Your Sound Bar Is Spying On You
Christmas Eve, 2019. My wife is wrapping gifts, my kids are playing with the dog, reading, and generally doing whatever kids their age do. How do I spend my Christmas Eve, you ask? By reviewing my firewall logs, of course.
Sidebar: I run pfSense on custom hardware and have a variety of packages installed and enabled that block malicious IPs, content, and ads, and filter things my teenager thinks he should be able to search for but shouldn’t really.
I recently bought a new Vizio sound bar on Black Friday. Connected it up, didn’t think much about it after that.
Until I started browsing my firewall logs.
I noticed a LAN address my DHCP server had handed out that I didn’t recognize (I’m pretty anal about knowing what’s on my network). Curious, I searched the vendor of the MAC address. Turns out it’s Vizio!
Strange, I thought. I never connected any Vizio device to my wireless. So I created a static DHCP assignment for the MAC address and added a rule to my firewall to block that address and log any hits. It didn’t take long for them to show up in my logs. Who is my sound bar trying to communicate to, you ask? Why, none other than Google and Amazon!
Leighs-MBP:~ leigh$ whois 172.217.9.227
[bla bla bla]
NetRange: 172.217.0.0 - 172.217.255.255
CIDR: 172.217.0.0/16
NetName: GOOGLE
NetHandle: NET-172-217-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2012-04-16
Updated: 2012-04-16
Ref: https://rdap.arin.net/registry/ip/172.217.0.0
Leighs-MBP:~ leigh$ whois 52.45.38.18
[bla bla bla]
NetRange: 52.32.0.0 - 52.63.255.255
CIDR: 52.32.0.0/11
NetName: AT-88-Z
NetHandle: NET-52-32-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2015-09-02
Updated: 2015-09-02
Ref: https://rdap.arin.net/registry/ip/52.32.0.0
In the past three hours since I enabled a rule to block my sound bar from communicating with the Internet, there have been over 5,000 hits in my firewall’s logs.
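As an added example (not the author's code), a short Python script that does the same triage offline: it parses constructed pfSense-style filterlog lines, keeps only blocked flows from the sound bar's address, and labels each destination with the owning netblock taken from the whois output above. The log layout, the sound bar's address and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Netblocks copied from the whois output above; anything else is "unknown".
NETBLOCKS = {
    ipaddress.ip_network("172.217.0.0/16"): "Google LLC (GOGL)",
    ipaddress.ip_network("52.32.0.0/11"): "Amazon Technologies Inc. (AT-88-Z)",
}

# Constructed sample lines (not real logs) following the pfSense 2.2+ filterlog
# CSV layout (assumption): rule,subrule,anchor,tracker,iface,reason,action,dir,
# ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst,srcport,dstport,...
SOUNDBAR_IP = "192.168.1.57"  # hypothetical static DHCP lease for the sound bar
SAMPLE_LOG = """\
Dec 24 19:02:11 pfSense filterlog: 12,,,1577221331,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.57,172.217.9.227,49152,443,0,S,
Dec 24 19:02:12 pfSense filterlog: 12,,,1577221331,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.57,172.217.9.227,49153,443,0,S,
Dec 24 19:02:14 pfSense filterlog: 12,,,1577221331,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.57,52.45.38.18,49154,443,0,S,
Dec 24 19:02:15 pfSense filterlog: 12,,,1577221331,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.57,203.0.113.10,53211,53,58
Dec 24 19:02:16 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,52.45.38.18,50001,443,0,S,
"""

LINE_RE = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")

def parse_line(line):
    """Return (action, src, dst, dstport) for an IPv4 TCP/UDP line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return f[6], f[18], f[19], int(f[21])

def classify(ip):
    """Map a destination address to the owning netblock from the whois data."""
    addr = ipaddress.ip_address(ip)
    for net, org in NETBLOCKS.items():
        if addr in net:
            return org
    return "unknown"

def summarize_blocked(log_text, src_ip):
    """Count blocked flows from src_ip, keyed by (organization, dst, dstport)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] == "block" and rec[1] == src_ip:
            hits[(classify(rec[2]), rec[2], rec[3])] += 1
    return hits

for (org, dst, port), n in summarize_blocked(SAMPLE_LOG, SOUNDBAR_IP).most_common():
    print(f"{n:5d}  {dst}:{port}  {org}")
```

Pointing the script at a real export of the firewall log (and extending NETBLOCKS with further whois lookups) turns a wall of thousands of hits into a short table of who the device is trying to reach and on which port.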
This led me to the privacy policy, which I found by searching for the manual of the sound bar’s model number. Wouldn’t you know it, Vizio collects all kinds of information about what you’re watching! They use it to sell you ads.
VIEWING DATA SUPPLEMENT TO THE PRIVACY POLICY
Viewing Data -- Overview
Like many internet-connected TVs, VIZIO Smart TVs or other display units are equipped with Automated Content Recognition (ACR) technology that (when enabled) is able to use video and audio data to recognize what is playing on the TV and send information back to VIZIO about what is showing (“Viewing Data”).
This feature was formerly called “Smart Interactivity,” but we are referring to the feature in our policies and settings today and in the future as “VIEWING DATA.” You have the option to turn this feature off at any time directly from the Settings menu of your TV or video display. Viewing Data will only be collected from units that choose to “AGREE” to collection and use of Viewing Data. Thereafter, at that time, and any time after, you will have the option to change the setting for the ACR feature/Viewing Data collection off or on. Disabling Viewing Data will not, however, affect or limit Activity Data collection through the SmartCast Product. Reminder for SmartCast Product users: Viewing Data may be combined and associated with a myVIZIO account name if you create one or link to it. Please review the SmartCast Supplement for further information. The information we collect about what is playing on the TV or video display will be used by VIZIO in the aggregate to help improve the design of our products, software and services, and by media companies and advertisers to gain insights at a summary level about programming and ad effectiveness. Viewing Data may also be used to tailor the ads or content you see on devices that share the same IP address as the VIZIO device. VIZIO’s data partners are sometimes authorized to enhance Viewing Data with household demographic data and other online and offline data (e.g. purchases, location, and other consumer behaviors they have separately collected, including on devices also associated with the same IP Address as the VIZIO products).
By now it’s no surprise to anyone that smart TVs collect this information, and even your headphones aren’t immune. I didn’t expect my damn sound bar to be spying on me, though.
To be fair, Vizio clearly states in their privacy policy what data they collect, and what they do with it.
However.
I’m one of those people that reads the privacy policies of every app they install, and every service they use or sign up for. I never would have agreed to this privacy policy or clicked ‘AGREE’ on anything. How did this happen? Two possibilities exist:
I agreed to this without realizing it.
The sound bar is communicating without my consent.
The first option is highly unlikely. I’m a pretty shrewd customer, as they say, and don’t blindly click ‘agree’ or ‘accept’ on anything. Though, I am human, and thusly won’t rule out the possibility that a privacy policy got snuck in somewhere without my noticing.
As for the second? Impossible to tell, as the outbound stream is encrypted.
What is my sound bar sending? I have no idea. According to their privacy policy, which has other sections that are at least as disturbing as the above (including the personalization of your data should you be foolish enough to have and sign in to their SmartCast app with a Google or Facebook account), it could be anything and everything around my viewing habits.
Of deeper concern, however, is what this means for the average user. I’m not the most technically savvy of users, but I’m more so than others at least, and if my paranoid self was unwitting, how are most people supposed to protect themselves against this?