<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
<title>Malware in Appliances
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
 <!--#include virtual="/proprietary/po/malware-appliances.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      title="Section contents"
      alt=" [Section contents] " />

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By product /
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware in Appliances</h2>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>

<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />

<div class="article">
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>

<div class="column-limit" id="malware-appliances"></div>

<ul class="blurbs">
  <li id="M202202190">
    <!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Hewlett-Packard printer producing company <a
    implementing DRM in its machines so they won't work</a> if someone
    uses ink from another supplier than them!</p>

  <li id="M202202150">
    <!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    printer company is now putting DRM on its label so users are forced
    to use paper supplied by Dymo</a>, not any other company. It's the
    same practice printer companies are using to enforce their own ink
    on people.</p>

  <li id="M202201290">
    <!--#set var="DATE" value='<small class="date-tag">2022-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>“Smart” TV producers <a
    spying on people using various methods</a>, and harvest their
    data. They are collecting audio, video, and TV usage data to profile

  <li id="M202111201">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>NordicTrack, a company that sells
    exercise machines with ability to show videos <a
    what people can watch, and recently disabled a feature</a> that was
    originally functional. This happened through automatic update and
    probably involved a universal back door.</p>

  <li id="M202110160">
    <!--#set var="DATE" value='<small class="date-tag">2021-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Canon's all-in-one printer, scanner, and fax machine <a
    stop you from using any of its features if it's out of ink</a>! Since
    there's no need for ink to use scan or fax, Canon is sued by its
    customers for this malicious behavior. The proprietary software
    installed on Canon machines arbitrarily restricts users from using
    their device as they wish.</p>

  <li id="M202108240">
    <!--#set var="DATE" value='<small class="date-tag">2021-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Recent Samsung TVs have a back door with which Samsung can <a
    brick them remotely</a>.</p>

  <li id="M202101050">
    <!--#set var="DATE" value='<small class="date-tag">2021-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Most Internet connected devices in Mozilla's <a
    Not Included”</a> list <a
    designed to snoop on users</a> even if they meet
    Mozilla's “Minimum Security Standards.” Insecure
    design of the program running on some of these devices <a
    the user susceptible to be snooped and exploited by crackers as

  <li id="M202011230">
    <!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some Wavelink and JetStream wifi routers have
    universal back doors that enable unauthenticated
    users to remotely control not only the routers, but
    also any devices connected to the network. There is evidence that <a
    this vulnerability is actively exploited</a>.</p>

    <p>If you consider buying a router, we encourage you to get one
    that <a href="https://ryf.fsf.org/categories/routers">runs on free
    software</a>. Any attempts at introducing malicious functionalities in
    it (e.g., through a firmware update) will be detected by the community,
    and soon corrected.</p>

    <p>If unfortunately you own a router that runs on
    proprietary software, don't panic! You may be able to
    replace its firmware with a free operating system such as <a
    href="https://librecmc.org">libreCMC</a>. If you don't know how,
    you can get help from a nearby GNU/Linux user group.</p>

  <li id="M202007280">
    <!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Focals eyeglass display, with snooping
    microphone, has been eliminated.  Google eliminated
    it by buying the manufacturer and shutting it down.  It also <a
    down the server these devices depend on</a>, which caused the ones
    already sold to cease to function.</p>

    <p>It may be a good thing to wipe out this product—for
    “smart,” read “snoop”—but Google
    didn't do that for the sake of privacy.  Rather, it was eliminating
    competition for its own snooping product.</p>

  <li id="M202007270">
    <!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Mellow sous-vide cooker is
    tethered to a server. The company suddenly <a
    turned this tethering into a subscription</a>, forbidding users from
    taking advantage of the “advanced features” of the cooker
    unless they pay a monthly fee.</p>

  <li id="M202006250">
    <!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>TV manufacturers are able to <a
    every second of what the user is watching</a>. This is illegal due to
    the Video Privacy Protection Act of 1988, but they're circumventing
    it through EULAs.</p>

