<!--#include virtual="/server/header.html" --> <!-- Parent-Version:1.841.96 --> <!--#set var="DISABLE_TOP_ADDENDUM" value="yes" --> <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Please do not edit <ul class="blurbs">! Instead, edit /proprietary/workshop/mal.rec, then regenerate pages. See explanations in /proprietary/workshop/README.md. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <title>Malware in Appliances - GNU Project - Free Software Foundation</title> <link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" /> <!--#include virtual="/proprietary/po/malware-appliances.translist" --> <!--#include virtual="/server/banner.html" --> <!--GNUN: OUT-OF-DATE NOTICE--> <!--#include virtual="/server/top-addendum.html" --> <div style="clear: both"></div> <div id="last-div" class="reduced-width"> <h2>Malware in Appliances</h2> <div class="infobox"> <hr class="full-width" /> <p>Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; <a href="/philosophy/free-software-even-more-important.html">that is the basic injustice</a>. 
The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.</p> <p>This typically takes the form of malicious functionalities.</p> <hr class="full-width" /> </div> <div class="article"> <div class="important"> <p>If you know of an example that ought to be on this page but isn't here, please write to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.</p> </div> <div class="column-limit" id="malware-appliances"></div> <ul class="blurbs"> <li id="M202202190"> <!--#set var="DATE" value='<small class="date-tag">2022-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>The printer manufacturer Hewlett-Packard <a href="https://www.theguardian.com/money/2022/feb/19/how-cheap-ink-cartridges-can-cost-you-dear">is implementing DRM in its machines so they won't work</a> if someone uses ink from another supplier!</p> </li> <li id="M202202150"> <!--#set var="DATE" value='<small class="date-tag">2022-02</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://www.eff.org/deeplinks/2022/02/worst-timeline-printer-company-putting-drm-paper-now">The Dymo printer company is now putting DRM on its labels so that users are forced to use paper supplied by Dymo</a>, not any other company. It's the same practice printer companies are using to force their own ink on people.</p> </li> <li id="M202201290"> <!--#set var="DATE" value='<small class="date-tag">2022-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>“Smart” TV producers <a href="https://www.theguardian.com/technology/2022/jan/29/what-your-smart-tv-knows-about-you-and-how-to-stop-it-harvesting-data">are spying on people using various methods</a>, and harvesting their data. 
They are collecting audio, video, and TV usage data to profile people.</p> </li> <li id="M202111201"> <!--#set var="DATE" value='<small class="date-tag">2021-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>NordicTrack, a company that sells exercise machines with the ability to show videos, <a href="https://arstechnica.com/information-technology/2021/11/locked-out-of-god-mode-runners-are-hacking-their-treadmills/">limits what people can watch, and recently disabled a feature</a> that was originally functional. This happened through an automatic update and probably involved a universal back door.</p> </li> <li id="M202110160"> <!--#set var="DATE" value='<small class="date-tag">2021-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>Canon's all-in-one printer, scanner, and fax machine <a href="https://www.bleepingcomputer.com/news/legal/canon-sued-for-disabling-scanner-when-printers-run-out-of-ink/">will stop you from using any of its features if it's out of ink</a>! Since there's no need for ink to scan or fax, Canon is being sued by its customers for this malicious behavior. 
The proprietary software installed on Canon machines arbitrarily restricts users from using their device as they wish.</p> </li> <li id="M202108240"> <!--#set var="DATE" value='<small class="date-tag">2021-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>Recent Samsung TVs have a back door with which Samsung can <a href="https://www.pcmag.com/news/samsung-can-remotely-disable-any-of-its-tvs-worldwide"> brick them remotely</a>.</p> </li> <li id="M202101050"> <!--#set var="DATE" value='<small class="date-tag">2021-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>Most Internet-connected devices in Mozilla's <a href="https://foundation.mozilla.org/en/privacynotincluded/">“Privacy Not Included”</a> list <a href="https://foundation.mozilla.org/privacynotincluded/arlo-video-doorbell">are designed to snoop on users</a> even if they meet Mozilla's “Minimum Security Standards.” Insecure design of the program running on some of these devices <a href="https://foundation.mozilla.org/privacynotincluded/vibratissimo-panty-buster">makes the user susceptible to being snooped on and exploited by crackers as well</a>.</p> </li> <li id="M202011230"> <!--#set var="DATE" value='<small class="date-tag">2020-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>Some Wavelink and JetStream wifi routers have universal back doors that enable unauthenticated users to remotely control not only the routers, but also any devices connected to the network. There is evidence that <a href="https://cybernews.com/security/walmart-exclusive-routers-others-made-in-china-contain-backdoors-to-control-devices/"> this vulnerability is actively exploited</a>.</p> <p>If you are considering buying a router, we encourage you to get one that <a href="https://ryf.fsf.org/categories/routers">runs on free software</a>. 
