Malware in Appliances


Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.

This typically takes the form of malicious functionalities.


If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.

Don't trust “connected” appliances

Most of the devices listed here are “connected”—they try to talk over the internet with someone (typically a company) other than the nominal owner. Such an appliance is inherently untrustworthy: no matter what company it is, you should never trust it that far.

The appliances we are dealing with contain software, almost always nonfree software. It is reasonable to treat this software as equivalent to a bunch of circuits, provided it is never changed (not even if the change is called an “upgrade”).

In a connected appliance, it is hard to ensure that software won't be changed. Typically a connected appliance will have a universal back door—a feature that allows the company to remotely replace the software in it, over the internet. Some appliances might be exceptions, but we can never verify that a given appliance is an exception. Thus, we can never be sure that software in it won't be changed.

In practice, these “upgrades” can amount to sabotage. Let's assume, for instance, that your printer accepts third-party ink cartridges. You have no guarantee that, some day, the manufacturer will not install malicious code to reject them. With a connected device, you must expect this.

The manufacturer may try to justify these “upgrades” in the name of “security.” You can respond by asking: “Whose security? Security for me, or for the manufacturer against me?” If the manufacturer writes the software, in practice it implements security for itself against the customers.

Even without changing the code in the device, the company can use the “connection” to do nasty things to you—for instance, snoop on you, your family and your guests, or make it stop running at all.

The reliable way to prevent abuse of this sort is to block the appliance from communicating by internet with anything other than your own computer. (You can make your own computer more secure by running exclusively free software in it.)

In an ideal world, appliances would contain 100% free software, so our community could correct any problems the software might have. The free software would obey us, not companies. That software would not let anyone change it without entering passwords that the owners chose.

Examples of malware in appliances

  • 2023-11

    In Australia, people assume that “smart” means “tethered.” When people's ISP goes down, all the tethered devices become useless.

    That's in addition to the nasty things tethered devices do when they are “functioning” normally—such as snoop on the commands sent to the device and the results they report.

    Smart users know better than to accept tethered devices.

  • 2023-11

    Chamberlain Group blocks users from using third-party software with its garage openers. This is an intentional attack on using free software. The official garage opener proprietary mobile app is now also infested with ads, including up-selling its other services and devices.

  • 2023-09

    Philips Hue, the most ubiquitous home automation product in the US, is planning to soon force users to log in to the app server in order to be able to adjust a lightbulb, or use other functionalities, in what amounts to a massive user-tracking data grab.

  • 2023-09

    Google Nest snooper/surveillance cameras are always tethered to Google servers, record videos 24/7, and are subscription-based, which is an injustice to people who use them. The article discusses the rise in prices for “plans” you can buy from Google, which include storing videos in the “cloud”—another word for someone else's computer.

  • 2023-08

    Some Bambu Lab 3D printers were reported to start printing without user's consent, as a result of a malfunction of the servers to which they were tethered. This caused significant damage.

  • 2023-07

    Driverless cars in San Francisco collect videos constantly, using cameras inside and outside, and governments have already collected those videos secretly.

    As the Surveillance Technology Oversight Project says, they are “driving us straight into authoritarianism.” We must regulate all cameras that collect images that can be used to track people, to make sure they are not used for that.

  • 2023-05

    HP delivers printers with a universal back door, and recently used it to sabotage them by remotely installing malware. The malware makes the printer refuse to function with non-HP ink cartrides, and even with old HP cartridges which HP now declares to have “expired.” HP calls the back door “dynamic security,” and has the gall to claim that this “security” protects users from malware.

    If you own an HP printer that can still use non-HP cartridges, we urge you to disconnect it from the internet. This will ensure that HP doesn't sabotage it by “updating” its software.

    Note how the author of the Guardian article credulously repeats HP's assertion that the “dynamic security” feature protects users against malware, not recognizing that the article demonstrates it does the opposite.

  • 2023-05

    Controlling Honeywell internet thermostats with the dedicated app has proven unreliable, due to recurrent connection issues with the server these thermostats are tethered to.

