Several Smart TVs from Samsung and others using the Roku TV platform, as well as media players from that company, are susceptible cyberattacks, according to Consumer Reports, a claim denied vehemently by Roku.
Consumer Reports said the flaws are in the various APIs used to control different aspects of the devices, such as changing channels or setting volume. The product review publisher said the vulnerabilities do not result in personal information being pulled from the products. It was discovered that Roku's remote control API is delivered unsecured by default allowing even a novice hacker to gain control.
In order to take advantage of this flaw an attacker would have to be connected to the same Wi-Fi network as the television or streaming device. Many TV manufacturers, including TCL, Hisense, Hitachi, Insignia, Philips, RCA, and Sharp along with Roku's own Ultra media streaming device use this API, Consumer Reports said.
Gary Ellison, Roku's VP of Trust Engineering, wrote in a blog that the Consumer Reports review is incorrect and the API is secure.
“Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers' accounts or the Roku platform with the use of this API,” Ellison said.
He added that the remote control app function can also be disabled by the user in settings.
The issue with the Samsung models tested also involved an API and could only be exploited if the TV owner had previously used a remote control app from a mobile device with the TV and then opened a malicious webpage with that device. Which webpage was not mentioned.
Samsung told Consumer Reports that it will patch the issue with an upcoming update.