Any attempts at introducing malicious functionalities in it (e.g., through a firmware update) will be detected by the community, and soon corrected.</p> <p>If unfortunately you own a router that runs on proprietary software, don't panic! You may be able to replace its firmware with a free operating system such as <a href="https://librecmc.org">libreCMC</a>. If you don't know how, you can get help from a nearby GNU/Linux user group.</p> </li> <li id="M202007280"> <!--#set var="DATE" value='<small class="date-tag">2020-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Focals eyeglass display, with snooping microphone, has been eliminated. Google eliminated it by buying the manufacturer and shutting it down. It also <a href="https://www.ctvnews.ca/sci-tech/canadian-smart-glasses-going-offline-weeks-after-company-bought-by-google-1.5042010">shut down the server these devices depend on</a>, which caused the ones already sold to cease to function.</p> <p>It may be a good thing to wipe out this product—for “smart,” read “snoop”—but Google didn't do that for the sake of privacy. Rather, it was eliminating competition for its own snooping product.</p> </li> <li id="M202007270"> <!--#set var="DATE" value='<small class="date-tag">2020-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Mellow sous-vide cooker is tethered to a server. 
The company suddenly <a href="https://www.slashgear.com/mellow-sous-vide-owners-get-unwelcome-subscription-surprise-27630842/"> turned this tethering into a subscription</a>, forbidding users from taking advantage of the “advanced features” of the cooker unless they pay a monthly fee.</p> </li> <li id="M202006250"> <!--#set var="DATE" value='<small class="date-tag">2020-06</small>' --><!--#echo encoding="none" var="DATE" --> <p>TV manufacturers are able to <a href="https://www.zdnet.com/article/fbi-warns-about-snoopy-smart-tvs-spying-on-you/">snoop every second of what the user is watching</a>. This is illegal due to the Video Privacy Protection Act of 1988, but they're circumventing it through EULAs.</p> </li> <li id="M202006160"> <!--#set var="DATE" value='<small class="date-tag">2020-06</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://www.wired.com/story/ripple20-iot-vulnerabilities/?bxid=5bd66d4c2ddf9c619437e4b8&cndid=9608804&esrc=Wired_etl_load&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_bran%5C"> A disastrous security bug</a> touches millions of products in the Internet of Stings.</p> <p>As a result, anyone can sting the user, not only the manufacturer.</p> </li> <li id="M202005070"> <!--#set var="DATE" value='<small class="date-tag">2020-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>Wink sells a “smart” home hub that is tethered to a server. In May 2020, it ordered the purchasers to start <a href="https://www.techhive.com/article/578539/wink-users-revolt-following-its-sudden-shift-to-a-subscription-model.html"> paying a monthly fee for the use of that server</a>. 
Because of the tethering, the hub is useless without that.</p> </li> <li id="M201912170"> <!--#set var="DATE" value='<small class="date-tag">2019-12</small>' --><!--#echo encoding="none" var="DATE" --> <p>Some security breakers (wrongly referred to in this article as <a href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>) managed to interfere with the Amazon Ring proprietary system, and <a href="https://www.theguardian.com/technology/2019/dec/13/ring-hackers-reportedly-watching-talking-strangers-in-home-cameras">access its camera, speakers and microphones</a>.</p> </li> <li id="M201911190"> <!--#set var="DATE" value='<small class="date-tag">2019-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>Internet-tethered Amazon Ring had a security vulnerability that enabled attackers to <a href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password"> access the user's wifi password</a>, and snoop on the household through connected surveillance devices.</p> <p>Knowledge of the wifi password would not be sufficient to carry out any significant surveillance if the devices implemented proper security, including encryption. But many devices with proprietary software lack this. 
Of course, they are also used by their manufacturers for snooping.</p> </li> <li id="M201909061"> <!--#set var="DATE" value='<small class="date-tag">2019-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>Best Buy made controllable appliances and <a href="https://www.theverge.com/2019/9/6/20853671/best-buy-connect-insignia-smart-plug-wifi-freezer-mobile-app-shutdown-november-6"> shut down the service to control them through</a>.</p> <p>While it is laudable that Best Buy recognized it was mistreating the customers by doing so, this doesn't alter the facts that tethering the device to a particular server is a path to screwing the users, and that it is a consequence of having nonfree software in the device.</p> </li> <li id="M201904260"> <!--#set var="DATE" value='<small class="date-tag">2019-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Jibo robot toys were tethered to the manufacturer's server, and <a href="https://apnews.com/article/san-francisco-north-america-technology-business-ap-top-news-99c9ec8ebad242ca88178e22c7642648"> the company made them all cease to work</a> by shutting down that server.</p> <p>The shutdown might ironically be good for their users, since the product was designed to manipulate people by presenting a phony semblance of emotions, and was most certainly spying on them.</p> </li> <li id="M201903210"> <!--#set var="DATE" value='<small class="date-tag">2019-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Medtronics Conexus Telemetry Protocol has <a href="https://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/"> two vulnerabilities that affect several models of implantable defibrillators</a> and the devices they connect to.</p> <p>This protocol has been around since 2006, and similar vulnerabilities were discovered in an earlier 
