An assortment of indigestible things

Selectively blocking Samsung TVs’ network access

This TV probably wasn’t spying on you.

You may have read in the recent Wikileaks exposé that the CIA developed the capability of making Samsung TVs spy on their unsuspecting users. While this hack requires physical access (a specially crafted USB stick must be plugged into the telly), it got me thinking about the network traffic generated by smart TVs. I’ve already blocked a few domains that my unit connects to, and this seems like a good time to share my work.

I run a local resolver in my house and I’ve previously written about using it, together with a response policy zone, to block Windows 10 computers’ attempts to connect to Microsoft’s telemetry servers. I’ve added these lines to the zone in an effort to stop my telly connecting to the more suspicious-sounding domains:

log-ingestion-eu.samsungacr.com          CNAME .
devicelog.samsungcloudsolution.net       CNAME .
prderrordumpssm.samsungcloudsolution.net CNAME .

I’m being selective because I still want to use the ‘smart’ features of the set—I still want to watch Netflix and YouTube on it, for example. There’s more work to be done, as can be seen from this list of domain lookup attempts by my TV over a period of five days. The Samsung ones are the most interesting; some are obviously needed for the normal function of the TV’s smart features, but others might be blockable without disturbing them. If you find any that I haven’t listed, or know anything more about them, please leave a comment!

  17688 log-ingestion-eu.samsungacr.com
   2291 pool.ntp.org
   2285 www.worldtime.com
   2283 wwp.greenwichmeantime.com
   1271 time.samsungcloudsolution.com
    794 ns11.whois.co.kr
    726 api-global.netflix.com
    293 Coordinator-TA30-PROD-1091987395.eu-west-1.elb.amazonaws.com
    247 secure.netflix.com
    226 acr0.samsungcloudsolution.com
    220 upu.samsungelectronics.com
    203 appboot.netflix.com
    185 nrdp.nccp.netflix.com
    180 dpu.samsungelectronics.com
    177 d1oxlq5h9kq8q5.cloudfront.net
    161 lcprd2.samsungcloudsolution.net
    139 osb-apps.samsungqbe.com
    139 kpu.samsungelectronics.com
    121 ichnaea.netflix.com
    112 art-1.nflximg.net
     97 art-0.nflximg.net
     86 art-2.nflximg.net
     67 cdn.samsungcloudsolution.com
     63 www.samsungotn.net
     59 noticecdn.samsungcloudsolution.com
     57 googleads.g.doubleclick.net
     53 www.samsungrm.net
     46 ads.samsungads.com
     43 notice.samsungcloudsolution.com
     42 lcprd1.samsungcloudsolution.net
     30 osb.samsungqbe.com
     29 d38cmiae9b0e22.cloudfront.net
     28 www.google.com
     24 go.microsoft.com
     22 multiscreen.samsung.com
     22 config.samsungads.com
     21 otn.samsungcloudcdn.com
     21 cdn-0.nflximg.com
     16 secureclock.playready.microsoft.com
     14 oempprd.samsungcloudsolution.com
     14 ipv6.connman.net
     12 configprd.samsungcloudsolution.net
     11 log-config.samsungacr.com
     11 d3mjsomixevyw7.cloudfront.net
      8 youtubei.youtube.com
      8 www.youtube-nocookie.com
      8 www.youtube.com
      8 www.yahoo.com
      8 www.google-analytics.com
      8 tv.scdn.co
      8 i.ytimg.com
      8 ipv4.connman.net
      8 gpm.samsungqbe.com
      7 otnprd8.samsungcloudsolution.net
      7 otnprd11.samsungcloudsolution.net
      6 sas.samsungcloudsolution.com

5 Comments

  1. Undertheradar

    Ran across this because I got to looking at my chatty Samsung TV. WOW! Talk about spying on us!!! The TV keeps sending stuff to “log-ingestion”. Also I noticed that apps NOT BEING USED are checking in frequently (such as to Amazon…really??? I can only think profiling what I watch to figure out what I might want to buy)

    These marketing folks are becoming more invasive every day. What I do and what I watch is MY BUSINESS!

    I’m setting up selective blocking as well.

