Is Your Smart TV Spying on You? Auditing IoT Traffic

Smart TVs have transformed our living rooms, offering instant access to streaming platforms, voice assistant controls, and unified smart home hubs. However, behind the sleek high-definition panels lies a massive data collection engine. Modern Smart TVs monitor user behaviors through a process called **Automatic Content Recognition (ACR)**, which logs what you watch, cataloging over-the-air broadcasts, streaming video, gaming sessions, and external media inputs.

To report this telemetry data back to corporate databases and receive control instructions, these TVs maintain continuous, highly talkative connections to your local network. This guide breaks down the communication mechanics of Smart TVs and shows you how to audit their local activity using standard network analysis techniques.

How Smart TVs Advertise on Your LAN

Before a Smart TV can communicate, it must make itself discoverable so that remote control applications on your phone or casting buttons on your laptop can route packets to it. To achieve this zero-configuration discovery, TVs broadcast advertisements across your local subnet using two primary protocols:

1. SSDP (Simple Service Discovery Protocol)

SSDP is the foundation of **UPnP (Universal Plug and Play)**. It uses UDP multicast address 239.255.255.250 on port 1900. When a TV boots up, it multicasts an SSDP announcement carrying its location URL, which typically points to an XML file containing the TV's manufacturer, model, serial number, and supported features.

2. mDNS / Bonjour

Like SSDP, mDNS announces names and service profiles over UDP multicast, in this case to address 224.0.0.251 on port 5353. TVs use it to register services such as _googlecast._tcp (for Chromecasts built into Android TVs) or _airplay._tcp (for Apple AirPlay compatible TVs).

Conducting a Smart TV Port Audit

If you perform a port sweep of a modern Smart TV (manufactured by Samsung, LG, Sony, or Roku), you will discover several open TCP ports. These ports host embedded API servers that handle control schemes and casting. Auditing these ports is crucial to understanding the TV's communication pathways:

| Common Ports | Protocol / Service | Functional Purpose |
|---|---|---|
| 8008 / 8009 | Google Cast (Chromecast) | Receives video casting commands and coordinates application startup. |
| 8060 | Roku ECP (External Control) | Allows unauthenticated HTTP GET/POST queries to navigate menus and query app states. |
| 7000 / 7100 | Apple AirPlay | Handles audio and video screen mirroring streams. |
| 8001 / 8002 | Samsung SmartView API | Hosts WebSocket connections for mobile app pairing and channel controllers. |

Security Risk Warning

Many legacy Smart TVs run unencrypted or unauthenticated API endpoints on these ports. An attacker on your local network could send raw HTTP commands to turn off the screen, change the volume, or launch malicious web page overlays.

How to Audit Your TV's Network Footprint

  1. Identify the TV's IP Address: Use an active network sweep tool like LAN Lens to scan your subnet. Identify the TV's vendor block (e.g. Samsung Electronics, LG Electronics, or Roku, Inc.) via OUI lookup.
  2. Inspect Services: Analyze the mDNS and SSDP headers. Check whether the TV is advertising service profiles that you do not use, and turn those off in the TV's system settings (e.g. disable AirPlay or HomeKit if you only use Android devices).
  3. Conduct a Port Scan: Check which of the ports listed in the audit table are open. An open port for a feature you do not use is a potential entry vector and should be monitored.
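
The following Python example is added here and is not from the original article or from LAN Lens. It carries out step 2 for SSDP: it sends one M-SEARCH query to the multicast group and lists, per responding IP, the SERVER string, LOCATION URLs and service types advertised. The function names, the `SAMPLE` reply and its 192.0.2.10 address are constructed for illustration.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # multicast group and port named in the article
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Constructed sample reply (documentation address, made-up product strings).
SAMPLE = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.10:9197/dmr\r\n"
          b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleTV/1.0\r\n"
          b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n")

def parse_ssdp(datagram: bytes) -> dict:
    """Split one SSDP datagram into a start line plus lower-cased headers."""
    first, *rest = datagram.decode("utf-8", errors="replace").split("\r\n")
    pairs = (line.partition(":") for line in rest)  # first colon only, URLs stay intact
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    return {**headers, "start-line": first.strip()}

def summarize(responses) -> dict:
    """Group (ip, datagram) pairs by sender: what does each device advertise?"""
    devices = {}
    for ip, datagram in responses:
        msg = parse_ssdp(datagram)
        dev = devices.setdefault(ip, {"server": None, "locations": set(), "services": set()})
        dev["server"] = msg.get("server") or dev["server"]
        if msg.get("location"):
            dev["locations"].add(msg["location"])  # URL of the XML device description
        target = msg.get("st") or msg.get("nt")    # ST in search replies, NT in NOTIFYs
        if target:
            dev["services"].add(target)
    return devices

def discover(timeout: float = 3.0) -> dict:
    """Send one M-SEARCH on the local subnet and summarize every reply."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on-link
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            pass  # no further replies within the listening window
    return summarize(replies)

if __name__ == "__main__":
    print("constructed sample:", summarize([("192.0.2.10", SAMPLE)]))
    print("live replies:", discover())
```

A service type that shows up for a feature you never use is a candidate for disabling in the TV's settings.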

Steps to Restrict and Secure Smart TVs

  • Opt Out of ACR (Automatic Content Recognition): Go deep into the TV's system settings. Under Privacy or Terms of Service, opt out of viewing data collection, interest-based advertising, and voice recognition storage.
  • Set Up an IoT Guest Network: Configure your home router to host a secondary, isolated "Guest" network. Put all Smart TVs, smart plugs, and smart home appliances on this isolated subnet. This prevents a compromised TV from scanning or accessing personal computers, NAS storage, and phones.
  • Disable UPnP on Your Router: While UPnP makes connection setup easy, it also allows smart devices to automatically open inbound ports on your wide-area internet connection. Disabling UPnP at the router firewall layer is a key security step.

Audit IoT Device Open Interfaces with LAN Lens

Take control of your home network security. With the LAN Lens app, you can map active subnets, verify what services smart TVs advertise, run localized port audits, and trace active MAC vendor assignments completely locally with 100% user data protection.