Medtronics communication protocol in 2008. Apparently, nothing was done by the company to correct them. This means you can't rely on proprietary software developers to fix bugs in their products.</p> </li> <li id="M201902270"> <!--#set var="DATE" value='<small class="date-tag">2019-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Ring (now Amazon) doorbell camera is designed so that the manufacturer (now Amazon) can watch all the time. Now it turns out that <a href="https://web.archive.org/web/20190918024432/https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/"> anyone else can also watch, and fake videos too</a>.</p> <p>The third-party vulnerability is presumably unintentional and Amazon will probably fix it. However, we do not expect Amazon to change the design that <a href="/proprietary/proprietary-surveillance.html#M201901100">allows Amazon to watch</a>.</p> </li> <li id="M201902080"> <!--#set var="DATE" value='<small class="date-tag">2019-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>The HP <a href="https://boingboing.net/2019/02/08/inkjet-dystopias.html"> “ink subscription” cartridges have DRM that constantly communicates with HP servers</a> to make sure the user is still paying for the subscription, and hasn't printed more pages than were paid for.</p> <p>Even though the ink subscription program may be cheaper in some specific cases, it spies on users, and involves totally unacceptable restrictions in the use of ink cartridges that would otherwise be in working order.</p> </li> <li id="M201901100"> <!--#set var="DATE" value='<small class="date-tag">2019-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>Amazon Ring “security” devices <a href="https://www.engadget.com/2019-01-10-ring-gave-employees-access-customer-video-feeds.html"> send the video they capture to Amazon servers</a>, which save it long-term.</p> <p>In many cases, the video shows everyone that comes near, or 
merely passes by, the user's front door.</p> <p>The article focuses on how Ring used to let individual employees look at the videos freely. It appears Amazon has tried to prevent that secondary abuse, but the primary abuse—that Amazon gets the video—Amazon expects society to surrender to.</p> </li> <li id="M201901070"> <!--#set var="DATE" value='<small class="date-tag">2019-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>Vizio TVs <a href="https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019"> collect “whatever the TV sees,”</a> in the own words of the company's CTO, and this data is sold to third parties. This is in return for “better service” (meaning more intrusive ads?) and slightly lower retail prices.</p> <p>What is supposed to make this spying acceptable, according to him, is that it is opt-in in newer models. But since the Vizio software is nonfree, we don't know what is actually happening behind the scenes, and there is no guarantee that all future updates will leave the settings unchanged.</p> <p>If you already own a Vizio “smart” TV (or any “smart” TV, for that matter), the easiest way to make sure it isn't spying on you is to disconnect it from the Internet, and use a terrestrial antenna instead. Unfortunately, this is not always possible. Another option, if you are technically oriented, is to get your own router (which can be an old computer running completely free software), and set up a firewall to block connections to Vizio's servers. 
Or, as a last resort, you can replace your TV with another model.</p> </li> <li id="M201810300"> <!--#set var="DATE" value='<small class="date-tag">2018-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>Nearly all “home security cameras” <a href="https://www.consumerreports.org/privacy/d-link-camera-poses-data-security-risk--consumer-reports-finds-a8814384448/"> give the manufacturer an unencrypted copy of everything they see</a>. “Home insecurity camera” would be a better name!</p> <p>When Consumer Reports tested them, it suggested that these manufacturers promise not to look at what's in the videos. That's not security for your home. Security means making sure they don't get to see through your camera.</p> </li> <li id="M201810150"> <!--#set var="DATE" value='<small class="date-tag">2018-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>Printer manufacturers are very innovative—at blocking the use of independent replacement ink cartridges. Their “security upgrades” occasionally impose new forms of cartridge DRM. <a href="https://www.vice.com/en/article/pa98ab/printer-makers-are-crippling-cheap-ink-cartridges-via-bogus-security-updates"> HP and Epson have done this</a>.</p> </li> <li id="M201809260"> <!--#set var="DATE" value='<small class="date-tag">2018-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>Honeywell's “smart” thermostats communicate only through the company's server. They have all the nasty characteristics of such devices: <a href="https://www.businessinsider.com/honeywell-iot-thermostats-server-outage-2018-9"> surveillance, and danger of sabotage</a> (of a specific user, or of all users at once), as well as the risk of an outage (which is what just happened).</p> <p>In addition, setting the desired temperature requires running nonfree software. 
With an old-fashioned thermostat, you can do it using controls right on the thermostat.</p> </li> <li id="M201809240"> <!--#set var="DATE" value='<small class="date-tag">2018-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>Researchers have discovered how to <a href="https://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co"> hide voice commands in other audio</a>, so that people cannot hear them, but Alexa and Siri can.</p> </li> <li id="M201807050"> <!--#set var="DATE" value='<small class="date-tag">2018-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>The Jawbone fitness tracker was tethered to a proprietary phone app. In 2017, the company shut down and made the app stop working. <a href="https://www.theguardian.com/technology/2018/jul/05/defunct-jawbone-fitness-trackers-kept-selling-after-app-closure-says-which">All the existing trackers stopped working forever</a>.</p> <p>The article focuses on a further nasty fillip, that sales of the broken devices continued. But we think that is a secondary issue; it made the nasty consequences extend to some additional people. 
The fundamental wrong was to design the devices to depend on something else that didn't respect users' freedom.</p> </li> <li id="M201804140"> <!--#set var="DATE" value='<small class="date-tag">2018-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>A medical insurance company <a href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next/"> offers a gratis electronic toothbrush that snoops on its user by sending usage data back over the Internet</a>.</p> </li> <li id="M201804010"> <!--#set var="DATE" value='<small class="date-tag">2018-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Some “Smart” TVs automatically <a href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928"> load downgrades that install a surveillance app</a>.</p> <p>We link to the article for the facts it presents. It is too bad that the article finishes by advocating the moral weakness of surrendering to Netflix. 
