Malware in Appliances
Malware means software designed to function in ways that mistreat or harm the user. (This does not include accidental errors.)
Malware and nonfree software are two different issues. The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.
Here are examples of malware in appliances.
- Many models of Internet-connected cameras are tremendously insecure. They have login accounts with hard-coded passwords, which can't be changed, and there is no way to delete these accounts either.
- The proprietary code that runs pacemakers, insulin pumps, and other medical devices is full of gross security faults.
- Users are suing Bose for distributing a spyware app for its headphones. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.
  The suit alleges that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out illegal to design the app to snoop at all.
- Anova sabotaged users' cooking devices with a downgrade that tethered them to a remote server. Unless users create an account on Anova's servers, their cookers won't function.
- When Miele's Internet of Stings hospital disinfectant dishwasher is connected to the Internet, its security is crap.
  For example, a cracker can gain access to the dishwasher's filesystem, infect it with malware, and force the dishwasher to launch attacks on other devices in the network. Since these dishwashers are used in hospitals, such attacks could potentially put hundreds of lives at risk.
- If you buy a used “smart” car, house, TV, refrigerator, etc., usually the previous owners can still remotely control it.
- Vizio “smart” TVs report everything that is viewed on them, and not just broadcasts and cable. Even if the image is coming from the user's own computer, the TV reports what it is. The existence of a way to disable the surveillance, even if it were not hidden as it was in these TVs, does not legitimize the surveillance.
- More or less all “smart” TVs spy on their users.
  The report was as of 2014, but we don't expect this has got better.
  This shows that laws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent? Probably the TV will say, “Without your consent to tracking, the TV will not work.”
  Proper laws would say that TVs are not allowed to report what the user watches — no exceptions!
- Some LG TVs are tyrants.
- Samsung “Smart” TVs have turned Linux into the base for a tyrant system so as to impose DRM. What enables Samsung to do this is that Linux is released under GNU GPL version 2, not version 3, together with a weak interpretation of GPL version 2.
- Audi's proprietary software used a simple method to cheat on emissions tests: to activate a special low-emission gearshifting mode until the first time the car made a turn.
- A company that makes internet-controlled vibrators is being sued for collecting lots of personal information about how people use it.
  The company's statement that it anonymizes the data may be true, but it doesn't really matter. If it sells the data to a data broker, the data broker can figure out who the user is.
- Google/Alphabet intentionally broke Revolv home automatic control products that depended on a server to function. The lesson is, don't stand for that! Insist on self-contained computers that run free software!
- ARRIS cable modem has a backdoor in the backdoor.
- Caterpillar vehicles come with a back door to shut off the engine remotely.
- HP “storage appliances” that use the proprietary “Left Hand” operating system have back doors that give HP remote login access to them. HP claims that this does not give HP access to the customer's data, but if the back door allows installation of software changes, a change could be installed that would give access to the customer's data.
- Some D-Link routers have a back door for changing settings in a dlink of an eye.
- Volkswagen programmed its car engine computers to detect the Environmental Protection Agency's emission tests, and run dirty the rest of the time.
  In real driving, the cars exceeded emissions standards by a factor of up to 35.
  Using free software would not have stopped Volkswagen from programming it this way, but would have made it harder to conceal.
- The “Cube” 3D printer was designed with DRM: it won't accept third-party printing materials. It is the Keurig of printers. Now it is being discontinued, which means that eventually authorized materials won't be available and the printers may become unusable.
  With a printer that gets the Respects Your Freedom certification, this problem would not even be a remote possibility.
  How pitiful that the author of that article says that there was “nothing wrong” with designing the device to restrict users in the first place. This is like putting a “cheat me and mistreat me” sign on your chest. We should know better: we should condemn all companies that take advantage of people like him. Indeed, it is the acceptance of their unjust practice that teaches people to be doormats.
- Philips “smart” lightbulbs have been designed not to interact with other companies' smart lightbulbs.
  If a product is “smart”, and you didn't build it, it is cleverly serving its manufacturer against you.
- DVDs and Blu-ray disks have DRM.
  That page uses spin terms that favor DRM, including digital “rights” management and “protect”, and it claims that “artists” (rather than companies) are primarily responsible for putting digital restrictions management into these disks. Nonetheless, it is a reference for the facts.
  Every Blu-ray disk (with few, rare exceptions) has DRM—so don't use Blu-ray disks!
- Over 70 brands of network-connected surveillance cameras have security bugs that allow anyone to watch through them.
- Samsung's “Smart Home” has a big security hole; unauthorized people can remotely control it.
  Samsung claims that this is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software.
  Anything whose name is “Smart” is most likely going to screw you.
- The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.
  That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.
  Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem though.
- Malware was found on security cameras sold through Amazon.
  A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.
- FitBit fitness trackers have a Bluetooth vulnerability that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.
- “Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives have a back door.
- Security researchers discovered a vulnerability in diagnostic dongles used for vehicle tracking and insurance that let them take remote control of a car or lorry using an SMS.
- Crackers were able to take remote control of the Jeep “connected car”.
  They could track the car, start or stop the engine, and activate or deactivate the brakes, and more.
  I expect that Chrysler and the NSA can do this too.
  If I ever own a car, and it contains a portable phone, I will deactivate that.
- Hospira infusion pumps, which are used to administer drugs to a patient, were rated “least secure IP device I've ever seen” by a security researcher.
  Depending on what drug is being infused, the insecurity could open the door to murder.
- Due to bad security in a drug pump, crackers could use it to kill patients.
- “Smart homes” turn out to be stupidly vulnerable to intrusion.
- The FTC punished a company for making webcams with bad security so that it was easy for anyone to watch them.
- It is possible to take control of some car computers through malware in music files, and also by radio. More information is available from the Automotive Security And Privacy Center.
- It is possible to kill people by taking control of medical implants by radio. More information is available from BBC News and the IOActive Labs Research blog.
- Lots of hospital equipment has lousy security, and it can be fatal.
- Point-of-sale terminals running Windows were taken over and turned into a botnet for the purpose of collecting customers' credit card numbers.
- Vizio used a firmware “upgrade” to make its TVs snoop on what users watch. The TVs did not do that when first sold.
- LG disabled network features on previously purchased “smart” TVs, unless the purchasers agreed to let LG begin to snoop on them and distribute their personal data.
- Barbie is going to spy on children and adults.
- The Nest Cam “smart” camera is always watching, even when the “owner” switches it “off.”
  A “smart” device means the manufacturer is using it to outsmart you.
- Computerized cars with nonfree software are snooping devices.
- Proprietary software in cars records information about drivers' movements, which is made available to car manufacturers, insurance companies, and others.
  The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.
- Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.
- Vizio goes a step further than other TV manufacturers in spying on their users: their “smart” TVs analyze your viewing habits in detail and link them to your IP address so that advertisers can track you across devices.
  It is possible to turn this off, but having it enabled by default is an injustice already.
- Tivo's alliance with Viacom adds 2.3 million households to the 600 million social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers. By combining TV viewing information with online social media participation, Tivo can now correlate TV advertisements with online purchases, exposing all users to new combined surveillance by default.
- Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity and perform other cross-device tracking.
- Vizio “smart” TVs recognize and track what people are watching, even if it isn't a TV channel.
- The Amazon “smart” TV is snooping all the time.
- The Samsung “smart” TV transmits users' voice on the internet to another company, Nuance. Nuance can save it and would then have to give it to the US or some other government.
  Speech recognition is not to be trusted unless it is done by free software in your own computer.
  In its privacy policy, Samsung explicitly confirms that voice data containing sensitive information will be transmitted to third parties.
- Spyware in LG “smart” TVs reports what the user watches, and the switch to turn this off has no effect. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)
  Even worse, it snoops on other devices on the user's local network.
  LG later said it had installed a patch to stop this, but any product could spy this way.
- Verizon cable TV snoops on what programs people watch, and even what they wanted to record.
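The LG item above makes two points a defender can verify from the network rather than from the TV's settings menu: whether viewing reports still leave the device after the "off" switch is used, and that a 404 reply from the server says nothing about whether the data was recorded. The following is an added example, not code from this page or from LG: it runs a check over constructed home-gateway egress log lines, flagging every request from the TV's address that carries a viewing identifier and counting them by server status. The log format, the TV's IP address, the hostnames and the query keys are all assumptions made up for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed values for the demo: the TV's LAN address and the query keys
# under which this hypothetical TV reports what is being watched.
TV_IP = "192.168.1.23"
VIEWING_KEYS = {"channel", "title", "file"}

# Constructed gateway egress log lines, one request each:
#   <time> <src_ip> <method> <url> <status> <bytes_in_reply>
LOG_LINES = """\
12:00:01 192.168.1.23 GET http://telemetry.example/log?channel=BBC1&ts=1 404 0
12:00:05 192.168.1.23 GET http://telemetry.example/log?file=home_video.mkv 404 0
12:00:09 192.168.1.10 GET http://www.example.org/index.html 200 5123
12:00:12 192.168.1.23 POST http://updates.example/check 200 87
12:00:20 192.168.1.23 GET http://telemetry.example/log?title=News+at+Ten 200 12
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    time, src, method, url, status, _size = m.groups()
    u = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"time": time, "src": src, "method": method, "host": u.hostname,
            "path": u.path, "query": query, "status": int(status)}

def viewing_reports(lines, tv_ip=TV_IP):
    """Return every request from the TV whose URL carries a viewing identifier;
    the reply status is ignored on purpose: the data left the network either way."""
    found = []
    for line in lines:
        r = parse_line(line)
        if r and r["src"] == tv_ip and set(r["query"]) & VIEWING_KEYS:
            found.append(r)
    return found

def leaks_by_status(reports):
    """Count leaked reports per HTTP status so the 404-answered ones stay visible."""
    counts = {}
    for r in reports:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts

if __name__ == "__main__":
    reps = viewing_reports(LOG_LINES)
    print("leaked viewing reports by server status:", leaks_by_status(reps))
```

On the constructed input, two of the three reports that carried what was being watched were answered with 404, which is exactly why the check keys on the outbound request, not the server's reply.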