  <li id="M202006160">
    <!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    A disasterous security bug</a> touches millions of products in the
    Internet of Stings.</p>

    <p>As a result, anyone can sting the user, not only the

  <li id="M202005070">
    <!--#set var="DATE" value='<small class="date-tag">2020-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Wink sells a “smart” home hub that is tethered
    to a server. In May 2020, it ordered the purchasers to start <a
    paying a monthly fee for the use of that server</a>.  Because of the
    tethering, the hub is useless without that.</p>

  <li id="M201912170">
    <!--#set var="DATE" value='<small class="date-tag">2019-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some security breakers (wrongly referred in this article as <a
    managed to interfere the Amazon Ring proprietary system, and <a
    its camera, speakers and microphones</a>.</p>

  <li id="M201911190">
    <!--#set var="DATE" value='<small class="date-tag">2019-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Internet-tethered Amazon Ring had
    a security vulnerability that enabled attackers to <a
    access the user's wifi password</a>, and snoop on the household
    through connected surveillance devices.</p>

    <p>Knowledge of the wifi password would not be sufficient to carry
    out any significant surveillance if the devices implemented proper
    security, including encryption. But many devices with proprietary
    software lack this. Of course, they are also used by their
    manufacturers for snooping.</p>

  <li id="M201909061">
    <!--#set var="DATE" value='<small class="date-tag">2019-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Best Buy made controllable appliances and <a
    shut down the service to control them through</a>.</p>

    <p>While it is laudable that Best Buy recognized it was mistreating
    the customers by doing so, this doesn't alter the facts that
    tethering the device to a particular server is a path to screwing the
    users, and that it is a consequence of having nonfree software in the

  <li id="M201904260">
    <!--#set var="DATE" value='<small class="date-tag">2019-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Jibo robot toys were tethered to the manufacturer's server,
    and <a href="https://www.apnews.com/99c9ec8ebad242ca88178e22c7642648"> href="https://apnews.com/article/san-francisco-north-america-technology-business-ap-top-news-99c9ec8ebad242ca88178e22c7642648">
    the company made them all cease to work</a> by shutting down that

    <p>The shutdown might ironically be good for their users, since the
    product was designed to manipulate people by presenting a phony
    semblance of emotions, and was most certainly spying on them.</p>

  <li id="M201903210">
    <!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Medtronics Conexus Telemetry Protocol has <a
    two vulnerabilities that affect several models of implantable
    defibrillators</a> and the devices they connect to.</p>

    <p>This protocol has been around since 2006, and similar
    vulnerabilities were discovered in an earlier Medtronics communication
    protocol in 2008. Apparently, nothing was done by the company to
    correct them. This means you can't rely on proprietary software
    developers to fix bugs in their products.</p>

  <li id="M201902270">
    <!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Ring (now Amazon) doorbell camera is designed so that the
    manufacturer (now Amazon) can watch all the time. Now it turns out
    that <a
    anyone else can also watch, and fake videos too</a>.</p>

    <p>The third party vulnerability is presumably
    unintentional and Amazon will probably fix it. However, we
    do not expect Amazon to change the design that <a
    Amazon to watch</a>.</p>

  <li id="M201902080">
    <!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The HP <a
    “ink subscription” cartridges have DRM that constantly
    communicates with HP servers</a> to make sure the user is still
    paying for the subscription, and hasn't printed more pages than were
    paid for.</p>

    <p>Even though the ink subscription program may be cheaper in some
    specific cases, it spies on users, and involves totally unacceptable
    restrictions in the use of ink cartridges that would otherwise be in
    working order.</p>

  <li id="M201901100">
    <!--#set var="DATE" value='<small class="date-tag">2019-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Amazon Ring “security” devices <a
    send the video they capture to Amazon servers</a>, which save it

