Millions of so-called smart TVs have security vulnerabilities that hackers could exploit.
That’s according to Consumer Reports, which released results on Wednesday of a security review of certain smart TVs, the name given to Internet-connected televisions. They included models sold by Samsung as well as Chinese-TV maker TCL that use a particular feature by the streaming media device company Roku.
Although hackers are unable to steal sensitive data like credit card numbers through the security holes, they could use it to manipulate people’s televisions and play offensive videos, install unwanted apps, or suddenly scroll through channels.
“The process was crude, like someone using a remote control with their eyes closed,” Consumer Reports said. “But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.”
The Consumer Reports study highlights the growing popularity of web-connected televisions that make it easy for people to watch streaming video services like Netflix on their TVs. But being connected online puts these televisions at risk of potential hacking if they have bugs that hackers can exploit.
In 2012, for example, security researchers showed that they could hack and gain control of certain Samsung Smart TVs, according to a report by tech news site Ars Technica.
Consumer Reports tested a TCL Smart TV that came installed with a version of Roku’s streaming media software that it said included a security bug. Other TV makers using Roku’s software include Hisense, Hitachi, Insignia, Philips, RCA, and Sharp, all of which could be affected in addition to some of Roku’s streaming media devices, the publication said.
Get Data Sheet, Fortune’s technology newsletter.
Roku’s streaming video software contains a so-called application programming interface, or API, that third-party developers can use to build their own smartphone apps that act like television remote controls. However, hackers could potentially exploit this API, which Consumer Reports said is “unsecured.”
To get hacked, people would have to be using their smartphones or personal computers on the same Wi-Fi network to which their Smart TVs are connected, and then visit a malicious website or download an app that contains software code that would let hackers take over, the report said.
Roku, however disputes Consumer Reports’ claims and said in a blog post that it presented a “mischaracterization of a feature.”
“There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” Roku said, adding that customers could turn off this particular remote control feature.
Asked about a similar bug found in Samsung Smart TVs that doesn’t use Roku’s software, a Samsung spokesperson told Consumer Reports that it’s investigating the problem and that it would release software update this year that would presumably fix other related errors.