The Netflix app <a href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is malware too</a>.</p> </li> <li id="M201802120"> <!--#set var="DATE" value='<small class="date-tag">2018-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>Apple devices lock users in <a href="https://gizmodo.com/homepod-is-the-ultimate-apple-product-in-a-bad-way-1822883347"> solely to Apple services</a> by being designed to be incompatible with all other options, ethical or unethical.</p> </li> <li id="M201712240"> <!--#set var="DATE" value='<small class="date-tag">2017-12</small>' --><!--#echo encoding="none" var="DATE" --> <p>One of the dangers of the “internet of stings” is that, if you lose your internet service, you also <a href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/"> lose control of your house and appliances</a>.</p> <p>For your safety, don't use any appliance with a connection to the real internet.</p> </li> <li id="M201711200"> <!--#set var="DATE" value='<small class="date-tag">2017-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>Amazon recently invited consumers to be suckers and <a href="https://www.techdirt.com/2017/11/22/vulnerability-found-amazon-key-again-showing-how-dumber-tech-is-often-smarter-option/"> allow delivery staff to open their front doors</a>. 
Wouldn't you know it, the system has a grave security flaw.</p> </li> <li id="M201711100"> <!--#set var="DATE" value='<small class="date-tag">2017-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>A remote-control sex toy was found to make <a href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-surveillance">audio recordings of the conversation between two users</a>.</p> </li> <li id="M201711080"> <!--#set var="DATE" value='<small class="date-tag">2017-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>Logitech will sabotage all Harmony Link household control devices by <a href="https://arstechnica.com/gadgets/2017/11/logitech-to-shut-down-service-and-support-for-harmony-link-devices-in-2018/"> turning off the server through which the products' supposed owners communicate with them</a>.</p> <p>The owners suspect this is to pressure them to buy a newer model. If they are wise, they will learn, rather, to distrust any product that requires users to talk with them through some specialized service.</p> </li> <li id="M201710040"> <!--#set var="DATE" value='<small class="date-tag">2017-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>Every “home security” camera, if its manufacturer can communicate with it, is a surveillance device. 
<a href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change"> Canary camera is an example</a>.</p> <p>The article describes wrongdoing by the manufacturer, based on the fact that the device is tethered to a server.</p> <p><a href="/proprietary/proprietary-tethers.html">More about proprietary tethering</a>.</p> <p>But it also demonstrates that the device gives the company surveillance capability.</p> </li> <li id="M201709200"> <!--#set var="DATE" value='<small class="date-tag">2017-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>A “smart” intravenous pump designed for hospitals is connected to the internet. Naturally <a href="https://www.techdirt.com/2017/09/22/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack/"> its security has been cracked</a>.</p> <p><small>(Note that this article misuses the term <a href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a> referring to crackers.)</small></p> </li> <li id="M201708280"> <!--#set var="DATE" value='<small class="date-tag">2017-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>The bad security in many Internet of Stings devices allows <a href="https://www.techdirt.com/2017/08/28/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you/">ISPs to snoop on the people that use them</a>.</p> <p>Don't be a sucker—reject all the stings.</p> <p><small>(It is unfortunate that the article uses the term <a href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p> </li> <li id="M201708230"> <!--#set var="DATE" value='<small class="date-tag">2017-08</small>' 
--><!--#echo encoding="none" var="DATE" --> <p>Sonos <a href="https://www.zdnet.com/article/sonos-accept-new-privacy-policy-speakers-cease-to-function/"> told all its customers, “Agree” to snooping or the product will stop working</a>. <a href="https://www.consumerreports.org/consumerist/sonos-holds-software-updates-hostage-if-you-dont-sign-new-privacy-agreement/"> Another article</a> says they won't forcibly change the software, but people won't be able to get any upgrades and eventually it will stop working.</p> </li> <li id="M201708040"> <!--#set var="DATE" value='<small class="date-tag">2017-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>While you're using a DJI drone to snoop on other people, DJI is in many cases <a href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping on you</a>.</p> </li> <li id="M201706200"> <!--#set var="DATE" value='<small class="date-tag">2017-06</small>' --><!--#echo encoding="none" var="DATE" --> <p>Many models of Internet-connected cameras are tremendously insecure. 
They have login accounts with hard-coded passwords, which can't be changed, and <a href="https://arstechnica.com/information-technology/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">there is no way to delete these accounts either</a>.</p> </li> <li id="M201705250"> <!--#set var="DATE" value='<small class="date-tag">2017-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>The proprietary code that runs pacemakers, insulin pumps, and other medical devices is <a href="https://www.bbc.com/news/technology-40042584"> full of gross security faults</a>.</p> </li> <li id="M201705180"> <!--#set var="DATE" value='<small class="date-tag">2017-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>Bird and rabbit pets were implemented for Second Life by a company that tethered their food to a server. <a href="https://www.rockpapershotgun.com/second-life-ozimals-pet-rabbits-dying"> It shut down the server and the pets more or less died</a>.</p> </li> <li id="M201704190"> <!--#set var="DATE" value='<small class="date-tag">2017-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Users are suing Bose for <a href="https://web.archive.org/web/20170423010030/https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/"> distributing a spyware app for its headphones</a>. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.</p> <p>The suit alleges that this was done without the users' consent. 
