reports says there's an easy fix. Turn it off.
That's one choice. Your other two are to turn off Wi-Fi while you're watching, which doesn't make sense if you like to stream, or buy a dumb TV and stream the old-fashioned way, via a set-up box.
But that still may leave you open to hackers. Consumer Reports found that the Roku streaming box, which used the same operating system it tested on Roku-branded TV's sold by TCL, was also vulnerable. It didn't mention testing the Amazon Fire TV or Apple TV boxes, because those operating systems aren't widely available, if at all, within other TVs.
Hacking risk aside, the report found that the smart TVs it evaluated asked for permission to collect viewing data and other information, but it wasn't necessarily easy for users to understand what information they were agreeing to share, and there was a tendency to request oversharing — such as monitoring everything a TV watcher did, whether it was streaming, playing a DVD or watching paid TV.
Consumers are used to letting Internet-streaming services Netflix, YouTube, and Hulu track everything they watch on their services, in order to recommend other shows. So is it so bad if NBC and CBS, via the set manufacturer, get the same information?
Derene's view: It's just not the expectation of consumers that their TV will be tracking everything they watch, particularly if theyre not streaming.
Regulators have also started to look more closely on the information gathered by Web-connected TVs. A year ago, Vizio agreed to pay $2.2 million to settle claims from the Federal Trade Commission and the Office of the New Jersey Attorney General over collecting viewing data without consumers' consent. That information, along with demographics data including sex, age, income, marital status and home ownership, was sold to third parties who used it for targeting advertising and other purposes, the agencies charged.
Consumers have voiced concerns about smart speakers from Amazon and Google in the home that are "always on," and listening, but the companies have insisted that the speakers only come to life when they are awoken by saying the words "Alexa," or "Hey Google."
Follow USA TODAY's Jefferson Graham on Twitter, @jeffersongraham
(Disclosure: Comcast is parent of NBCUniversal's NBC and CNBC. NBCUniversal is also an investor in Hulu.)