LG says it will push out firmware update for spy TVs, but fails to apologise

Graham Cluley


Smart TV manufacturer LG, which is embroiled in a controversy after reports that their devices were spying on what channels viewers were watching, has issued a statement.

Here it is:

At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers’ privacy is a very important part of the Smart TV experience so we began an immediate investigation into these claims. Here’s what we found:

Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.

It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.

LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion

So, let’s look at the statement bit by bit:

Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information.

Surely what *I* watch on *my* TV in my *own* home is personal information? I don’t want to share it with anyone else. Although I agree it would be more troublesome if it could be easily identified with me specifically.

This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching.

More relevant adverts? I’m not sure how that really tunes in with “improve [the] Smart TV experience”. I would imagine that many LG Smart TV owners would, like me, choose to not have any adverts at all introduced by their television.

Recommendations? Okay, well maybe. But that’s something I’d like to have the choice of opting into, rather than have to try to find a way of avoiding.

We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information

LG options screen. Source: DoctorBeet

Oh dear oh dear. Clearly whoever coded that part of the LG Smart TV firmware forgot the part about how “customers’ privacy is a very important part of the [LG] Smart TV experience”.

although the data is not retained by the server.

Well, that’s something I suppose. Although presumably it is retained for *some* period of time, otherwise how would the adverts and recommendations be possible?

A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.

Good. Let’s hope people apply the firmware update.

But why not go one step further, LG, and have data transmission turned *off* by default – and put the onus on consumers to enable the functionality if they actually want adverts and recommendations? At least then they will be more aware that they are sharing information with LG.

It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs.

Which, you have to admit, could be embarrassing if you are watching a file called Midget_porn_2013.avi.

Network traffic from LG Smart TV mentioning “Midget_Porn_2013.avi”. Source: DoctorBeet

While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience.

Presumably LG was also planning to enable this “feature” by default?

This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.

Glad to hear that it’s being removed with the firmware update, but how on earth do features that have only been partially implemented manage to ship in hundreds of thousands (maybe millions) of TVs that end up in consumers’ front rooms?

What does this say for LG’s quality control if surplus code, which hasn’t been properly tested, that sends details of what should be confidential filenames in *plaintext* across the internet, doesn’t get picked up before the product is bought?

LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion

And there we have it.

LG is sorry if the media reports concerned you.

But they’re not sorry about what they did.

At least, I assume they’re not sorry because they’ve passed up the opportunity to apologise to the consumers who may find it disturbing that their TVs were spying on their viewing habits, and the files on their USB sticks.

And they’re not saying sorry to the users who may have realised what LG was logging, and turned off the feature – not realising that the TVs still behaved precisely the same, even when the feature was seemingly disabled through the options screen.

All they had to do was say, “We’re sorry. We screwed up”. How hard is that?


What’s gone so wrong with big companies that they can’t simply say *sorry* when they screw up?

See also: LG fumbles response to Smart TV spying revelation, withdraws Smart Ad video


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

16 comments on “LG says it will push out firmware update for spy TVs, but fails to apologise”

  1. Sam Spade

    Here's something to ponder. 1) Was the info transmitted with a unique ID? ("UID") 2) Could that UID be tied to, for example, a TV serial number? 3) Can that serial number be tied to, for example, warranty or other owner registration? If the answers are yes, then guess what, any information transmitted with such a UID that can be tied, even after two or three steps, to PII, becomes PII itself.

  2. John

    I think they're simply being sincere. They aren't sorry, so why do you expect them to apologize? Having worked in the field, this type of data collection is fawned over by pretty much all the higher ups.

  3. paul

    Nothing to comment, but I swear my next TV is not from LG.

  4. Matt

    It's interesting how their first response to DoctorBeet was basically "you bought the TV, deal with it", but they quickly changed their tune when one complaint turned into a PR disaster.

    LG – We don't give a stuff about your problem unless it costs us sales.

  5. qsaxffo

    Today my TV upgraded to a new software version; in this new so-called fix they have done two things. 1. The option to collect info in the main menu has gone. 2. A new service agreement is forced on the user, where he/she agrees to give personal information; this information can be shared with third parties and sent to South Korea. If I don't agree to this agreement, my TV is just a dumb TV, none of the options work. Is that what they call a fix? Looks like lawyers fixed this problem rather than the RD team.

  6. StuC

    I am pretty sure that several of the other manufacturers are up to similar tricks. My Philips TV needed to be in pretty much constant contact with the Internet based EPG in order to record anything – no Internet then no recording. Since I record most of what I watch in order to avoid advertisements it is clear that they received pretty much all my viewing information.

    My Solution: I bought a cheap non IP enabled receiver that uses the transmitted EPG and use a Raspberry Pi (+ XBMC) for the digital stuff.

  7. Brian

    Was drawn to this when my "telly" asked me to update firmware / software 9mins. When I tried to access the "home page" I got a whole book on LG updating its "privacy" policy. I took it that they wanted me to sign up to them spying (agree) or "disagree" which left me without the "smart" part of my "telly". As a retired sick of tech used to be into tech (first PC circa 1978) I'm sick to death of this implanted stealth software that beams anything and everything it can gather and sends it back to Big Brother central. There is not a lot you can do even if you are of technical mind it should just not be there in a democratic country like the UK. I have nothing to hide but I do fear totalitarianism. Anyhoo I got my horse before my cart and learned (because I wouldn't press agree without thinking) that this is in fact the update to stop spying that I've had no idea about. So thanks Graham and I'm a guy who doesn’t write or say a thing unless I have to. These corporates must learn and I will remember this LG when I next purchase a TELLY.

  8. Cody

    John is spot on and I would think that Graham knows this instinctively but he is trying to be fair and/or giving them the benefit of the doubt. Aside from that, no, LG is not sorry and so they won't apologise (or if they do it would surprise me).

    I've had issues with LG before too (including rude support and when I asked to speak with a manager they claimed they were a manager which may or may not have been a lie but either way I've never liked LG since). That was years ago and nothing to do with TV (I don't actually watch TV).

    As for the following:
    "Glad to hear that it’s being removed with the firmware update, but how on earth do features that have only been partially implemented manage to ship in hundreds of thousands (maybe millions) of TVs that end up in consumers’ front rooms?

    What does this say for LG’s quality control if surplus code, which hasn’t been properly tested, that sends details of what should be confidential filenames in *plaintext* across the internet, doesn’t get picked up before the product is bought?"

    I think it's fair to say that it was implemented this way purposely and that it has nothing to do with quality control but rather claiming to care about security but only under their terms (or definition of security). The files shouldn't be transferred at all even (and that it does makes me think of spyware more than anything else). In other words, you're absolutely correct: they will apologise only about the report concerning them and nothing else. If it wasn't discovered (and made public) they would almost assuredly keep it that way (and not because it is a bug in the programming sense – not known – but rather it was intentional). And yes, you're also spot on about it being kept for some duration (and realistically even transferring it is enough of a problem) and that it is still a problem. I would argue it is hardly better than keeping it indefinitely (in some ways it is worse because it is hiding the truth: they get the details they want and then they remove the evidence!).

    1. Anon · in reply to Cody

      I will not consider LG for my next purchase. 100 quid cheaper than the 'other' brand I have had good experiences with. What did I get? A spy in the lounge which had the slowest software & broke down after 8 months! Then was greeted with poor customer service – about as quick as their software! They treat their customers like a dodgy 2nd hand car salesman!

  9. BD

    Am I missing something here? I have a Samsung F6800 – 2013 smart TV which appears to do exactly the same in terms of data gathering as the LG smart TV set; however, Samsung do not provide any opt out provision. Why has nothing been published about Samsung? Samsung's response to questions in this regard were, to say the least, vague.

  10. Anirud

    Now here is the problem I see. Can I trust a company which was silently doing all these things and confesses to the action only when confronted? I would like to ask people here whether they really trust LG when it says that it will remove the USB collection feature in the smart TVs. Yes, we have removed that feature but we have put in another feature which collects even more information and we did not tell you about it because you never asked? And one more thing— in America all these things somehow become transparent and subject to scrutiny. Perhaps in much of western Europe, and maybe in places like Australia and to some extent in India. But what about regimes like China, some countries in Africa etc? Would not those regimes love to have their citizenry using these smart TVs and then these companies are abetting that?

  11. Cata

    Let me tell you something interesting about one of these LG Smart TV models. I am from Romania and you see how Graham's picture looks like, the one from "Option" with UK in Country section, well let me tell you that when you select Romania or any other country from its menu (most of them in that menu being from East Europe) there is no option like "Collection of watching info" section, there is straight "balloon helper"… now I will admit that I've made the new update 2 days ago. So is the new firmware or is just a software created without this option to be turned off for East Europe?

  12. John

    My LG TV just performed an update and when it was complete it prompted me to agree to their T&C and Privacy Policy. The privacy policy basically says that they have the right to gather whatever information that they want, personal or otherwise including your voice commands if you have a smart remote. If you don't agree to these policies then the majority of the smart features on your TV will not work. I can't believe that they can legally make a change like that after you have purchased the TV. One of the main reasons I purchased this TV was so I could use the smart features that are now inoperable unless I agree to their privacy policy. Emails to their support and customer service have gone unanswered.

    1. Pyotr Magpie · in reply to John

      John! I just received the same message on my 3D LG – what the … ???

  13. I have another concern which is the use of my Broadband service. I want compensation for what is essentially the theft of a service that I pay for!

  14. Graham Thomas

    Tie the MAC address down in your router. And use the firewall features to block everything and whitelist Netflix, iPlayer and Amazon Prime.

    I'll admit I only gave it a little thought and I use a Zyxel USG device. So this avenue may not be open to all.
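
The allowlist approach in the comment above can be checked against a traffic capture. The following is an added example, not part of the original post or comment: it flags requests from the TV's MAC address to hosts outside an allowlist, and plaintext requests whose body contains a local file name. The MAC addresses, host names, file name and allowlist suffixes are constructed placeholders; a real allowlist needs every host the streaming services actually use.

```python
"""Audit a smart TV's outbound requests against an egress allowlist."""
from dataclasses import dataclass

# Assumption: illustrative suffixes for the services named in the comment.
ALLOWED_SUFFIXES = ("netflix.com", "bbc.co.uk", "amazon.co.uk")

@dataclass
class Request:
    src_mac: str
    host: str
    scheme: str  # "http" = plaintext, "https" = TLS
    body: str    # only readable on the wire for plaintext traffic

def host_allowed(host, suffixes=ALLOWED_SUFFIXES):
    # Match on a label boundary so "notnetflix.com" does not pass.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit(requests, tv_mac, local_files):
    """Return (host, reason) findings for traffic sent from the TV's MAC."""
    findings = []
    for r in requests:
        if r.src_mac.lower() != tv_mac.lower():
            continue  # other devices on the LAN are out of scope
        if not host_allowed(r.host):
            findings.append((r.host, "not-allowlisted"))
        if r.scheme == "http":
            leaked = [f for f in local_files if f.lower() in r.body.lower()]
            if leaked:
                findings.append((r.host, "plaintext-filename:" + leaked[0]))
    return findings

# Constructed sample capture; every value below is a placeholder.
TV_MAC = "02:00:00:aa:bb:cc"
SAMPLE = [
    Request(TV_MAC, "www.netflix.com", "https", ""),
    Request(TV_MAC, "ads.tv-vendor.example", "http", "channel=BBC+One&src=antenna"),
    Request(TV_MAC, "ads.tv-vendor.example", "http", "file=holiday_video.avi"),
    Request("02:00:00:11:22:33", "news.example", "http", "holiday_video.avi"),
    Request(TV_MAC, "notnetflix.com", "https", ""),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE, TV_MAC, ["holiday_video.avi"]):
        print(host, reason)
```

Running the same audit on captures taken before and after switching the collection option off shows whether the setting changes what the set transmits.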