    <p>In many cases, the video shows everyone that comes near, or merely
    passes by, the user's front door.</p>

    <p>The article focuses on how Ring used to let individual employees look
    at the videos freely.  It appears Amazon has tried to prevent that
    secondary abuse, but the primary abuse—that Amazon gets the
    video—Amazon expects society to surrender to.</p>

  <li id="M201901070">
    <!--#set var="DATE" value='<small class="date-tag">2019-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio TVs <a
    collect “whatever the TV sees,”</a> in the own words of the company's
    CTO, and this data is sold to third parties. This is in return for
    “better service” (meaning more intrusive ads?) and slightly
    lower retail prices.</p>

    <p>What is supposed to make this spying acceptable, according to him,
    is that it is opt-in in newer models. But since the Vizio software is
    nonfree, we don't know what is actually happening behind the scenes,
    and there is no guarantee that all future updates will leave the
    settings unchanged.</p>

    <p>If you already own a Vizio “smart” TV (or any “smart” TV, for that
    matter), the easiest way to make sure it isn't spying on you is
    to disconnect it from the Internet, and use a terrestrial antenna
    instead. Unfortunately, this is not always possible. Another option,
    if you are technically oriented, is to get your own router (which can
    be an old computer running completely free software), and set up a
    firewall to block connections to Vizio's servers. Or, as a last resort,
    you can replace your TV with another model.</p>

  <li id="M201810300">
    <!--#set var="DATE" value='<small class="date-tag">2018-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Nearly all “home security cameras” <a
    give the manufacturer an unencrypted copy of everything they
    see</a>. “Home insecurity camera” would be a better

    <p>When Consumer Reports tested them, it suggested that these
    manufacturers promise not to look at what's in the videos. That's not
    security for your home. Security means making sure they don't get to
    see through your camera.</p>

  <li id="M201810150">
    <!--#set var="DATE" value='<small class="date-tag">2018-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Printer manufacturers are very innovative—at blocking the
    use of independent replacement ink cartridges. Their “security
    upgrades” occasionally impose new forms of cartridge DRM. <a
    HP and Epson have done this</a>.</p>

  <li id="M201809260">
    <!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Honeywell's “smart” thermostats communicate
    only through the company's server. They have
    all the nasty characteristics of such devices: <a
    surveillance, and danger of sabotage</a> (of a specific user, or of
    all users at once), as well as the risk of an outage (which is what
    just happened).</p>

    <p>In addition, setting the desired temperature requires running
    nonfree software. With an old-fashioned thermostat, you can do it
    using controls right on the thermostat.</p>

  <li id="M201809240">
    <!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Researchers have discovered how to <a
    hide voice commands in other audio</a>, so that people cannot hear
    them, but Alexa and Siri can.</p>

  <li id="M201807050">
    <!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Jawbone fitness tracker was tethered to a proprietary phone
    app.  In 2017, the company shut down and made the app stop working. <a
    the existing trackers stopped working forever</a>.</p>

    <p>The article focuses on a further nasty fillip, that sales of the
    broken devices continued. But we think that is a secondary issue;
    it made the nasty consequences extend to some additional people.
    The fundamental wrong was to design the devices to depend on something
    else that didn't respect users' freedom.</p>

  <li id="M201804140">
    <!--#set var="DATE" value='<small class="date-tag">2018-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A medical insurance company <a
    offers a gratis electronic toothbrush that snoops on its user by
    sending usage data back over the Internet</a>.</p>

  <li id="M201804010">
    <!--#set var="DATE" value='<small class="date-tag">2018-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some “Smart” TVs automatically <a
    load downgrades that install a surveillance app</a>.</p>

    <p>We link to the article for the facts it presents. It
    is too bad that the article finishes by advocating the
    moral weakness of surrendering to Netflix. The Netflix app <a
    malware too</a>.</p>