If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out <a href="/philosophy/surveillance-vs-democracy.html"> illegal to design the app to snoop at all</a>.</p> </li> <li id="M201704120"> <!--#set var="DATE" value='<small class="date-tag">2017-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Anova sabotaged users' cooking devices with a downgrade that tethered them to a remote server. <a href="https://web.archive.org/web/20170415145520/https://consumerist.com/2017/04/12/anova-ticks-off-customers-by-requiring-mandatory-accounts-to-cook-food/">Unless users create an account on Anova's servers, their cookers won't function</a>.</p> </li> <li id="M201703270"> <!--#set var="DATE" value='<small class="date-tag">2017-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>When Miele's Internet of Stings hospital disinfectant dishwasher is <a href="https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit"> connected to the Internet, its security is crap</a>.</p> <p>For example, a cracker can gain access to the dishwasher's filesystem, infect it with malware, and force the dishwasher to launch attacks on other devices in the network. 
Since these dishwashers are used in hospitals, such attacks could potentially put hundreds of lives at risk.</p> </li> <li id="M201703140"> <!--#set var="DATE" value='<small class="date-tag">2017-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>A computerized vibrator <a href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack"> was snooping on its users through the proprietary control app</a>.</p> <p>The app was reporting the temperature of the vibrator minute by minute (thus, indirectly, whether it was surrounded by a person's body), as well as the vibration frequency.</p> <p>Note the totally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users could have checked and changed.</p> <p>The company that made the vibrator <a href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit"> was sued for collecting lots of personal information about how people used it</a>.</p> <p>The company's statement that it was anonymizing the data may be true, but it doesn't really matter. If it had sold the data to a data broker, the data broker would have been able to figure out who the user was.</p> <p>Following this lawsuit, <a href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits"> the company has been ordered to pay a total of C$4m</a> to its customers.</p> </li> <li id="M201703070"> <!--#set var="DATE" value='<small class="date-tag">2017-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>The CIA exploited existing vulnerabilities in “smart” TVs and phones to design malware that <a href="https://www.independent.co.uk/tech/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html"> spies through their microphones and cameras while making them appear to be turned off</a>. 
Since the spyware sniffs signals, it bypasses encryption.</p>
</li>
<li id="M201702280">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>“CloudPets” toys with microphones <a href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults"> leak children's conversations to the manufacturer</a>. Guess what? <a href="https://www.vice.com/en/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings"> Crackers found a way to access the data</a> collected by the manufacturer's snooping.</p>
<p>That the manufacturer and the FBI could listen to these conversations was unacceptable by itself.</p>
</li>
<li id="M201702200">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>If you buy a used “smart” car, house, TV, refrigerator, etc., usually <a href="https://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the previous owners can still remotely control it</a>.</p>
</li>
<li id="M201702060">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Vizio “smart” <a href="https://www.ftc.gov/business-guidance/blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs report everything that is viewed on them, and not just broadcasts and cable</a>. Even if the image is coming from the user's own computer, the TV reports what it is.
The existence of a way to disable the surveillance, even if it were not hidden as it was in these TVs, does not legitimize the surveillance.</p>
</li>
<li id="M201701271">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A cracker would be able to <a href="https://uploadvr.com/hackable-webcam-oculus-sensor-be-aware/"> turn the Oculus Rift sensors into spy cameras</a> after breaking into the computer they are connected to.</p>
<p><small>(Unfortunately, the article <a href="/philosophy/words-to-avoid.html#Hacker">improperly refers to crackers as “hackers”</a>.)</small></p>
</li>
<li id="M201612230">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>VR equipment, measuring every slight motion, creates the potential for the most intimate surveillance ever.
All it takes to make this potential real <a href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is software as malicious as many other programs listed in this page</a>.</p>
<p>You can bet Facebook will implement the maximum possible surveillance on Oculus Rift devices. The moral is, never trust a VR system with nonfree software in it.</p>
</li>
<li id="M201612200">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The developer of Ham Radio Deluxe <a href="https://www.techdirt.com/2016/12/22/software-company-shows-how-not-to-handle-negative-review/">sabotaged a customer's installation as punishment for posting a negative review</a>.</p>
<p>Most proprietary software companies don't use their power so harshly, but it is an injustice that they all <em>have</em> such power.</p>
</li>
<li id="M201612060.1">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The “smart” toys My Friend Cayla and i-Que can be <a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/">remotely controlled with a mobile phone</a>; physical access is not necessary.
