On Thu, 11 May 2023 11:37:17 +0100 Laurie Brown laurie@brownowl.com allegedly wrote:
On 11/05/2023 11:22, Peter wrote:
I just got a smart TV (android based), and going through the install process discovered that if you connect it to Internet it transmits a truly astonishing amount of data to a company based in Ireland, which is in turn a subsidiary of another company in Turkey. Neither of which I have previously heard of. I didn't particularly want the smarts, but there don't seem to be any dumb ones available any more, and our old one had expired in its sleep so we had to get something.
Hi Peter,
You have a number of options here. Of course!
Agreed. (FWIW I have a Samsung TV and Blu-ray device. I got so fed up with the damned things broadcasting everything I do to unknown "cloud" based systems that I simply blocked them completely at my outer firewall. Of course I no longer get software updates, but since Samsung chose unilaterally some time ago to stop giving me updates to apps that I actually wanted (such as jellyfin) I consider that no loss).
Depending on how clever your router is, you should be able to assign a static IP address to your TV via its MAC address, and then use the in-built firewall to stop egress by port number. It probably needs some egress in order to function, so you'll need to use something like Wireshark to trace and test closing ports.
I use dnsmasq running on pi(s) to serve DHCP addresses to my networks. The outer network pi assigns static addresses to a variety of devices according to the MAC address table in /etc/ethers. I also use dnsmasq's "additional hosts" file capability to sinkhole a vast range of unwanted addresses to local loopback. I have both my own list and a wonderful list from Dan Pollock at https://someonewhocares.org/hosts/
Unfortunately, I find that stopping egress by port number is not helped by the fact that my Samsung (and a shit load of other "smart" devices) tend to default to using https to port 443. (Which is one reason I just turned off networking completely on the TV and Blu-ray).
If not, any device (RPi, NUC, fanless mini-PC, etc.) with 2 NICs capable of running Linux and iptables will do the same thing, probably more efficiently. You could easily put the TV and one NIC in their own LAN, then connect the other NIC to your existing LAN and finely control the traffic in and out. Resources required are few, it can be done with minimal CPU, memory and storage.
If you want a wrapper around it all, then have a look at pfSense, although for this scenario, I'd suggest the learning curve isn't worth the effort as iptables is easy to use.
Or you could run ipfire on a small form factor device and have the blue (wifi) network set specifically for your new android wunderbox. I have my (Chinese) PVA inverter connected to the outside world through an ipfire firewall to isolate it from my other networks. Eventually, when I can figure out a way of collecting the data I want from that device locally (rather than from the bloody Chinese cloud) I will turn that access off completely too.
(Incidentally, because I actually use my TV to watch Netflix and other streaming services as well as my own internal media server running jellyfin, I of course needed network connectivity. Ironically I found that using an Amazon Fire Stick plugged into a spare HDMI port on the TV much more controllable. Of course Amazon now has intelligence about our watching habits, but since that stick is linked to my wife's Amazon account - and my wife really, really doesn't care what Amazon knows (sigh) I live with that.)
Good luck
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------
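The procedure Laurie and Mick describe above (trace what the TV talks to, pin it to a fixed address by MAC, then allow only what it needs out of its own LAN) as an added shell example; this is not code from the thread. All values are constructed: TV MAC 02:00:00:aa:bb:cc, TV address 192.168.10.50, a hypothetical jellyfin host at 192.168.1.20, and a hand-written flow log in a "src dst proto dport" shape rather than real Wireshark output.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses and the flow log are constructed.
TV_MAC="02:00:00:aa:bb:cc"
TV_IP="192.168.10.50"
MEDIA_SERVER="192.168.1.20"   # hypothetical jellyfin host on the inner LAN

# Constructed capture of what the TV talked to during setup (src dst proto dport).
FLOWS='192.168.10.50 192.168.1.20 tcp 8096
192.168.10.50 192.168.1.20 tcp 8096
192.168.10.50 203.0.113.10 tcp 443
192.168.10.50 203.0.113.10 tcp 443
192.168.10.50 203.0.113.10 tcp 443
192.168.10.50 198.51.100.7 udp 123
192.168.10.50 192.168.10.1 udp 53'

# Step 1 (the "trace with Wireshark" step): count flows per destination/port so
# you see what the TV actually uses before closing anything. Busiest first.
summarise_flows() {
    printf '%s\n' "$FLOWS" | awk -v tv="$TV_IP" '
        $1 == tv { n[$2 " " $3 " " $4]++ }
        END { for (k in n) print k, n[k] }' | sort -k4,4nr -k1,1
}

# Step 2: the /etc/ethers line dnsmasq reads (read-ethers) to give the TV a fixed address.
ethers_entry() { printf '%s %s\n' "$TV_MAC" "$TV_IP"; }

# Step 3: iptables FORWARD rules for the two-NIC box with the TV on its own LAN.
# Only the media server is reachable; everything else (443 included, which port
# blocking alone cannot tell apart from wanted https) is logged and dropped.
# DHCP/DNS to the box itself go through INPUT, not FORWARD, so are not listed here.
egress_rules() {
    cat <<EOF
iptables -A FORWARD -d $TV_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $TV_IP -d $MEDIA_SERVER -p tcp --dport 8096 -j ACCEPT
iptables -A FORWARD -s $TV_IP -j LOG --log-prefix "tv-egress-drop: "
iptables -A FORWARD -s $TV_IP -j DROP
EOF
}

# Step 4: after the rules are live, pipe kernel log lines in to list which
# destination/port pairs the TV keeps trying (and so whether it still works).
dropped_destinations() {
    grep 'tv-egress-drop: ' | sed -n 's/.*DST=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' | sort -u
}
```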