  <li id="M201802120">
    <!--#set var="DATE" value='<small class="date-tag">2018-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Apple devices lock users in <a
    solely to Apple services</a> by being designed to be incompatible
    with all other options, ethical or unethical.</p>

  <li id="M201712240">
    <!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>One of the dangers of the “internet of stings”
    is that, if you lose your internet service, you also <a
    lose control of your house and appliances</a>.</p>

    <p>For your safety, don't use any appliance with a connection to the
    real internet.</p>

  <li id="M201711200">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Amazon recently invited consumers to be suckers and <a
    allow delivery staff to open their front doors</a>. Wouldn't you know
    it, the system has a grave security flaw.</p>

  <li id="M201711100">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A remote-control sex toy was found to make <a
    recordings of the conversation between two users</a>.</p>

  <li id="M201711080">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Logitech will sabotage
    all Harmony Link household control devices by <a
    turning off the server through which the products' supposed owners
    communicate with them</a>.</p>

    <p>The owners suspect this is to pressure them to buy a newer model. If
    they are wise, they will learn, rather, to distrust any product that
    requires users to talk with them through some specialized service.</p>

  <li id="M201710040">
    <!--#set var="DATE" value='<small class="date-tag">2017-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Every “home security” camera, if its
    manufacturer can communicate with it, is a surveillance device. <a
    Canary camera is an example</a>.</p>

    <p>The article describes wrongdoing by the manufacturer, based on
    the fact that the device is tethered to a server.</p>

    <p><a href="/proprietary/proprietary-tethers.html">More about
    proprietary tethering</a>.</p>

    <p>But it also demonstrates that the device gives the company
    surveillance capability.</p>

  <li id="M201709200">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A “smart” intravenous pump
    designed for hospitals is connected to the internet. Naturally <a
    its security has been cracked</a>.</p>

    <p><small>(Note that this article misuses the term <a
    referring to crackers.)</small></p>

  <li id="M201708280">
    <!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The bad security in many Internet of Stings devices allows <a
    to snoop on the people that use them</a>.</p>

    <p>Don't be a sucker—reject all the stings.</p>

    <p><small>(It is unfortunate that the article uses the term <a

  <li id="M201708230">
    <!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Sonos <a
    told all its customers, “Agree”
    to snooping or the product will stop working</a>.  <a
    Another article</a> says they won't forcibly change the software, but
    people won't be able to get any upgrades and eventually it will
    stop working.</p>

  <li id="M201708040">
    <!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>While you're using a DJI drone
    to snoop on other people, DJI is in many cases <a
    on you</a>.</p>

  <li id="M201706200">
    <!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many models of Internet-connected cameras
    are tremendously insecure.  They have login
    accounts with hard-coded passwords, which can't be changed, and <a
    is no way to delete these accounts either</a>.</p>

  <li id="M201705250">
    <!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The proprietary code that runs pacemakers,
    insulin pumps, and other medical devices is <a
    href="https://www.bbc.com/news/technology-40042584"> full of gross
    security faults</a>.</p>

  <li id="M201705180">
    <!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Bird and rabbit pets were implemented for Second
    Life by a company that tethered their food to a server.  <a
    It shut down the server and the pets more or less died</a>.</p>

  <li id="M201704190">
    <!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Users are suing Bose for <a
    distributing a spyware app for its headphones</a>.  Specifically,
    the app would record the names of the audio files users listen to
    along with the headphone's unique serial number.</p>

    <p>The suit accuses that this was done without the users' consent.
    If the fine print of the app said that users gave consent for this,
    would that make it acceptable? No way! It should be flat out <a
    href="/philosophy/surveillance-vs-democracy.html"> illegal to design
    the app to snoop at all</a>.</p>

  <li id="M201704120">
    <!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Anova sabotaged users' cooking devices
    with a downgrade that tethered them to a remote server. <a
    users create an account on Anova's servers, their cookers won't