  • 2022-09

    B-CAS [1] is the digital restrictions management (DRM) system used by Japanese TV broadcasters, including NHK (public-service TV). It is sold by the B-CAS company, which has a de-facto monopoly on it. Initially intended for pay-TV, its use was extended to digital free-to-air broadcasting as a means to enforce restrictions on copyrighted works. The system encrypts works that permit free redistribution just like other works, thus denying users their nominal rights.

    On the client side, B-CAS is typically implemented by a card that plugs into a compatible receiver, or alternatively by a tuner card that plugs into a computer. Beside implementing drastic copying and viewing restrictions, this system gives broadcasters full power over users, through back doors among other means. For example:

    • It can force messages to the user's TV screen, and the user can't turn them off.
    • It can collect viewing information and send it to other companies to take surveys. Until 2011, user registration was required, so the viewing habits of each customer were recorded. We don't know whether this personal information was deleted from the company's servers after 2011.
    • Each card has an ID, which enables broadcasters to force customer-specific updates via the back door normally used to update the decryption key. Thus pay-TV broadcasters can disable decryption of the broadcast wave if subscription fees are not paid on time. This feature could also be used by any broadcaster (possibly instructed by the government) to stop certain persons from watching TV.
    • As the export of B-CAS cards is illegal, people outside Japan can't (officially) decrypt the satellite broadcast signal that may spill over to their location. They are thus deprived of a valuable source of information about what happens in Japan.

    These unacceptable restrictions led to a sort of cat-and-mouse game, with some users doing their best to bypass the system, and broadcasters trying to stop them without much success: cryptographic keys were retrieved through the back door of the B-CAS card, illegal cards were made and sold on the black market, as well as a tuner for PC that disables the copy control signal.

    While B-CAS cards are still in use with older equipment, modern high definition TVs have an even nastier version of this DRM (called ACAS) in a special chip that is built into the receiver. The chip can update its own software from the company's servers, even when the receiver is turned off (but still plugged into an outlet). This feature could be abused to disable stored TV programs that the power in place doesn't agree with, thus interfering with free speech.

    Being part of the receiver, the ACAS chip is supposed to be tamper-resistant. Time will tell…

    [1] We thank the free software supporter who translated this article from Japanese, and shared his experience of B-CAS with us. (Unfortunately, the article presents DRM as a good thing.)

  • 2022-08

    Some Epson printers are programmed to stop working after they have printed a predetermined number of pages, on the pretext that ink pads become saturated with ink. This constitutes an unacceptable infringement on users' freedom to use their printers as they wish, and on their right to repair them.

  • 2022-04

    Today's “smart” TVs push people to surrender to tracking via internet. Some won't work unless they have a chance to download nonfree software. And they are designed for programmed obsolescence.

  • 2022-02

    Hewlett-Packard is implementing DRM in its printers so they refuse to print with ink cartridges from another supplier.

  • 2022-02

    Dymo is now embedding DRM in the paper rolls for its label printers to make those printers reject equivalent paper rolls made by other companies. This is implemented by an RFID tag, which keeps track of how many labels remain on the roll, and blocks further printing when the roll is empty—an efficient way to prevent reusing the same RFID with a third-party roll.

  • 2022-01

    “Smart” TV manufacturers spy on people using various methods, and harvest their data. They are collecting audio, video, and TV usage data to profile people.

  • 2021-11

    NordicTrack, a company that sells exercise machines with ability to show videos limits what people can watch, and recently disabled a feature that was originally functional. This happened through automatic update and probably involved a universal back door.

  • 2021-08

    Recent Samsung TVs have a back door with which Samsung can brick them remotely.

  • 2021-01

    Most Internet connected devices in Mozilla's “Privacy Not Included” list are designed to snoop on users even if they meet Mozilla's “Minimum Security Standards.” Insecure design of the program running on some of these devices makes the user susceptible to be snooped on and exploited by crackers as well.

  • 2020-11

    Some Wavelink and JetStream wifi routers have universal back doors that enable unauthenticated users to remotely control not only the routers, but also any devices connected to the network. There is evidence that this vulnerability is actively exploited.