This would enable crackers to listen in on a child's conversations, and even speak into the toys themselves.</p>
<p>This means a burglar could speak into the toys and ask the child to unlock the front door while Mommy's not looking.</p>
</li>
<li id="M201609200">
<!--#set var="DATE" value='<small class="date-tag">2016-09</small>' --><!--#echo encoding="none" var="DATE" -->
<p>HP's firmware downgrade <a href="https://www.theguardian.com/technology/2016/sep/20/hp-inkjet-printers-unofficial-cartridges-software-update">imposed DRM on some printers, which now refuse to function with third-party ink cartridges</a>.</p>
</li>
<li id="M201608080">
<!--#set var="DATE" value='<small class="date-tag">2016-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Ransomware <a href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/"> has been developed for a thermostat that uses proprietary software</a>.</p>
</li>
<li id="M201605020">
<!--#set var="DATE" value='<small class="date-tag">2016-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Samsung's “Smart Home” has a big security hole; <a href="https://arstechnica.com/information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/"> unauthorized people can remotely control it</a>.</p>
<p>Samsung claims that this is an “open” platform so the problem is partly the fault of app developers.
That is clearly true if the apps are proprietary software.</p>
<p>Anything whose name is “Smart” is most likely going to screw you.</p>
</li>
<li id="M201604110">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Malware was found on <a href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html"> security cameras available through Amazon</a>.</p>
<p>A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.</p>
</li>
<li id="M201604050">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Revolv is a device that managed “smart home” operations: switching lights, operating motion sensors, regulating temperature, etc. Its proprietary software depends on a remote server to do these tasks. On May 15th, 2016, Google/Alphabet <a href="https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be">intentionally broke it by shutting down the server</a>.</p>
<p>If it were free software, users would have the ability to make it work again, differently, and then have a freedom-respecting home instead of a “smart” home. Don't let proprietary software control your devices and turn them into $300 out-of-warranty bricks. Insist on self-contained computers that run free software!</p>
</li>
<li id="M201603220">
<!--#set var="DATE" value='<small class="date-tag">2016-03</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Over 70 brands of network-connected surveillance cameras have <a href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html"> security bugs that allow anyone to watch through them</a>.</p>
</li>
<li id="M201601100">
<!--#set var="DATE" value='<small class="date-tag">2016-01</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The <a href="https://michaelweinberg.org/post/137045828005/free-the-cube"> “Cube” 3D printer was designed with DRM</a>: it won't accept third-party printing materials. It is the Keurig of printers.
Now it is being discontinued, which means that eventually authorized materials won't be available and the printers may become unusable.</p>
<p>With a <a href="https://www.fsf.org/resources/hw/endorsement/aleph-objects"> printer that gets the Respects Your Freedom</a>, this problem would not even be a remote possibility.</p>
<p>How pitiful that the author of that article says that there was “nothing wrong” with designing the device to restrict users in the first place. This is like putting a “cheat me and mistreat me” sign on your chest. We should know better: we should condemn all companies that take advantage of people like him. Indeed, it is the acceptance of their unjust practice that teaches people to be doormats.</p>
</li>
<li id="M201512140">
<!--#set var="DATE" value='<small class="date-tag">2015-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Philips “smart” lightbulbs had initially been designed to interact with other companies' smart light bulbs, but <a href="https://www.techdirt.com/2015/12/14/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update/"> later the company updated the firmware to disallow interoperability</a>.</p>
<p>If a product is “smart”, and you didn't build it, it is cleverly serving its manufacturer <em>against you</em>.</p>
</li>
<li id="M201512074">
<!--#set var="DATE" value='<small class="date-tag">2015-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.computerworld.com/article/2705284/backdoor-found-in-d-link-router-firmware-code.html"> Some D-Link routers</a> have a back door for changing settings in a dlink of an eye.</p>
<p><a href="https://sekurak.pl/tp-link-httptftp-backdoor/"> The TP-Link router has a back door</a>.</p>
<p><a href="https://github.com/elvanderb/TCP-32764">Many models of routers have back doors</a>.</p>
</li>
<li id="M201511250">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Nest Cam “smart” camera is <a href="https://www.bbc.com/news/technology-34922712">always watching</a>, even when the “owner” switches it “off.”</p>
<p>A “smart” device means the manufacturer is using it to outsmart you.</p>
</li>
<li id="M201511198">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>ARRIS cable modem has a <a href="https://w00tsec.blogspot.de/2015/11/arris-cable-modem-has-backdoor-in.html?m=1"> back door in the back door</a>.</p>
</li>
<li id="M201511130">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby.
Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity, and do other <a href="https://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/"> cross-device tracking</a>.</p>
</li>
<li id="M201511060">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Vizio goes a step further than other TV manufacturers in spying on their users: their <a href="https://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you"> “smart” TVs analyze your viewing habits in detail and link them to your IP address</a> so that advertisers can track you across devices.</p>
<p>It is possible to turn this off, but having it enabled by default is an injustice already.</p>
</li>
<li id="M201511020">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Tivo's alliance with Viacom adds 2.3 million households to the 600 million social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers.
By combining TV viewing information with online social media participation, Tivo can now <a href="https://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102"> correlate TV advertisement with online purchases</a>, exposing all users to new combined surveillance by default.</p>
</li>
<li id="M201510210">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>' --><!--#echo encoding="none" var="DATE" -->
<p>FitBit fitness trackers have a <a href="https://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/"> Bluetooth vulnerability</a> that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.</p>
</li>
<li id="M201510200">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>' --><!--#echo encoding="none" var="DATE" -->
<p>“Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it.