  <li id="M201703270">
    <!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>When Miele's Internet of
    Stings hospital disinfectant dishwasher is <a
    connected to the Internet, its security is crap</a>.</p>

    <p>For example, a cracker can gain access to the dishwasher's
    filesystem, infect it with malware, and force the dishwasher to launch
    attacks on other devices in the network. Since these dishwashers are
    used in hospitals, such attacks could potentially put hundreds of
    lives at risk.</p>

  <li id="M201703140">
    <!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A computerized vibrator <a
    was snooping on its users through the proprietary control app</a>.</p>

    <p>The app was reporting the temperature of the vibrator minute by
    minute (thus, indirectly, whether it was surrounded by a person's
    body), as well as the vibration frequency.</p>

    <p>Note the totally inadequate proposed response: a labeling
    standard with which manufacturers would make statements about their
    products, rather than free software which users could have checked
    and changed.</p>

    <p>The company that made the vibrator <a
    was sued for collecting lots of personal information about how people
    used it</a>.</p>

    <p>The company's statement that it was anonymizing the data may be
    true, but it doesn't really matter. If it had sold the data to a data
    broker, the data broker would have been able to figure out who the
    user was.</p>

    <p>Following this lawsuit, <a
    the company has been ordered to pay a total of C$4m</a> to its

  <li id="M201703070">
    <!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The CIA exploited existing vulnerabilities
    in “smart” TVs and phones to design a malware that <a
    spies through their microphones and cameras while making them appear
    to be turned off</a>. Since the spyware sniffs signals, it bypasses

  <li id="M201702280">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>“CloudPets” toys with microphones <a
    leak childrens' conversations to the manufacturer</a>. Guess what? <a
    Crackers found a way to access the data</a> collected by the
    manufacturer's snooping.</p>

    <p>That the manufacturer and the FBI could listen to these
    conversations was unacceptable by itself.</p>

  <li id="M201702200">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>If you buy a used “smart”
    car, house, TV, refrigerator, etc., usually <a
    previous owners can still remotely control it</a>.</p>

  <li id="M201702060">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio “smart” <a
    report everything that is viewed on them, and not just broadcasts and
    cable</a>. Even if the image is coming from the user's own computer,
    the TV reports what it is. The existence of a way to disable the
    surveillance, even if it were not hidden as it was in these TVs,
    does not legitimize the surveillance.</p>

  <li id="M201701271">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A cracker would be able to <a
    turn the Oculus Rift sensors into spy cameras</a> after breaking into
    the computer they are connected to.</p>

    <p><small>(Unfortunately, the article <a
    href="/philosophy/words-to-avoid.html#Hacker">improperly refers
    to crackers as “hackers”</a>.)</small></p>

  <li id="M201612230">
    <!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>VR equipment, measuring every slight motion,
    creates the potential for the most intimate
    surveillance ever. All it takes to make this potential real <a
    software as malicious as many other programs listed in this

    <p>You can bet Facebook will implement the maximum possible
    surveillance on Oculus Rift devices. The moral is, never trust a VR
    system with nonfree software in it.</p>

  <li id="M201612200">
    <!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The developer of Ham Radio Deluxe <a
    a customer's installation as punishment for posting a negative

    <p>Most proprietary software companies don't use their power so
    harshly, but it is an injustice that they all <em>have</em> such

  <li id="M201612060.1">
    <!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The “smart” toys My Friend Cayla and i-Que can be <a
    controlled with a mobile phone</a>; physical access is not
    necessary. This would enable crackers to listen in on a child's
    conversations, and even speak into the toys themselves.</p>

    <p>This means a burglar could speak into the toys and ask the child
    to unlock the front door while Mommy's not looking.</p>

  <li id="M201609200">
    <!--#set var="DATE" value='<small class="date-tag">2016-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>HP's firmware downgrade <a
    DRM on some printers, which now refuse to function with third-party
    ink cartridges</a>.</p>