    If you consider buying a router, we encourage you to get one that runs on free software. Any attempts at introducing malicious functionalities in it (e.g., through a firmware update) will be detected by the community, and soon corrected.

    If unfortunately you own a router that runs on proprietary software, don't panic! You may be able to replace its firmware with a free operating system such as libreCMC. If you don't know how, you can get help from a nearby GNU/Linux user group.

  • 2020-07

    The Focals eyeglass display, with snooping microphone, has been eliminated. Google eliminated it by buying the manufacturer and shutting it down. It also shut down the server these devices depend on, which caused the ones already sold to cease to function.

    It may be a good thing to wipe out this product—for “smart,” read “snoop”—but Google didn't do that for the sake of privacy. Rather, it was eliminating competition for its own snooping product.

  • 2020-07

    The Mellow sous-vide cooker is tethered to a server. The company suddenly turned this tethering into a subscription, forbidding users from taking advantage of the “advanced features” of the cooker unless they pay a monthly fee.

  • 2020-06

    TV manufacturers are able to snoop every second of what the user is watching. This is illegal due to the Video Privacy Protection Act of 1988, but they're circumventing it through EULAs.

  • 2020-06

    A disasterous security bug touches millions of products in the Internet of Stings.

    As a result, anyone can sting the user, not only the manufacturer.

  • 2020-05

    Wink sells a “smart” home hub that is tethered to a server. In May 2020, it ordered the purchasers to start paying a monthly fee for the use of that server. Because of the tethering, the hub is useless without that.

  • 2020-01

    The Amazon Ring app does surveillance for other companies as well as for Amazon.

  • 2019-12

    As tech companies add microphones to a wide range of products, including refrigerators and motor vehicles, they also set up transcription farms where human employees listen to what people say and tweak the recognition algorithms.

  • 2019-11

    Internet-tethered Amazon Ring had a security vulnerability that enabled attackers to access the user's wifi password, and snoop on the household through connected surveillance devices.

    Knowledge of the wifi password would not be sufficient to carry out any significant surveillance if the devices implemented proper security, including encryption. But many devices with proprietary software lack this. Of course, they are also used by their manufacturers for snooping.

  • 2019-09

    Best Buy made controllable appliances and shut down the service to control them through.

    Best Buy acknowledged that it was mistreating its customers by doing so, and offered reimbursement of the affected appliances. The fact remains, however, that tethering a device to a server is a way of restricting and harassing users. The nonfree software in the device is what stops users from cutting the tether.

  • 2019-04

    The Jibo robot toys were tethered to the manufacturer's server, and the company made them all cease to work by shutting down that server.

    The shutdown might ironically be good for their users, since the product was designed to manipulate people by presenting a phony semblance of emotions, and was most certainly spying on them.

  • 2019-03

    The British supermarket Tesco sold tablets which were tethered to Tesco's server for reinstalling default settings. Tesco turned off the server for old models, so now if you try to reinstall the default settings, it bricks them instead.

  • 2019-03

    The Medtronics Conexus Telemetry Protocol has two vulnerabilities that affect several models of implantable defibrillators and the devices they connect to.

    This protocol has been around since 2006, and similar vulnerabilities were discovered in an earlier Medtronics communication protocol in 2008. Apparently, nothing was done by the company to correct them. This means you can't rely on proprietary software developers to fix bugs in their products.

  • 2019-02

    The Ring doorbell camera is designed so that the manufacturer (now Amazon) can watch all the time. Now it turns out that anyone else can also watch, and fake videos too.

    The third party vulnerability is presumably unintentional and Amazon will probably fix it. However, we do not expect Amazon to change the design that allows Amazon to watch.

  • 2019-02

    The HP “ink subscription” cartridges have DRM that constantly communicates with HP servers to make sure the user is still paying for the subscription, and hasn't printed more pages than were paid for.

    Even though the ink subscription program may be cheaper in some specific cases, it spies on users, and involves totally unacceptable restrictions in the use of ink cartridges that would otherwise be in working order.

