The Consumer Reports group has evaluated top smart TV brands and found that popular Roku-based TVs are vulnerable to unsophisticated web hacks which can switch channels, alter the volume, play any content on YouTube, or cut the TV’s wifi connection.

Meanwhile, all tested TVs raised privacy concerns by collecting highly detailed information about viewing preferences. Options to limit this data collection were commonly concealed, and interface design subtly steered users toward consenting, while core and other useful features would often be disabled for those who refused. Consumer Reports notes:

The [Sony] set uses Google’s Android TV platform, and consumers have to click yes to Google agreements, even if they don’t plan to connect to the internet. Even though you can’t skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology. And, Sony said in an emailed statement, “If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.”

The latest smart TVs are already doubling as virtual assistants, which further amplifies privacy risks. Over two-thirds of TVs bought in North America in 2017 were internet-capable, many also equipped with microphones for voice commands.

Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers.

A security flaw enabling malicious remote control of basic functions became apparent when testing a TCL-branded unit running a Roku platform (shared with Hisense, Hitachi, Insignia, Philips, RCA, and Sharp models):

To become a victim of a real-world attack, a [Roku-based] TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.

The flaw lies in a “totally unsecured remote control API”, and the only protection comes in the form of disabling the External Control feature (and, by extension, the ability to use Roku’s own app).
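As an added self-check, not code from the article or from Consumer Reports: once External Control has been switched off on a Roku TV, this script confirms that nothing on the home network can still reach the unauthenticated API. It assumes Roku's publicly documented External Control convention (an HTTP service on TCP port 8060 with a `/query/device-info` endpoint), which the article itself does not state, and takes the TV's LAN address as an argument; the IP address in the script is a placeholder.

```python
"""Self-check: is a Roku TV's External Control API still answering on the LAN?

Assumption (from Roku's developer documentation, not from the article):
the API is an unauthenticated HTTP service on TCP port 8060 whose
/query/device-info endpoint returns a small XML document.
"""
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

ECP_PORT = 8060  # assumed port of Roku's External Control Protocol service


def parse_device_info(xml_text: str) -> dict:
    """Extract a few identifying fields from a device-info XML response."""
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("friendly-device-name", "model-name", "serial-number"):
        node = root.find(tag)
        fields[tag] = node.text.strip() if node is not None and node.text else None
    return fields


def check_external_control(host: str, port: int = ECP_PORT, timeout: float = 2.0) -> dict:
    """Return {'reachable': bool, 'info': dict | None, 'error': str | None}.

    reachable=True means any device on the same network can drive the TV
    without authenticating, i.e. External Control is still enabled.
    """
    url = f"http://{host}:{port}/query/device-info"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        return {"reachable": True, "info": parse_device_info(body), "error": None}
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        # Connection refused or timed out: the API is off, or the host is wrong.
        return {"reachable": False, "info": None, "error": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder IP
    result = check_external_control(target)
    if result["reachable"]:
        print(f"External Control is still ENABLED on {target}: {result['info']}")
    else:
        print(f"No External Control API answering on {target} ({result['error']})")
```

Run it against the TV's address after the setting change; a "still ENABLED" result means the mitigation did not take effect.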

A Samsung TV was far less vulnerable, requiring its app to have been previously authorized on a mobile device, then a malicious webpage to be opened on the same device. This flaw will be resolved in an imminent Samsung update.

Users can best protect themselves by resetting their TV to factory settings so that they can work carefully through the setup options, then, if necessary, disabling ACR via settings buried “three or four menus deep” (directions compiled here). Alternatively, shut off the TV’s wifi connection and add a standalone streaming device that carries fewer risks.