  <li id="M201608080">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Ransomware <a
    has been developed for a thermostat that uses proprietary

  <li id="M201605020">
    <!--#set var="DATE" value='<small class="date-tag">2016-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Samsung's “Smart Home” has a big security hole; <a
    unauthorized people can remotely control it</a>.</p>

    <p>Samsung claims that this is an “open” platform so the
    problem is partly the fault of app developers. That is clearly true
    if the apps are proprietary software.</p>

    <p>Anything whose name is “Smart” is most likely going
    to screw you.</p>

  <li id="M201604110">
    <!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Malware was found on <a
    security cameras available through Amazon</a>.</p>

    <p>A camera that records locally on physical media, and has no network
    connection, does not threaten people with surveillance—neither
    by watching people through the camera, nor through malware in the

  <li id="M201604050">
    <!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Revolv is a device that managed “smart home”
    operations: switching lights, operate motion sensors, regulating
    temperature, etc.  Its proprietary software depends on a remote server
    to do these tasks.  On May 15th, 2016, Google/Alphabet <a
    broke it by shutting down the server</a>.</p>

    <p>If it were free software, users would have the ability to make it
    work again, differently, and then have a freedom-respecting home
    instead of a “smart” home. Don't let proprietary software
    control your devices and turn them into $300 out-of-warranty
    bricks. Insist on self-contained computers that run free software!</p>

  <li id="M201603220">
    <!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Over 70 brands of network-connected surveillance cameras have <a
    security bugs that allow anyone to watch through them</a>.</p>

  <li id="M201601100">
    <!--#set var="DATE" value='<small class="date-tag">2016-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The <a
    “Cube” 3D printer was designed with DRM</a>: it
    won't accept third-party printing materials.  It is the Keurig of
    printers.  Now it is being discontinued, which means that eventually
    authorized materials won't be available and the printers may become

    <p>With a <a
    printer that gets the Respects Your Freedom</a>, this problem would
    not even be a remote possibility.</p>

    <p>How pitiful that the author of that article says that there was
    “nothing wrong” with designing the device to restrict
    users in the first place.  This is like putting a “cheat me and
    mistreat me” sign on your chest.  We should know better: we
    should condemn all companies that take advantage of people like him. 
    Indeed, it is the acceptance of their unjust practice that teaches
    people to be doormats.</p>

  <li id="M201512140">
    <!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Philips “smart” lightbulbs had initially been
    designed to interact with other companies' smart light bulbs, but <a
    later the company updated the firmware to disallow

    <p>If a product is “smart”, and you didn't build it,
    it is cleverly serving its manufacturer <em>against you</em>.</p>

  <li id="M201512074">
    <!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    Some D-Link routers</a> have a back door for changing settings in a
    dlink of an eye.</p>

    <p><a href="http://sekurak.pl/tp-link-httptftp-backdoor/"> href="https://sekurak.pl/tp-link-httptftp-backdoor/"> The TP-Link
    router has a back door</a>.</p>

    <p><a href="https://github.com/elvanderb/TCP-32764">Many models of
    routers have back doors</a>.</p>

  <li id="M201511250">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Nest Cam “smart” camera is <a
    href="https://www.bbc.com/news/technology-34922712">always watching</a>,
    even when the “owner” switches it “off.”</p>

    <p>A “smart” device means the manufacturer is using it
    to outsmart you.</p>

  <li id="M201511198">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>ARRIS cable modem has a <a
    back door in the back door</a>.</p>

  <li id="M201511130">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some web and TV advertisements play inaudible
    sounds to be picked up by proprietary malware running
    on other devices in range so as to determine that they
    are nearby.  Once your Internet devices are paired with
    your TV, advertisers can correlate ads with Web activity, and other <a
    cross-device tracking</a>.</p>

  <li id="M201511060">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio goes a step further than other TV
    manufacturers in spying on their users: their <a
    “smart” TVs analyze your viewing habits in detail and
    link them your IP address</a> so that advertisers can track you
    across devices.</p>