  • 2019-01

    Amazon Ring “security” devices send the video they capture to Amazon servers, which save it long-term.

    In many cases, the video shows everyone that comes near, or merely passes by, the user's front door.

    The article focuses on how Ring used to let individual employees look at the videos freely. It appears Amazon has tried to prevent that secondary abuse, but the primary abuse—that Amazon gets the video—Amazon expects society to surrender to.

  • 2019-01

    Vizio TVs collect “whatever the TV sees,” in the own words of the company's CTO, and this data is sold to third parties. This is in return for “better service” (meaning more intrusive ads?) and slightly lower retail prices.

    What is supposed to make this spying acceptable, according to him, is that it is opt-in in newer models. But since the Vizio software is nonfree, we don't know what is actually happening behind the scenes, and there is no guarantee that all future updates will leave the settings unchanged.

    If you already own a Vizio “smart” TV (or any “smart” TV, for that matter), the easiest way to make sure it isn't spying on you is to disconnect it from the Internet, and use a terrestrial antenna instead. Unfortunately, this is not always possible. Another option, if you are technically oriented, is to get your own router (which can be an old computer running completely free software), and set up a firewall to block connections to Vizio's servers. Or, as a last resort, you can replace your TV with another model.

  • 2018-10

    Nearly all “home security cameras” give the manufacturer an unencrypted copy of everything they see. “Home insecurity camera” would be a better name!

    When Consumer Reports tested them, it suggested that these manufacturers promise not to look at what's in the videos. That's not security for your home. Security means making sure they don't get to see through your camera.

  • 2018-10

    Printer manufacturers are very innovative—at blocking the use of independent replacement ink cartridges. Their “security upgrades” occasionally impose new forms of cartridge DRM. HP and Epson have done this.

  • 2018-09

    Honeywell's “smart” thermostats communicate only through the company's server. They have all the nasty characteristics of such devices: surveillance, and danger of sabotage (of a specific user, or of all users at once), as well as the risk of an outage (which is what just happened).

    In addition, setting the desired temperature requires running nonfree software. With an old-fashioned thermostat, you can do it using controls right on the thermostat.

  • 2018-09

    Researchers have discovered how to hide voice commands in other audio, so that people cannot hear them, but Alexa and Siri can.

  • 2018-07

    The Jawbone fitness tracker was tethered to a proprietary phone app. In 2017, the company shut down and made the app stop working. All the existing trackers stopped working forever.

    The article focuses on a further nasty fillip, that sales of the broken devices continued. But we think that is a secondary issue; it made the nasty consequences extend to some additional people. The fundamental wrong was to design the devices to depend on something else that didn't respect users' freedom.

  • 2018-04

    A medical insurance company offers a gratis electronic toothbrush that snoops on its user by sending usage data back over the Internet.

  • 2018-04

    Some “Smart” TVs automatically load downgrades that install a surveillance app.

    We link to the article for the facts it presents. It is too bad that the article finishes by advocating the moral weakness of surrendering to Netflix. The Netflix app is malware too.

  • 2018-02

    Apple devices lock users in solely to Apple services by being designed to be incompatible with all other options, ethical or unethical.

  • 2017-12

    One of the dangers of the “internet of stings” is that, if you lose your internet service, you also lose control of your house and appliances.

    For your safety, don't use any appliance with a connection to the real internet.

  • 2017-11

    Amazon recently invited consumers to be suckers and allow delivery staff to open their front doors. Wouldn't you know it, the system has a grave security flaw.

  • 2017-11

    A remote-control sex toy was found to make audio recordings of the conversation between two users.

  • 2017-11

    Logitech will sabotage all Harmony Link household control devices by turning off the server through which the products' supposed owners communicate with them.

    The owners suspect this is to pressure them to buy a newer model. If they are wise, they will learn, rather, to distrust any product that requires users to talk with them through some specialized service.

  • 2017-11

    Sony has brought back its robotic pet Aibo, this time with a universal back door, and tethered to a server that requires a subscription.

  • 2017-10

    The Canary home surveillance camera has been sabotaged by its manufacturer, turning off many features unless the user starts paying for a subscription.

