After DoctorBeet’s blog post detailing his LG TV’s shady logging practices I decided to have a look at what my own was doing.
To start off I couldn’t seem to find an option to disable logging of my watching activity, I’d guess we are using different firmware. Either way I set up a laptop as a middlebox and went about logging communications. The first thing I noticed was authentication to the server, and when you turn your TV off to standby there is also a request to deauth the session. I’m not sure how unusual this practice is but it gives LG a pretty precise measurement of when and how long you are using the TV.
Auth:
GET /rest/sdp/v3.0/c2.4/authentication.xml HTTP/1.1
Host: GB.lgtvsdp.com
Accept: */*
Content-Length:0
X-Device-ID:{SNIPPED}
X-Device-Product:BROADBAND DTV 4
X-Device-Platform:GP4I
X-Device-Eco-Info:01
X-Device-Model:HE_DTV_GP4I_AFAAABAA
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-Language:eng
X-Device-Sales-Model:42LS570T-ZB
X-Device-Netcast-Platform-Version:0003.0004.0002
X-Device-Publish-Flag:Y
X-Device-ContentsQA-Flag:N
X-Device-FW-Version:04.41.03
User-Agent:Mozila/4.0
Response 200 OK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><authentication><deviceSecret>{SNIPPED}</deviceSecret><sessionID>{SNIPPED}</sessionID></authentication>
DeAuth:
DELETE /rest/sdp/v3.0/c2.4/authentication.xml HTTP/1.1
Host: GB.lgtvsdp.com
Accept: */*
Cookie: JSESSIONID=C3F3C57B0AB40CDB723FD489B78EC3A0.node_sdp011; Path=/
Content-Length:0
X-Authentication:{SNIPPED}
X-Device-ID:{SNIPPED}
X-Device-Product:BROADBAND DTV 4
X-Device-Platform:GP4I
X-Device-Eco-Info:01
X-Device-Model:HE_DTV_GP4I_AFAAABAA
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-Language:eng
X-Device-Sales-Model:42LS570T-ZB
X-Device-Netcast-Platform-Version:0003.0004.0002
X-Device-Publish-Flag:Y
X-Device-ContentsQA-Flag:N
X-Device-FW-Version:04.41.03
User-Agent:Mozila/4.0
Response 200 OK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Network:
Digging a little further, I was seeing the same requests DoctorBeet was seeing when it was logging his media from a USB mounted drive, except I had no USB mounted drive plugged in. It turns out it was pulling filenames from my shared folders over the network and broadcasting those instead. I moved all the media out of the folder and put a few duds in named “GiantPorn”, turned the TV off and on and it was still broadcasting the old filenames. The TV couldn’t see those files whilst browsing manually so I’d hazard a guess it’s caching some of these locally. It didn’t take long though to pick up the new ones:
POST /rest/sdp/v4.0/c1.0/smartshare/search.xml? HTTP/1.1
Host: GB.smartshare.lgtvsdp.com
Accept: */*
Cookie: JSESSIONID=C3F3C57B0AB40CDB723FD489B78EC3A0.node_sdp011; Path=/
X-Authentication:{SNIPPED}
X-Device-ID:{SNIPPED}
X-Device-Product:BROADBAND DTV 4
X-Device-Platform:GP4I
X-Device-Eco-Info:01
X-Device-Model:HE_DTV_GP4I_AFAAABAA
X-Device-Country:GB
X-Device-Country-Group:EU
X-Device-Language:eng
X-Device-Sales-Model:42LS570T-ZB
X-Device-Netcast-Platform-Version:0003.0004.0002
X-Device-Publish-Flag:Y
X-Device-ContentsQA-Flag:N
X-Device-FW-Version:04.41.03
User-Agent:Mozila/4.0
Content-Length: 713
Content-Type: application/x-www-form-urlencoded
query={SNIPPED PERSONAL FILES}/sample%5Fmpeg%34:/mpegGiantPorn:/mp%34GiantPorn
Response 404 Page Not Found
Although a 404 is returned it’s pretty trivial to collect the data and serve a 404 anyway. Obviously I don’t know how/if they are logging the data but I’d prefer it wasn’t sent at all.
Now the clear problem I see with this is even if I did agree to this in any T&Cs presented to me, I doubt guests I have round using my WIFI connection would be too happy with filenames from their shared media being dispatched to LG. Personally I’m not too happy that files you assume aren’t leaving the network are having their names broadcasted to LG, even worse so that it’s unencrypted.
Again I’d like to thank DoctorBeet for bringing this to light, and I’ll be having a good look over the comms from my LG TV at the weekend.
Rambles 