    <p>It is possible to turn this off, but having it enabled by default
    is an injustice already.</p>

  <li id="M201511020">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tivo's alliance with Viacom adds 2.3 million households
    to the 600 millions social media profiles the company
    already monitors. Tivo customers are unaware they're
    being watched by advertisers. By combining TV viewing
    information with online social media participation, Tivo can now <a
    correlate TV advertisement with online purchases</a>, exposing all
    users to new combined surveillance by default.</p>

  <li id="M201510210">
    <!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>FitBit fitness trackers have a <a
    Bluetooth vulnerability</a> that allows attackers to send malware
    to the devices, which can subsequently spread to computers and other
    FitBit trackers that interact with them.</p>

  <li id="M201510200">
    <!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>“Self-encrypting” disk drives
    do the encryption with proprietary firmware so you
    can't trust it.  Western Digital's “My Passport” drives <a
    have a back door</a>.</p>

  <li id="M201507240">
    <!--#set var="DATE" value='<small class="date-tag">2015-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio “smart” TVs recognize and <a
    what people are watching</a>, even if it isn't a TV channel.</p>

  <li id="M201506080">
    <!--#set var="DATE" value='<small class="date-tag">2015-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Due to bad security in a drug pump, crackers could use it to <a
    kill patients</a>.</p>

  <li id="M201505290">
    <!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Verizon cable TV <a
    snoops on what programs people watch, and even what they wanted to

  <li id="M201505050">
    <!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Hospira infusion pumps, which are used
    to administer drugs to a patient, were rated “<a
    secure IP device I've ever seen</a>” by a security

    <p>Depending on what drug is being infused, the insecurity could open
    the door to murder.</p>

  <li id="M201504300">
    <!--#set var="DATE" value='<small class="date-tag">2015-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio <a
    used a firmware “upgrade” to make its TVs snoop on what
    users watch</a>.  The TVs did not do that when first sold.</p>

  <li id="M201502180">
    <!--#set var="DATE" value='<small class="date-tag">2015-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Barbie <a
    going to spy on children and adults</a>.</p>

  <li id="M201502090">
    <!--#set var="DATE" value='<small class="date-tag">2015-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Samsung “Smart” TV <a
    transmits users' voice on the internet to another company, Nuance</a>.
    Nuance can save it and would then have to give it to the US or some
    other government.</p>

    <p>Speech recognition is not to be trusted unless it is done by free
    software in your own computer.</p>

    <p>In its privacy policy, Samsung explicitly confirms that <a
    data containing sensitive information will be transmitted to third

  <li id="M201411090">
    <!--#set var="DATE" value='<small class="date-tag">2014-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Amazon “Smart” TV is <a
    snooping all the time</a>.</p>

  <li id="M201409290">
    <!--#set var="DATE" value='<small class="date-tag">2014-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>More or less all “smart” TVs <a
    on their users</a>.</p>

    <p>The report was as of 2014, but we don't expect this has got

    <p>This shows that laws requiring products to get users' formal
    consent before collecting personal data are totally inadequate.
    And what happens if a user declines consent? Probably the TV will
    say, “Without your consent to tracking, the TV will not

    <p>Proper laws would say that TVs are not allowed to report what the
    user watches—no exceptions!</p>

  <li id="M201407170">
    <!--#set var="DATE" value='<small class="date-tag">2014-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="nest-thermometers">Nest thermometers send <a
    href="https://bgr.com/general/google-nest-jailbreak-hack/">a lot of
    data about the user</a>.</p>

  <li id="M201405200.1">
    <!--#set var="DATE" value='<small class="date-tag">2014-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>LG <a
    disabled network features</a> on <em>previously purchased</em>
    “smart” TVs, unless the purchasers agreed to let LG begin
    to snoop on them and distribute their personal data.</p>