    With manufacturers like these, who needs security breakers?

    The purchasers should learn the larger lesson and reject connected appliances with embedded proprietary software. Every such product is a temptation to commit sabotage.

  • 2017-10

    Every “home security” camera, if its manufacturer can communicate with it, is a surveillance device. Canary camera is an example.

    The article describes wrongdoing by the manufacturer, based on the fact that the device is tethered to a server.

    More about proprietary tethering.

    But it also demonstrates that the device gives the company surveillance capability.

  • 2017-09

    A “smart” intravenous pump designed for hospitals is connected to the internet. Naturally its security has been cracked.

    (Note that this article misuses the term “hackers” referring to crackers.)

  • 2017-08

    The bad security in many Internet of Stings devices allows ISPs to snoop on the people that use them.

    Don't be a sucker—reject all the stings.

    (It is unfortunate that the article uses the term “monetize”.)

  • 2017-08

    Sonos told all its customers, “Agree” to snooping or the product will stop working. Another article says they won't forcibly change the software, but people won't be able to get any upgrades and eventually it will stop working.

  • 2017-08

    While you're using a DJI drone to snoop on other people, DJI is in many cases snooping on you.

  • 2017-06

    Many models of Internet-connected cameras are tremendously insecure. They have login accounts with hard-coded passwords, which can't be changed, and there is no way to delete these accounts either.

  • 2017-05

    The proprietary code that runs pacemakers, insulin pumps, and other medical devices is full of gross security faults.

  • 2017-05

    Bird and rabbit pets were implemented for Second Life by a company that tethered their food to a server. It shut down the server and the pets more or less died.

  • 2017-04

    Users are suing Bose for distributing a spyware app for its headphones. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.

    The suit accuses that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out illegal to design the app to snoop at all.

  • 2017-04

    Anova sabotaged users' cooking devices with a downgrade that tethered them to a remote server. Unless users create an account on Anova's servers, their cookers won't function.

  • 2017-03

    When Miele's Internet of Stings hospital disinfectant dishwasher is connected to the Internet, its security is crap.

    For example, a cracker can gain access to the dishwasher's filesystem, infect it with malware, and force the dishwasher to launch attacks on other devices in the network. Since these dishwashers are used in hospitals, such attacks could potentially put hundreds of lives at risk.

  • 2017-03

    A computerized vibrator was snooping on its users through the proprietary control app.

    The app was reporting the temperature of the vibrator minute by minute (thus, indirectly, whether it was surrounded by a person's body), as well as the vibration frequency.

    Note the totally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users could have checked and changed.

    The company that made the vibrator was sued for collecting lots of personal information about how people used it.

    The company's statement that it was anonymizing the data may be true, but it doesn't really matter. If it had sold the data to a data broker, the data broker would have been able to figure out who the user was.

    Following this lawsuit, the company has been ordered to pay a total of C$4m to its customers.

  • 2017-03

    The CIA exploited existing vulnerabilities in “smart” TVs and phones to design a malware that spies through their microphones and cameras while making them appear to be turned off. Since the spyware sniffs signals, it bypasses encryption.

  • 2017-02

    “CloudPets” toys with microphones leak childrens' conversations to the manufacturer. Guess what? Crackers found a way to access the data collected by the manufacturer's snooping.

    That the manufacturer and the FBI could listen to these conversations was unacceptable by itself.

  • 2017-02

    If you buy a used “smart” car, house, TV, refrigerator, etc., usually the previous owners can still remotely control it.

  • 2017-02

    Vizio “smart” TVs report everything that is viewed on them, and not just broadcasts and cable. Even if the image is coming from the user's own computer, the TV reports what it is. The existence of a way to disable the surveillance, even if it were not hidden as it was in these TVs, does not legitimize the surveillance.

  • 2017-01

    A cracker would be able to turn the Oculus Rift sensors into spy cameras after breaking into the computer they are connected to.

    (Unfortunately, the article improperly refers to crackers as “hackers”.)