Western Digital's “My Passport” drives <a href="https://www.vice.com/en/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption"> have a back door</a>.</p>
</li>
<li id="M201507240">
<!--#set var="DATE" value='<small class="date-tag">2015-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Vizio “smart” TVs recognize and <a href="https://www.engadget.com/2015-07-24-vizio-ipo-inscape-acr.html">track what people are watching</a>, even if it isn't a TV channel.</p>
</li>
<li id="M201506080">
<!--#set var="DATE" value='<small class="date-tag">2015-06</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Due to bad security in a drug pump, crackers could use it to <a href="https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/"> kill patients</a>.</p>
</li>
<li id="M201505290">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Verizon cable TV <a href="https://arstechnica.com/information-technology/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/"> snoops on what programs people watch, and even what they wanted to record</a>.</p>
</li>
<li id="M201505050">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Hospira infusion pumps, which are used to administer drugs to a patient, were rated “<a href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/">least secure IP device I've ever seen</a>” by a security researcher.</p>
<p>Depending on what drug is
being infused, the insecurity could open the door to murder.</p>
</li>
<li id="M201504300">
<!--#set var="DATE" value='<small class="date-tag">2015-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Vizio <a href="https://boingboing.net/2015/04/30/telescreen-watch-vizio-adds-s.html"> used a firmware “upgrade” to make its TVs snoop on what users watch</a>. The TVs did not do that when first sold.</p>
</li>
<li id="M201502180">
<!--#set var="DATE" value='<small class="date-tag">2015-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Barbie <a href="https://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is going to spy on children and adults</a>.</p>
</li>
<li id="M201502090">
<!--#set var="DATE" value='<small class="date-tag">2015-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Samsung “Smart” TV <a href="https://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm"> transmits users' voice on the internet to another company, Nuance</a>.
Nuance can save it and would then have to give it to the US or some other government.</p>
<p>Speech recognition is not to be trusted unless it is done by free software in your own computer.</p>
<p>In its privacy policy, Samsung explicitly confirms that <a href="https://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice data containing sensitive information will be transmitted to third parties</a>.</p>
</li>
<li id="M201411090">
<!--#set var="DATE" value='<small class="date-tag">2014-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Amazon “Smart” TV is <a href="https://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance"> snooping all the time</a>.</p>
</li>
<li id="M201409290">
<!--#set var="DATE" value='<small class="date-tag">2014-09</small>' --><!--#echo encoding="none" var="DATE" -->
<p>More or less all “smart” TVs <a href="https://myce.wiki/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy on their users</a>.</p>
<p>The report was as of 2014, but we don't expect this has got better.</p>
<p>This shows that laws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent?
Probably the TV will say, “Without your consent to tracking, the TV will not work.”</p>
<p>Proper laws would say that TVs are not allowed to report what the user watches—no exceptions!</p>
</li>
<li id="M201407170">
<!--#set var="DATE" value='<small class="date-tag">2014-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p id="nest-thermometers">Nest thermometers send <a href="https://bgr.com/general/google-nest-jailbreak-hack/">a lot of data about the user</a>.</p>
</li>
<li id="M201405200.1">
<!--#set var="DATE" value='<small class="date-tag">2014-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>LG <a href="https://www.techdirt.com/2014/05/20/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties/"> disabled network features</a> on <em>previously purchased</em> “smart” TVs, unless the purchasers agreed to let LG begin to snoop on them and distribute their personal data.</p>
</li>
<li id="M201404250">
<!--#set var="DATE" value='<small class="date-tag">2014-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Lots of <a href="https://www.wired.com/2014/04/hospital-equipment-vulnerable/"> hospital equipment has lousy security</a>, and it can be fatal.</p>
</li>
<li id="M201312290">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.bunniestudios.com/blog/?p=3554"> Some flash memories have modifiable software</a>, which makes them vulnerable to viruses.</p>
<p>We don't call this a “back door” because it is normal that you can install a new system in a computer, given physical access to it.
However, memory sticks and cards should not be modifiable in this way.</p>
</li>
<li id="M201312040">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://arstechnica.com/information-technology/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/"> Point-of-sale terminals running Windows were taken over</a> and turned into a botnet for the purpose of collecting customers' credit card numbers.</p>
</li>
<li id="M201311210">
<!--#set var="DATE" value='<small class="date-tag">2013-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Spyware in LG “smart” TVs <a href="https://doctorbeet.blogspot.com/2013/11/lg-smart-tvs-logging-usb-filenames-and.html"> reports what the user watches, and the switch to turn this off has no effect</a>. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)</p>
<p>Even worse, it <a href="https://rrrrambles.wordpress.com/2013/11/21/lg-tv-logging-filenames-from-network-folders/"> snoops on other devices on the user's local network</a>.</p>
<p>LG later said it had installed a patch to stop this, but any product could spy this way.</p>
</li>
<li id="M201310070">
<!--#set var="DATE" value='<small class="date-tag">2013-10</small>' --><!--#echo encoding="none" var="DATE" -->
<p id="bluray"><a href="https://web.archive.org/web/20131007102857/http://www.nclnet.org/technology/73-digital-rights-management/124-whos-driving-the-copyright-laws-consumers-insist-on-the-right-to-back-it-up"> DVDs and Bluray disks have DRM</a>.</p>
<p>That page uses spin terms that favor DRM, including <a href="/philosophy/words-to-avoid.html#DigitalRightsManagement"> digital “rights” management</a> and <a href="/philosophy/words-to-avoid.html#Protection">“protect”</a>, and it claims that “artists” (rather
than companies) are primarily responsible for putting digital restrictions management into these disks. Nonetheless, it is a reference for the facts.</p>
<p>Every Bluray disk (with few, rare exceptions) has DRM—so don't use Bluray disks!</p>
</li>
<li id="M201309050">
<!--#set var="DATE" value='<small class="date-tag">2013-09</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The FTC punished a company for making webcams with <a href="https://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html"> bad security so that it was easy for anyone to watch through them</a>.</p>
</li>
<li id="M201308060">
<!--#set var="DATE" value='<small class="date-tag">2013-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="http://spritesmods.com/?art=hddhack&amp;page=6"> Replaceable nonfree software in disk drives can be written by a nonfree program</a>. This makes any system vulnerable to persistent attacks that normal forensics won't detect.</p>
</li>
<li id="M201307270">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p> It is possible to <a href="https://siliconangle.com/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/"> kill people by taking control of medical implants by radio</a>.
