Your Independent TV Streamer Guide

Consumer Reports warns that your Roku can be hacked - should you worry?

February 12, 2018 - 20:01 -- RokuGuide

Millions of Roku TVs and streaming devices are vulnerable to hackers, according to a recent Consumer Reports article. But Gary Ellison, Vice President of Trust Engineering at Roku, Inc., disputes that assessment and calls it "a mischaracterization of a feature." So, what - if anything - should you do to keep hackers out of your Roku?

Consumer Reports led an evaluation of the privacy and security offered by smart TVs, including TVs that operate on the Roku platform. As a result of that evaluation, Consumer Reports claims that "a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be unsettling to someone who didn't understand what was happening." CR said that "the problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra."

Roku, Inc. doesn't dispute that someone can take control of your Roku, but says that this is intentional functionality that allows the use of 3rd-party remote control apps. Ellison wrote in a blog post last week that "This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers' accounts or the Roku platform with the use of this API." For its part, Consumer Reports admitted in its article that a hacker would not be able to spy on the Roku user or steal any information.

So, is this something to be concerned about? Should you stop using your Roku? In my opinion, no. According to Consumer Reports, for your Roku to become compromised "a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

That means that the Roku itself isn't really compromised - your laptop or mobile device would have to be compromised, and that device, running on the same WiFi network as your Roku, would be sending commands to your Roku. The likelihood of this happening is small. As one commenter posted on Roku's blog, "this is like calling a network attached printer a security risk... Somebody could hack in to your wifi and start wasting all your ink!" (Don't laugh; a hacker recently claimed to have hacked into over 150,000 printers left exposed online.) And if the worst happens and you do download malware onto your tablet and that malware starts randomly pushing Roku buttons (figuratively speaking, of course), the impact would be minimal. Nobody can steal your account information or personal data and, as Consumer Reports put it, the effect would be "like someone using a remote control with their eyes closed."

That being said, some say that Roku has erred in providing an open API, and should require users to give permission before a specific app can control their Roku. Fortunately, if you worry that someone will switch your Roku to Stonerr 420 Weed TV while your youngsters are watching Curious George on PBS KIDS, there is something you can do. From your Roku's home screen menu, go to Settings > System > Advanced System Settings > External Control > Disable to prevent 3rd-party control of your Roku.

Unfortunately, disabling external control will prevent you from using a remote control app with your Roku, including Roku's own app. If you only use a physical remote, you won't have any problems. If you use a mobile app, then you'll just have to be diligent about not letting your mobile device or laptop become infected with malware - which you should be doing anyway.
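One way to confirm from another computer on the same network that the External Control setting took effect, as an added example that is not from the original article or from Roku. It assumes the open interface is Roku's External Control Protocol on TCP port 8060 with its read-only `/query/device-info` query (details from Roku's published developer documentation, not from this page), and that a device with the setting disabled either rejects the request or does not answer.

```python
"""Added example: does a Roku still answer on its network control interface?"""
import http.client
import sys
import urllib.error
import urllib.request

ECP_PORT = 8060                    # assumption: port from Roku's published ECP docs
PROBE_PATH = "/query/device-info"  # assumption: read-only query, sends no key presses

# Talk to the LAN device directly, ignoring any proxy configured in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def external_control_status(host, port=ECP_PORT, timeout=3.0):
    """Classify the device at host as 'open', 'refused', 'no-response' or 'unknown'."""
    url = f"http://{host}:{port}{PROBE_PATH}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(65536)
    except urllib.error.HTTPError:
        # The service answered but rejected the query (for example with 403).
        return "refused"
    except (OSError, http.client.HTTPException):
        # Connection refused, timeout, unreachable host or a malformed reply.
        return "no-response"
    # A device that accepts third-party control describes itself in XML.
    return "open" if b"<device-info" in body else "unknown"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_roku.py <roku-ip-address>")
    status = external_control_status(sys.argv[1])
    print(f"{sys.argv[1]}: external control is {status}")
    # Non-zero exit when apps on the network can still drive the device.
    sys.exit(1 if status == "open" else 0)
```

A result of `open` after changing the setting means apps on the network can still send commands; `refused` or `no-response` is what you want to see if you only use the physical remote.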