  • 2016-12

    VR equipment, measuring every slight motion, creates the potential for the most intimate surveillance ever. All it takes to make this potential real is software as malicious as many other programs listed in this page.

    You can bet Facebook will implement the maximum possible surveillance on Oculus Rift devices. The moral is, never trust a VR system with nonfree software in it.

  • 2016-12

    The developer of Ham Radio Deluxe sabotaged a customer's installation as punishment for posting a negative review.

    Most proprietary software companies don't use their power so harshly, but it is an injustice that they all have such power.

  • 2016-12

    The “smart” toys My Friend Cayla and i-Que can be remotely controlled with a mobile phone; physical access is not necessary. This would enable crackers to listen in on a child's conversations, and even speak into the toys themselves.

    This means a burglar could speak into the toys and ask the child to unlock the front door while Mommy's not looking.

  • 2016-09

    HP's firmware downgrade imposed DRM on some printers, which now refuse to function with third-party ink cartridges.

  • 2016-08

    Ransomware has been developed for a thermostat that uses proprietary software.

  • 2016-05

    Samsung's “Smart Home” has a big security hole; unauthorized people can remotely control it.

    Samsung claims that this is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software.

    Anything whose name is “Smart” is most likely going to screw you.

  • 2016-04

    Malware was found on security cameras available through Amazon.

    A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.

  • 2016-04

    Revolv is a device that managed “smart home” operations: switching lights, operate motion sensors, regulating temperature, etc. Its proprietary software depends on a remote server to do these tasks. On May 15th, 2016, Google/Alphabet intentionally broke it by shutting down the server.

    If it were free software, users would have the ability to make it work again, differently, and then have a freedom-respecting home instead of a “smart” home. Don't let proprietary software control your devices and turn them into $300 out-of-warranty bricks. Insist on self-contained computers that run free software!

  • 2016-03

    Over 70 brands of network-connected surveillance cameras have security bugs that allow anyone to watch through them.

  • 2016-01

    The “Cube” 3D printer was designed with DRM: it won't accept third-party printing materials. It is the Keurig of printers. Now it is being discontinued, which means that eventually authorized materials won't be available and the printers may become unusable.

    With a printer that gets the Respects Your Freedom, this problem would not even be a remote possibility.

    How pitiful that the author of that article says that there was “nothing wrong” with designing the device to restrict users in the first place. This is like putting a “cheat me and mistreat me” sign on your chest. We should know better: we should condemn all companies that take advantage of people like him. Indeed, it is the acceptance of their unjust practice that teaches people to be doormats.

  • 2015-12

    Philips “smart” lightbulbs had initially been designed to interact with other companies' smart light bulbs, but later the company updated the firmware to disallow interoperability.

    If a product is “smart”, and you didn't build it, it is cleverly serving its manufacturer against you.

  • 2015-12

    Some D-Link routers have a back door for changing settings in a dlink of an eye.

    The TP-Link router has a back door.

    Many models of routers have back doors.

  • 2015-11

    The Nest Cam “smart” camera is always watching, even when the “owner” switches it “off.”

    A “smart” device means the manufacturer is using it to outsmart you.

  • 2015-11

    ARRIS cable modem has a back door in the back door.

  • 2015-11

    Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity, and other cross-device tracking.

  • 2015-11

    Vizio goes a step further than other TV manufacturers in spying on their users: their “smart” TVs analyze your viewing habits in detail and link them your IP address so that advertisers can track you across devices.

    It is possible to turn this off, but having it enabled by default is an injustice already.

  • 2015-11

    Tivo's alliance with Viacom adds 2.3 million households to the 600 millions social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers. By combining TV viewing information with online social media participation, Tivo can now correlate TV advertisement with online purchases, exposing all users to new combined surveillance by default.

  • 2015-10

    FitBit fitness trackers have a Bluetooth vulnerability that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.

  • 2015-10

    “Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives have a back door.

  • 2015-07

    Vizio “smart” TVs recognize and track what people are watching, even if it isn't a TV channel.

  • 2015-06

    Due to bad security in a drug pump, crackers could use it to kill patients.

