How Hackers Hack Smart TVs — and How to Protect Yourself
How attackers target Samsung, LG, Roku and other smart TVs — and how to lock yours down.
Defender's Guide
This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, scroll to the recovery section below.
What attackers want from Smart TVs
Smart TVs have quietly become one of the most-attacked IoT categories. Connected to your home network, running apps with access to microphones and cameras, collecting viewing data, and in many cases running outdated firmware with no realistic path to updates — smart TVs combine the attack surface of a computer with the update cadence of a household appliance. The FBI issued a public warning about smart-TV security in 2019; the situation has not substantially improved.
The realistic threats span remote exploitation (vulnerabilities in TV apps and firmware), privacy intrusion (excessive data collection, microphone access, viewing-tracking), cross-device attacks (the TV used as a pivot point to reach other devices on the home network), and in some documented cases, cameras being accessed by external attackers. Physical-access attacks also matter: any smart TV accepting USB or HDMI-CEC inputs exposes a broader attack surface than its remote interfaces alone.
For most users, the appropriate framing is that a smart TV is a compromised computer in your living room that you cannot meaningfully secure at the platform level — manufacturer security practices vary dramatically (Samsung and LG are better; off-brand Android TV boxes are frequently worse), firmware updates often stop within 3-5 years of purchase, and the data collection is extensive by design. The defensive strategy is network isolation and intentional feature disabling, not trying to "secure" the TV itself.
How attackers actually do it
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Outdated firmware with known vulnerabilities
Manufacturers typically provide firmware updates for 3-5 years after launch. After that, disclosed vulnerabilities remain permanently exploitable. Older smart TVs still connected to the internet accumulate known-exploitable issues continuously. This is particularly prevalent on Android TV boxes, where custom firmware forks abandon updates quickly.
Malicious or compromised apps
Samsung Tizen, LG webOS, Android TV, Roku OS — all support third-party apps of varying quality. Malicious apps or compromised legitimate apps can abuse microphone, camera, and network access. App-store curation varies by platform; Android TV (especially sideloaded apps) has the most frequent issues.
Network-accessible services on the TV
Many smart TVs expose DIAL (Discovery And Launch), DLNA, Chromecast, AirPlay, and other services on the local network. Some have been found to accept commands or expose data without authentication. Attackers on the same Wi-Fi (compromised home network, guest abuse, IoT-device compromise) can often interact with the TV in unintended ways.
ACR (Automatic Content Recognition) data collection
Most smart TVs use ACR to track what you watch, not just in the TV's built-in apps but also on HDMI input from cable boxes, gaming consoles and DVD players. This data is sold to advertisers, data brokers, and analytics platforms. This is not "hacking" in the traditional sense, but it is relevant to the realistic threat model of data exposure.
Microphone-access abuse by voice-assistant features
Voice-control features (Samsung Bixby, LG ThinQ, Alexa/Google integration) require always-listening microphones. There are documented cases of accidental recordings being uploaded, microphone transcripts being reviewed by contractors, and voice data being retained for extended periods. This is not a remote attack in the traditional sense, but it is relevant to understanding the whole threat model.
Webcam exposure where TVs have built-in cameras
Older Samsung models had built-in cameras; some current high-end models still do. Access to the camera via TV compromise has been demonstrated in research contexts. A physical cover, or unplugging the camera if it is detachable, is the reliable mitigation.
Being a pivot point to other home network devices
A smart TV compromise grants the attacker a foothold on your home network. From there, scanning and attacking other devices (NAS, home-automation hubs, laptops) is possible. This is particularly concerning on flat home networks where IoT devices and main computers share a subnet.
How to recognise compromise
Signs that your smart TV may have been compromised:
Unexpected apps appearing on the TV
The TV home screen shows apps you did not install. This is a post-compromise pattern, especially on Android TV platforms. Uninstall them immediately; factory-reset if the pattern persists.
TV behaviour changes unexpectedly
Volume adjusting without input, apps opening by themselves, settings changing, unusual network activity lights on the router during times the TV should be idle.
Netflix, Amazon Prime, Disney+ profile changes, viewing history you did not create, purchases made through the TV store — all signals of account compromise either at TV level or at streaming-service level.
Camera or microphone indicators lighting unexpectedly
If your TV has a camera or microphone indicator, unexpected activation warrants investigation. Cover the camera with physical tape regardless; the microphone cannot be easily disabled physically on most models.
Router logs showing unusual outbound connections from the TV
Smart TVs make lots of outbound connections by design (streaming, ACR, updates); unusual patterns or connections to known-bad domains can be detected via router-level monitoring. This requires a router with decent logging capability.
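The router-level check described above, as an added example that is not part of the original page: a Python script that reviews DNS query logs for one device and reports blocklisted names, names outside a known-good baseline, and lookups made while the TV should be idle. It assumes the router runs dnsmasq with query logging; the TV address, baseline, blocklist and all log lines are constructed placeholders.

```python
import re
from collections import Counter

# Assumed format: dnsmasq "log-queries" lines, e.g.
# "Mar  3 20:41:10 dnsmasq[612]: query[A] name from 192.168.50.23"
LINE = re.compile(
    r"^\w{3}\s+\d+\s+(\d{2}):\d{2}:\d{2}\s+dnsmasq\[\d+\]:\s+"
    r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)$")

def suffix_match(name, domains):
    """True if name equals, or is a subdomain of, any entry in domains."""
    return any(name == d or name.endswith("." + d) for d in domains)

def review_tv_dns(lines, tv_ip, baseline, blocklist, idle_hours=range(1, 6)):
    """Summarise one device's lookups: blocklisted names, names outside the
    baseline, and how many lookups happened during idle hours (01:00-05:59)."""
    known_bad, unfamiliar, idle = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(3) != tv_ip:
            continue  # not a query line, or a different device
        hour, name = int(m.group(1)), m.group(2).lower().rstrip(".")
        if suffix_match(name, blocklist):
            known_bad[name] += 1
        elif not suffix_match(name, baseline):
            unfamiliar[name] += 1
        if hour in idle_hours:
            idle += 1
    return {"known_bad": dict(known_bad), "unfamiliar": dict(unfamiliar),
            "idle_lookups": idle}

# Constructed sample data, not taken from a real device.
SAMPLE_LOG = """\
Mar  3 20:41:10 dnsmasq[612]: query[A] cdn.stream.example from 192.168.50.23
Mar  3 20:41:12 dnsmasq[612]: query[AAAA] acr.tvvendor.example from 192.168.50.23
Mar  3 20:45:02 dnsmasq[612]: query[A] mail.example from 192.168.1.14
Mar  4 03:12:44 dnsmasq[612]: query[A] update.tvvendor.example from 192.168.50.23
Mar  4 03:12:51 dnsmasq[612]: query[A] cdn.badhost.test from 192.168.50.23
Mar  4 03:13:05 dnsmasq[612]: query[A] cdn.badhost.test from 192.168.50.23
Mar  4 03:13:30 dnsmasq[612]: query[A] api.unfamiliar.test from 192.168.50.23
""".splitlines()

BASELINE = {"stream.example", "tvvendor.example"}  # assumed: built from a known-good week
BLOCKLIST = {"badhost.test"}                       # assumed: from a feed you trust

if __name__ == "__main__":
    print(review_tv_dns(SAMPLE_LOG, "192.168.50.23", BASELINE, BLOCKLIST))
```

Unfamiliar names are leads to look up, not proof of compromise; a firmware or app update can legitimately add new domains to the baseline.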
What actually protects you
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
Put the TV on a segregated IoT Wi-Fi network
Use a separate guest or IoT network, isolated from your main Wi-Fi where laptops and phones live. This limits the blast radius of a TV compromise: the attacker cannot pivot to your main devices even with a foothold on the TV. It is the single most important protection for any smart TV.
Disable unused features and unnecessary permissions
Disable voice-assistant features you do not use, ACR data collection (buried in settings but usually disableable), Bluetooth and NFC if not used, remote control via network if not used. Turn off what you do not need; reduce attack surface proportionally.
Disable ACR (Automatic Content Recognition) data collection
Varies by brand — search "disable ACR [TV brand]" for specific instructions. Samsung: Smart Hub → Terms and Privacy → disable "Viewing Information Services". LG: About This TV → User Agreements → disable "Viewing Information". Roku: Settings → Privacy → Smart TV Experience. Does not impact TV functionality; eliminates ongoing data exfiltration.
Apply firmware updates promptly when available
Enable auto-update where possible. Check manually periodically if auto-update is unavailable. Replace TVs that have reached end-of-support; continuing to use them accumulates exposure.
Only install apps from the TV's official app store
Avoid sideloading Android TV apps from unknown sources. If your use case requires sideloading, accept that you are operating with reduced security and mitigate accordingly (network isolation, minimal use, no account login).
Use strong unique passwords on streaming-service accounts
Netflix, Amazon, Disney+, HBO: each needs a unique strong password via a password manager. Password reuse with other accounts means breach-based credential stuffing compromises your streaming accounts routinely.
Physical webcam cover if TV has a camera
Simple piece of tape, or physical camera covers designed for the purpose. Resolves webcam concerns regardless of software state.
Consider using a separate streaming device (Apple TV, Roku)
Apple TV and premium Roku devices have more focused, better-maintained software than built-in smart TV platforms. Using the TV as a "dumb" display with a separate streaming device often provides better security posture, especially for older TVs approaching end-of-support.
Factory-reset the TV if compromise suspected
Resolves app-level issues. Re-configure minimally after reset — only essential apps, with fresh passwords.
Frequently Asked Questions
Yes, in the ordinary sense — almost all smart TVs collect viewing data via ACR, and many combine this with other telemetry (app usage, network information, account information). This data is sold to advertisers and data brokers as part of the TV manufacturer's business model. You can often reduce this via settings (look for "ACR", "Viewing Information Services", or similar); you cannot eliminate it entirely without disconnecting the TV from internet. For most users, the realistic framing is accepting some data collection while limiting it via available controls.
Defensible for high-privacy users. You lose streaming-app functionality but can connect a separate streaming device (Apple TV, Roku) that you have more control over. Trade-off: loses smart-TV functionality that you paid for, gains meaningful privacy and security improvement. For users buying new: consider buying a "dumb" TV (becoming rare but still available in commercial display segments) plus a dedicated streaming device if this matters to you.
Samsung and LG are generally considered the most security-attentive among consumer brands — active firmware support, better app-store curation, more documented privacy controls. Sony (Android TV, uses Google's platform) is reasonable. Off-brand Android TV boxes from large marketplaces are frequently problematic — outdated firmware, preloaded malware in some documented cases, no security support. For security-conscious purchasers: avoid off-brand TVs; accept premium-brand trade-offs or use dumb TV plus dedicated streaming device.
For TVs with built-in cameras — yes, theoretically, and demonstrated in research contexts for older Samsung models. For microphones — easier, since most smart TVs have always-listening microphones for voice features. Practical mitigations: physical cover over any camera, disable voice features if not used, segregated network. The realistic probability of a targeted camera-hack against a typical consumer is low; the probability of microphone data being collected and analysed as part of normal TV operation is much higher.
Accumulating risk, yes. Disclosed vulnerabilities in the firmware never get patched. Options: (1) keep using with network isolation and minimal sensitive interaction, (2) disconnect from internet and use with separate streaming device, (3) replace the TV. The right choice depends on how you use it and your risk tolerance. Heavy streaming-app usage on an outdated TV is worse than mostly-HDMI-input use with occasional streaming.
Modern routers support Guest Network or IoT Network functionality, which creates a separate Wi-Fi SSID with restricted routing (it cannot reach other devices on the main network). Enable it and connect the TV to that network instead of the main Wi-Fi. Higher-end routers (Ubiquiti, Aruba, pfSense, OPNsense) support VLANs for finer control. Basic consumer routers with just guest-network capability achieve most of the security benefit with modest setup.
Roku platform is reasonably well-maintained, but Roku itself is also an advertising-driven business that collects viewing data extensively. Security-wise Roku is reasonable; privacy-wise Roku is comparable to or worse than some built-in TV platforms. Apple TV is generally considered the most privacy-respecting major streaming device — less advertising focus, more aligned with Apple's privacy-marketing positioning.
Yes, in principle, if both are on the same network and the TV is compromised. This is why network segregation matters: a TV on its own IoT network cannot reach your laptop even after the TV is compromised. On flat home networks without segregation, compromised smart TVs have been used as pivot points in documented cases. Segregation is a straightforward fix for this concern.
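One way to confirm that the segregated network actually isolates the TV, as an added example that is not part of the original page: run this Python check from a laptop or phone temporarily joined to the IoT or guest SSID and see whether your own main-network devices answer. The target addresses and ports are constructed placeholders for your own hosts.

```python
import socket

# Constructed placeholders: your own main-LAN hosts the IoT network must not reach.
MAIN_LAN_TARGETS = [("192.168.1.10", 445), ("192.168.1.10", 22),
                    ("192.168.1.20", 5000)]

def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP attempt as 'open', 'refused' or 'blocked'."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        # Something answered: either the host itself (traffic crossed between
        # networks) or a firewall set to reject instead of silently drop.
        return "refused"
    except OSError:
        # Timeout, "no route to host", "network unreachable": nothing got through.
        return "blocked"

def isolation_report(targets, **kw):
    """Isolation is confirmed only when every probe is 'blocked'. 'open' proves
    a routed path to the main network; 'refused' needs a closer look."""
    results = {t: probe(*t, **kw) for t in targets}
    leaks = sorted(t for t, r in results.items() if r != "blocked")
    return {"isolated": not leaks, "leaks": leaks, "results": results}

if __name__ == "__main__":
    report = isolation_report(MAIN_LAN_TARGETS)
    for target, state in report["results"].items():
        print(target, state)
    print("isolated" if report["isolated"] else "NOT isolated, review router settings")
```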