rokuConsumer Reports this week posted a story that raises questions about the security and data stewardship of Roku devices. Roku, in turn, released a statement that said its products are safe to use. The Consumer Reports, Roku exchange focuses on two areas.

The first is that smart TVs using Roku products can be taken over by hackers. The second is that the detailed information collected by the televisions can be combined with other data to paint an uncomfortably precise picture of the user’s tendencies and habits.

Consumer Reports, Roku Exchange Fire
The findings emerged from a privacy and security study of televisions from Samsung, LG, Sony, Vizio and others. The televisions use the Roku TV smart TV platform and streaming devices such as Roku Ultra, CR says. The testing was part of CR’s new Digital Standard, which was developed by the company in partnership with cybersecurity companies and privacy organizations.

The first vulnerability would allow what CR described as “a relatively unsophisticated hacker” to control channels, display content of their choosing and change volume levels. It would not allow the hacker to spy or steal information. The flaw was traced to an application programming interface that enables developers to make their products work with Roku, which CR claims is done in an unsecured manner. The flaw apparently is well known and the subject of chat discussions since 2015.

The collection of data on programming preferences uses a technology called automatic content recognition. ACR can be turned off, but the user may not have the technical acumen to do so.

Moreover, doing so would severely limit the device’s functionality, according to the CR investigation.

Gary Ellison, whose LinkedIn profile says he is Roku’s Vice President of Trust Engineering, said in a company blog post that Roku TVs and players are not vulnerable to hacking and that the CR story was based on a “mischaracterization of a feature.”

“Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.

Ellison also wrote that the customers must opt-in to use the ACR feature and provided instructions for disabling it.

The goal of the Digital Standard is to set expectations about how to handle privacy, security and other digital rights, CR says. Test results will be included in CR’s recommendations in the future.