  • 2015-05

    Verizon cable TV snoops on what programs people watch, and even what they wanted to record.

  • 2015-05

    Hospira infusion pumps, which are used to administer drugs to a patient, were rated “least secure IP device I've ever seen” by a security researcher.

    Depending on what drug is being infused, the insecurity could open the door to murder.

  • 2015-04

    Vizio used a firmware “upgrade” to make its TVs snoop on what users watch. The TVs did not do that when first sold.

  • 2015-02

    Barbie is going to spy on children and adults.

  • 2015-02

    The Samsung “Smart” TV transmits users' voice on the internet to another company, Nuance. Nuance can save it and would then have to give it to the US or some other government.

    Speech recognition is not to be trusted unless it is done by free software in your own computer.

    In its privacy policy, Samsung explicitly confirms that voice data containing sensitive information will be transmitted to third parties.

  • 2014-11

    The Amazon “Smart” TV is snooping all the time.

  • 2014-09

    More or less all “smart” TVs spy on their users.

    The report was as of 2014, but we don't expect this has got better.

    This shows that laws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent? Probably the TV will say, “Without your consent to tracking, the TV will not work.”

    Proper laws would say that TVs are not allowed to report what the user watches—no exceptions!

  • 2014-07

    Nest thermometers send a lot of data about the user.

  • 2014-05

    LG disabled network features on previously purchased “smart” TVs, unless the purchasers agreed to let LG begin to snoop on them and distribute their personal data.

  • 2014-05

    Spyware in LG “smart” TVs reports what the user watches, and the switch to turn this off has no effect. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)

    Even worse, it snoops on other devices on the user's local network.

    LG later said it had installed a patch to stop this, but any product could spy this way.

    Meanwhile, LG TVs do lots of spying anyway.

  • 2014-04

    Lots of hospital equipment has lousy security, and it can be fatal.

  • 2013-12

    Some flash memories have modifiable software, which makes them vulnerable to viruses.

    We don't call this a “back door” because it is normal that you can install a new system in a computer, given physical access to it. However, memory sticks and cards should not be modifiable in this way.

  • 2013-12

    Point-of-sale terminals running Windows were taken over and turned into a botnet for the purpose of collecting customers' credit card numbers.

  • 2013-11

    Spyware in LG “smart” TVs reports what the user watches, and the switch to turn this off has no effect. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)

    Even worse, it snoops on other devices on the user's local network.

    LG later said it had installed a patch to stop this, but any product could spy this way.

  • 2013-10

    DVDs and Blu-ray disks have DRM.

    That page uses spin terms that favor DRM, including digital “rights” management and “protect”, and it claims that “artists” (rather than companies) are primarily responsible for putting digital restrictions management into these disks. Nonetheless, it is a reference for the facts.

    Every Blu-ray disk (with few, rare exceptions) has DRM—so don't use Blu-ray disks!

  • 2013-09

    The FTC punished a company for making webcams with bad security so that it was easy for anyone to watch through them.

  • 2013-08

    Replaceable nonfree software in disk drives can be written by a nonfree program. This makes any system vulnerable to persistent attacks that normal forensics won't detect.

  • 2013-07

    It is possible to kill people by taking control of medical implants by radio. More information in BBC News and IOActive Labs Research blog.

  • 2013-07

    “Smart homes” turn out to be stupidly vulnerable to intrusion.

  • 2013-07

    HP “storage appliances” that use the proprietary “Left Hand” operating system have back doors that give HP remote login access to them. HP claims that this does not give HP access to the customer's data, but if the back door allows installation of software changes, a change could be installed that would give access to the customer's data.

  • 2012-12

    The Cisco TNP IP phones are spying devices.

  • 2012-12

    Samsung “Smart” TVs have turned Linux into the base for a tyrant system so as to impose DRM. What enables Samsung to do this is that Linux is released under GNU GPL version 2, not version 3, together with a weak interpretation of GPL version 2.

  • 2012-12

    Crackers found a way to break security on a “smart” TV and use its camera to watch the people who are watching TV.

  • 2012-10

    Some LG TVs are tyrants.