  <li id="M201404250">
    <!--#set var="DATE" value='<small class="date-tag">2014-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Lots of <a
    hospital equipment has lousy security</a>, and it can be fatal.</p>

  <li id="M201312290">
    <!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://www.bunniestudios.com/blog/?p=3554"> href="https://www.bunniestudios.com/blog/?p=3554"> Some flash
    memories have modifiable software</a>, which makes them vulnerable
    to viruses.</p>

    <p>We don't call this a “back door” because it is normal
    that you can install a new system in a computer, given physical access
    to it.  However, memory sticks and cards should not be modifiable in
    this way.</p>

  <li id="M201312040">
    <!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    Point-of-sale terminals running Windows were taken over</a> and
    turned into a botnet for the purpose of collecting customers' credit
    card numbers.</p>

  <li id="M201311210">
    <!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Spyware in LG “smart” TVs <a
    reports what the user watches, and the switch to turn this off has
    no effect</a>.  (The fact that the transmission reports a 404 error
    really means nothing; the server could save that data anyway.)</p> 

    <p>Even worse, it <a
    snoops on other devices on the user's local network</a>.</p>

    <p>LG later said it had installed a patch to stop this, but any
    product could spy this way.</p>

  <li id="M201310070">
    <!--#set var="DATE" value='<small class="date-tag">2013-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="bluray"><a
    DVDs and Bluray disks have DRM</a>.</p>

    <p>That page uses spin terms that favor DRM, including <a
    digital “rights” management</a> and <a
    and it claims that “artists” (rather than companies)
    are primarily responsible for putting digital restrictions management
    into these disks.  Nonetheless, it is a reference for the facts.</p>

    <p>Every Bluray disk (with few, rare exceptions) has DRM—so
    don't use Bluray disks!</p>

  <li id="M201309050">
    <!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The FTC punished a company for making webcams with <a
    bad security so that it was easy for anyone to watch through

  <li id="M201308060">
    <!--#set var="DATE" value='<small class="date-tag">2013-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://spritesmods.com/?art=hddhack&page=6">
    Replaceable nonfree software in disk drives can be written by a
    nonfree program</a>. This makes any system vulnerable to persistent
    attacks that normal forensics won't detect.</p>

  <li id="M201307270">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p> It is possible to <a
    kill people by taking control of medical
    implants by radio</a>.  More information in <a
    News</a> and <a
    IOActive Labs Research blog</a>.</p>

  <li id="M201307260">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    “Smart homes”</a> turn out to be stupidly vulnerable to

  <li id="M201307114">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>HP “storage appliances” that
    use the proprietary “Left Hand”
    operating system have back doors that give HP <a
    remote login access</a> to them.  HP claims that this does not
    give HP access to the customer's data, but if the back door allows
    installation of software changes, a change could be installed that
    would give access to the customer's data.</p>

  <li id="M201212290">
    <!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Cisco TNP IP phones are <a
    spying devices</a>.</p>

  <li id="M201212180">
    <!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Samsung “Smart” TVs have <a
    turned Linux into the base for a tyrant system</a> so as to impose
    DRM.  What enables Samsung to do this is that Linux is released
    under GNU GPL version 2, <a
    href="/licenses/rms-why-gplv3.html">not version 3</a>, together with
    a weak interpretation of GPL version 2.</p>

  <li id="M201212170">
    <!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="break-security-smarttv"><a
    Crackers found a way to break security on a “smart” TV</a>
    and use its camera to watch the people who are watching TV.</p>

  <li id="M201210020">
    <!--#set var="DATE" value='<small class="date-tag">2012-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some LG TVs <a
    are tyrants</a>.</p>

<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        README</a>. -->
Please see the <a
README</a> for information on coordinating and contributing translations
of this article.</p>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2016-2021 2016-2022 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2022/07/09 07:37:20 $
<!-- timestamp end -->
</div><!-- for class="inner", starts in the banner include -->