More information in <a href="https://www.bbc.com/news/technology-17631838">BBC News</a> and <a href="https://ioactive.com/broken-hearts-how-plausible-was-the-homeland-pacemaker-hack/"> IOActive Labs Research blog</a>.</p>
</li>
<li id="M201307260">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/"> “Smart homes”</a> turn out to be stupidly vulnerable to intrusion.</p>
</li>
<li id="M201307114">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p>HP “storage appliances” that use the proprietary “Left Hand” operating system have back doors that give HP <a href="https://insights.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/"> remote login access</a> to them. HP claims that this does not give HP access to the customer's data, but if the back door allows installation of software changes, a change could be installed that would give access to the customer's data.</p>
</li>
<li id="M201212290">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Cisco TNP IP phones are <a href="https://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html"> spying devices</a>.</p>
</li>
<li id="M201212180">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Samsung “Smart” TVs have <a href="https://wiki.samygo.tv/index.php?title=SamyGO_for_DUMMIES#What_are_Restricted_Firmwares.3F"> turned Linux into the base for a tyrant system</a> so as to impose DRM.
What enables Samsung to do this is that Linux is released under GNU GPL version 2, <a href="/licenses/rms-why-gplv3.html">not version 3</a>, together with a weak interpretation of GPL version 2.</p> </li> <li id="M201212170"> <!--#set var="DATE" value='<small class="date-tag">2012-12</small>' --><!--#echo encoding="none" var="DATE" --> <p id="break-security-smarttv"><a href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html"> Crackers found a way to break security on a “smart” TV</a> and use its camera to watch the people who are watching TV.</p> </li> <li id="M201210020"> <!--#set var="DATE" value='<small class="date-tag">2012-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>Some LG TVs <a href="https://web.archive.org/web/20190917164647/http://openlgtv.org.ru/wiki/index.php/Achievements"> are tyrants</a>.</p> </li> </ul> </div> </div> <!--#include virtual="/proprietary/proprietary-menu.html" --> <!--#include virtual="/server/footer.html" --> <div id="footer" role="contentinfo"> <div class="unprintable"> <p>Please send general FSF &amp; GNU inquiries to <a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>. There are also <a href="/contact/">other ways to contact</a> the FSF. Broken links and other corrections or suggestions can be sent to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p> <p><!-- TRANSLATORS: Ignore the original text in this paragraph, replace it with the translation of these two: We work hard and do our best to provide accurate, good quality translations. However, we are not exempt from imperfection. 
Please send your comments and general suggestions in this regard to <a href="mailto:web-translators@gnu.org"> &lt;web-translators@gnu.org&gt;</a>.</p> <p>For information on coordinating and contributing translations of our web pages, see <a href="/server/standards/README.translations.html">Translations README</a>. --> Please see the <a href="/server/standards/README.translations.html">Translations README</a> for information on coordinating and contributing translations of this article.</p> </div> <!-- Regarding copyright, in general, standalone pages (as opposed to files generated as part of manuals) on the GNU web server should be under CC BY-ND 4.0. Please do NOT change or remove this without talking with the webmasters or licensing team first. Please make sure the copyright date is consistent with the document. For web pages, it is ok to list just the latest year the document was modified, or published. If you wish to list earlier years, that is ok too. Either "2001, 2002, 2003" or "2001-2003" are ok for specifying years, as long as each year in the range is in fact a copyrightable year, i.e., a year in which the document was published (including being publicly visible on the web or in a revision control system). There is more detail about copyright years in the GNU Maintainers Information document, www.gnu.org/prep/maintain. --> <p>Copyright © 2016-2022 Free Software Foundation, Inc.</p> <p>This page is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.</p> <!--#include virtual="/server/bottom-notes.html" --> <p class="unprintable">Updated: <!-- timestamp start --> $Date: 2022/07/09 07:37:20 $ <!-- timestamp end --> </p> </div></div></div><!-- for class="inner", starts in the banner include --> </body> </html>