Cox deletes ‘Active Listening’ ad pitch after boasting that it eavesdrops through our phones

          • piecat@lemmy.world · 9 months ago · 4 up, 5 down

            There’s a dozen ways they could jump the air gap.

            Ultrasonic to a phone or Alexa/Siri/etc, connect to an unsecured network, send data to a neighbor’s smart TV which is connected to Internet, Bluetooth or other to a phone

          • GenderNeutralBro@lemmy.sdf.org · 9 months ago · 9 up, 1 down

            Sorry if this is a noob question, but…how?

            DNS will tell you the server name and address, which would just be some server owned by the company. Nothing weird there unless they have the chutzpah to name it something telling. They could even bypass DNS entirely with hardcoded IP addresses.

            Timing wouldn’t be a great indicator either if they aggregate requests.

            They could slide anything nefarious in with daily software update checks or whatever other phone-homing they normally do, and without deep packet inspection or reverse engineering the software, it would be very difficult to tell.

            I don’t think Wireshark can do deep packet inspection, can it? Assuming the client is using SSL and verifying certs, maybe even using cert pinning?

            Size would be a big indicator if they’re sending full voice recordings, but not if they’re doing voice recognition locally and only sending transcripts, metadata, or keywords.

            I’ve never actually done this kind of work in earnest, and my experience with Wireshark is at least a decade out of date. I’m just approaching this from the perspective of “if I were a corporate shitbag, how would I implement my shitbaggery?”

            • Encrypt-Keeper@lemmy.world · 9 months ago · 3 up, 2 down

              The answer is: it wouldn’t. You’re right on the money, you couldn’t do anything other than speculation.

              • Serinus@lemmy.world · 9 months ago · 1 up

                First, someone would be able to prove that communication is happening. Second, if the keys are stored locally, and the original packets saved, the encryption can be reverse engineered.

                Encryption prevents man in the middle attacks. If you have one of the ends, you can usually get the data. If you have the device that’s doing the encryption of the data, and you have the encrypted data, you can decode the data. It’s just a matter of getting through obfuscation at that point.

                The reason this hasn’t been done yet is that it’s not happening yet. CMG was lying in their advertising.

              • BeardedGingerWonder@feddit.uk · 9 months ago · 1 up

                Just spitballing here but you might be able to try and correlate the amount of data sent with how much real life activity there was. Say, have silence for a week around the TV then play recorded speech near it for a week and see if that changes the frequency or size of the data being sent back home. Then do this for random 1/2/3 day periods. If offline text to speech is as crap as I’ve heard then the increased data transfer should stick out pretty clearly.
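The silence-versus-speech experiment proposed in the comment above, written out as an added example (not part of the original thread): a permutation test on per-day upload volume from the TV. All byte counts are constructed sample data, and the two "devices" are hypothetical; in practice the counts would come from router flow logs or a packet-capture summary.

```python
import random

# Constructed sample data (not measurements): KB uploaded by the TV per day,
# e.g. summed from router flow logs filtered on the TV's MAC address.
SILENT = [2100, 2350, 1980, 2240, 2410, 2050, 2300]
# Hypothetical device A: uploads raw audio, so speech days are far larger.
SPEECH_RAW_AUDIO = [31800, 29500, 34100, 30250, 33700, 28900, 32400]
# Hypothetical device B: recognises speech locally and sends only keywords.
SPEECH_KEYWORDS = [2120, 2310, 2010, 2260, 2380, 2090, 2330]

def mean(xs):
    return sum(xs) / len(xs)

def permutation_p_value(silent, speech, rounds=5000, seed=1):
    """One-sided p-value: chance that randomly relabelled days show a
    speech-minus-silent gap at least as large as the observed one."""
    rng = random.Random(seed)
    observed = mean(speech) - mean(silent)
    pooled = list(silent) + list(speech)
    n = len(silent)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        if mean(pooled[n:]) - mean(pooled[:n]) >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)  # add-one so p is never exactly 0

def assess(silent, speech, alpha=0.05):
    """Summarise the experiment: extra upload per speech day and whether
    the increase is distinguishable from day-to-day noise."""
    p = permutation_p_value(silent, speech)
    return {"extra_kb_per_day": round(mean(speech) - mean(silent)),
            "p_value": p, "tracks_speech": p < alpha}

if __name__ == "__main__":
    print("raw audio:", assess(SILENT, SPEECH_RAW_AUDIO))
    print("keywords :", assess(SILENT, SPEECH_KEYWORDS))
```

With this sample data the raw-audio device stands out clearly, while the keyword-only device is lost in the normal day-to-day variation, which is the limitation raised earlier in the thread about transcripts and metadata.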

  • redcalcium@lemmy.institute · 9 months ago · 29 up

    Chance that it’s just marketing people talking out of their asses again, but then again, we have a lot of cheap smart devices with dubious firmwares so it might be possible on those sketchy devices.

    • patchexempt@lemmy.zip · 9 months ago · 18 up

      I’ve worked with marketers for years. many of them have a blind spot for what they create: they can realize something is irritating, or invasive, but not when it’s their marketing, which is obviously superior and what people want to see. it’s some sort of artist+marketer brainrot.

      sorry to generalize, I’ve just seen it a lot over the years.

      I imagine this is something like it: we’ll reach them with the perfect message, it’ll be exactly what they want! won’t that be delightful?

      …completely ignoring how horrifying it is.

    • JoBo@feddit.uk · 9 months ago · 7 up

      This was a pitch to their customers. They just forgot that we could hear them too.

  • iforgotmyinstance@lemmy.world · 9 months ago · 16 up, 1 down

    Many companies already do this, but advertising it is unpalatable. Just be like Google and Facebook. For a while the Facebook app was so bad about it that it caused significant battery drain and the only way to avoid it was to remove the app.

  • patchexempt@lemmy.zip · 9 months ago · 12 up

    this was such a weird claim, and I never really understood how it could be true specifically for phones, where they aren’t in control of system software. there’s like a gradient of possibility here:

    • Android phones from major manufacturers, and Apple phones: doubt it. those things are too heavily scrutinized, someone would’ve found it, and the companies that make them don’t have the impetus.
    • official “smart” voice devices from Amazon, Google, et al: doubt it, same reasoning as above
    • Android phones from small players, heavily subsidized models, etc.: sure, could be
    • smart TVs from major manufacturers: probably not? medium “maybe”? I bought one of these with a hardware mic switch so I guess that shows my paranoia
    • other smart TVs: I dunno, feels highly likely

    so: I’m careful about what I use so my risk felt pretty low, but I also feel like if this were true security researchers would’ve discovered it. let alone the fact that what they describe is bandwidth and battery intensive (off-device or on-device respectively, I don’t remember what they claimed as I read the 404 media report some weeks back) but it still makes me wonder: what led them to make these claims then? fascinating, pretty scary.

    • GenderNeutralBro@lemmy.sdf.org · 9 months ago · 8 up, 1 down

      The spying that’s openly admitted in terms and conditions should be alarming enough — if anyone actually read and understood all the legalese. Consider this: https://time.com/5568815/amazon-workers-listen-to-alexa/

      I’ve seen Android phones activate Google Assistant seemingly at random many many many times. They’re only supposed to activate when called by a specific phrase like “okay Google”, but there are plenty of false positives, and every time that happens, an audio recording gets sent to Google. Same deal with Alexa and Siri. This is, of course, allowed by the terms and conditions.

      At least Android makes it visible to the user when this happens. I wouldn’t bet on smart TVs doing the same.

      At this point there’s not much you can do about it. Even if I secure my own devices and my own home network, that all goes out the window the second anyone else walks in my door with their own smartphone.

      That said, I agree that the claim is likely false with third-party apps on modern smartphones from major brands. It’s not easy for background activities to access the camera or microphone without the user’s knowledge on iOS or Android. First-party and second-party spying is hard to avoid, though.

      • t3rminus@lemmy.world · 9 months ago · 4 up

        Except Siri processing is actually done on your device, as of iOS 15. Which kind of blew my mind when it was announced.

        Nothing is sent to Apple unless you request an online service (such as weather, maps, etc.) or unless you allow your recordings to be sent.

        Try it: in airplane mode on an iOS 15 device: Siri still works at a basic level. Language processing happens locally.

    • dan_linder@lemmy.world · 9 months ago · 7 up, 1 down

      My take is twofold: 1- Marketing overselling their product (common practice) 2- The “always listening” devices are mainly their Smart Remotes that have a microphone built in.

      #2 seems the most likely, as it is a device fully in their control and they can pull as much ad marketing / information gathering details from it as they want.

    • DontTakeMySky@lemmy.world · 9 months ago · 2 up

      It’s especially weird when the existing targeting can be so effective for much cheaper.

      For TVs, for example, they can see what you watch, when, what ads you mute and which you don’t, what you display over HDMI (content ID), the other devices on your network, your location, your accounts for every streaming service, what you search for. Then if you install their companion app they learn the other apps on your phone, your location habits, the media you play on your phone (looking at you Bose connect app…), Bluetooth and network devices you are near (connecting you to other profiles they know), and probably a lot more.