    Thanks for your list. Here is part of mine when I’m watching Pluto (DNS lookups removed to reduce noise):

    2 6 21:49:49 Samsung TV (172.2.1.105) 34.225.153.50 (log-ingestion.samsungacr.com) HTTPS 3.23 KB / 6.13 KB close
    4 6 21:49:41 Samsung TV (172.2.1.105) 34.204.239.34 (log-ingestion.samsungacr.com) HTTPS 2.14 KB / 5.97 KB close
    5 6 21:48:49 Samsung TV (172.2.1.105) 52.44.210.24 (log-ingestion.samsungacr.com) HTTPS 3.23 KB / 6.13 KB close
    8 6 21:48:31 Samsung TV (172.2.1.105) 34.205.103.15 (t.pluto.tv) HTTPS 645 B / 496 B close
    9 6 21:48:16 Samsung TV (172.2.1.105) 34.205.103.15 (t.pluto.tv) HTTPS 928 B / 5.55 KB close
    12 6 21:47:49 Samsung TV (172.2.1.105) 34.197.38.22 (log-ingestion.samsungacr.com) HTTPS 3.27 KB / 6.18 KB close
    15 6 21:47:28 Samsung TV (172.2.1.105) 13.33.252.62 (silo.pluto.tv) HTTPS 645.98 KB / 29.10 MB close
    16 6 21:47:06 Samsung TV (172.2.1.105) 35.169.131.5 (stitcher.pluto.tv) HTTPS 652 B / 496 B close
    17 6 21:47:06 Samsung TV (172.2.1.105) 35.169.131.5 (stitcher.pluto.tv) HTTPS 935 B / 5.55 KB close
    20 6 21:46:49 Samsung TV (172.2.1.105) 52.45.232.13 (log-ingestion.samsungacr.com) HTTPS 3.85 KB / 7.49 KB close
    22 6 21:45:52 Samsung TV (172.2.1.105) 54.85.74.14 (log-ingestion.samsungacr.com) HTTPS 3.27 KB / 6.18 KB close
    24 6 21:45:31 Samsung TV (172.2.1.105) 34.197.56.101 (t.pluto.tv) HTTPS 928 B / 5.55 KB close
    29 6 21:44:48 Samsung TV (172.2.1.105) 52.22.134.185 (log-ingestion.samsungacr.com) HTTPS 3.32 KB / 6.25 KB close
    31 6 21:44:40 Samsung TV (172.2.1.105) 52.22.220.25 (log-ingestion.samsungacr.com) HTTPS 2.10 KB / 5.97 KB close
    35 6 21:44:09 Samsung TV (172.2.1.105) 52.50.124.229 (lcprd1.samsungcloudsolution.net) HTTPS 2.70 KB / 2.57 KB close
    40 3 21:43:51 Samsung TV (172.2.1.105) 172.217.12.14 (smartlock.google.com) HTTPS 2.08 KB / 1.57 KB close
    41 6 21:43:48 Samsung TV (172.2.1.105) 34.194.142.54 (log-ingestion.samsungacr.com) HTTPS 3.92 KB / 7.42 KB close
    43 6 21:43:20 Samsung TV (172.2.1.105) 34.205.103.15 (t.pluto.tv) HTTPS 1.97 KB / 5.97 KB close
    44 6 21:43:17 Samsung TV (172.2.1.105) 52.3.161.174 (k.pluto.tv) HTTPS 1.91 KB / 5.97 KB close
    48 6 21:42:48 Samsung TV (172.2.1.105) 34.230.166.162 (log-ingestion.samsungacr.com) HTTPS 3.92 KB / 6.43 KB close

  2. Since Samsung’s Smart TVs started to show ads and automatically install the even more hated McAfee, I decided to accept the fight. The standard router I use at home is not very useful; however, it allows me to add DNS entries and guide those requests to a non-existent address.

    The firewall at my work, however, is very good at showing which traffic the Samsung TV generates, and indeed: that’s a lot. The set of DNS rules does help, but it also seems to connect to a bunch of IP addresses directly using TCP port 5223. So I blocked that too.

    The best way is probably to disconnect the TV from the internet and use another solution for the apps. Another workaround may be to block all traffic, and start allowing specific traffic.

  3. 0949er

    5/14/2020

    Found this website while searching what ‘samsungcloudsolution.net’ was. I was having issues on my smart TV playing Hulu and this was one of the DNS lookups that was blocking HULU from video playback. I also notice all the items mentioned above (as far as chatty smart TV). It’s interesting how much data these devices are sending while on (and what data): time on, time off, what was watched, for how long, at what volume, etc.

    Good luck guys, stay safe

  4. Pedro

    Thankfully I have a machine always running, serving network shares, now running my DHCP server and a DNS server (PiHole). These rules will help shut up my chatty TV, thx.

  5. Craig Whitley

    In addition to all the UNAUTHORIZED traffic from my Samsung TV there is one which absolutely floods my logs and makes NO sense as I have assigned a STATIC IP address to the TV yet I am getting non-stop DHCP requests attempting to use “localhost” which is beyond stupid.

    dhcp[1729]: not giving name localhost to the DHCP lease of 192.168.1.24 because the name exists in /etc/hosts with address 127.0.0.1
