<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.83 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
<title>Proprietary Back Doors - GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
 <!--#include virtual="/proprietary/po/proprietary-back-doors.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      title="Section contents"
      alt=" [Section contents] " />

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By type /
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Proprietary Back Doors</h2>

<p><a href="/proprietary/proprietary.html">Other examples of proprietary malware</a></p>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>


<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />

<div class="article">
<p>Some malicious functionalities are mediated by <a
href="/proprietary/proprietary.html#f1">back doors</a>.  Here are
examples of demonstrated programs that contain one or several of those, classified
according to what the back door is known to have the power to do.
Back doors that allow full control over the programs which contain them
are said to be “universal.”</p>

<div class="important">
<p>If you know of an example that ought to be in proprietary software.</p>

<!-- WEBMASTERS: make sure this page but isn't
here, please write
to place new items <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>

<div id="TOC" class="toc-inline">
<h3>Back-door functionalities</h3>
  <li><a href="#spy">Spying</a></li>
  <li><a href="#alter-data">Altering user's data or settings</a></li>
  <li><a href="#install-delete">Installing, deleting or disabling programs</a></li>
  <li><a href="#universal">Full control</a></li>
  <li><a href="#other">Other/undefined</a></li>

<h3 id='spy'>Spying</h3>

<ul class="blurbs">
  <li id="M202008030">
    <!--#set var="DATE" value='<small class="date-tag">2020-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Google Nest <a
    is taking over ADT</a>. Google sent out a software
    update to its speaker devices using their back door <a
    href="https://www.protocol.com/google-smart-speaker-alarm-adt"> that
    listens for things like smoke alarms</a> and then notifies your phone
    that an alarm is happening. This means the devices now listen for more
    than just their wake words. Google says the software update was sent
    out prematurely and on top under each subsection accident and Google was planning on disclosing
    this new feature and offering it to customers who pay for it.</p>

  <li id="M201706200.2">
    <!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="InternetCameraBackDoor">Many models of Internet-connected
    cameras contain a glaring backdoor—they back door—they have login
    accounts with hard-coded passwords, which can't be changed, and <a
    there is no way to delete these accounts either</a>.
    </p> either</a>.</p>

    <p>Since these accounts with hard-coded passwords are impossible
    to delete, this problem is not merely an insecurity; it amounts to
    backdoor back door that can be used by the manufacturer (and
    government) to spy on users.</p>

    <p>Vizio “smart”

  <li id="M201701130">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>WhatsApp has a feature that <a href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen">have
    has been described as a universal back door</a>.</p>

    <li><p>The Amazon Echo appears “back door”</a> because it would
    enable governments to have nullify its encryption.</p>

    <p>The developers say that it wasn't intended as a universal back door, since
      <a href="https://en.wikipedia.org/wiki/Amazon_Echo#Software_updates">
      it installs “updates” automatically</a>.</p>
    <p>We have found nothing explicitly documenting and that
    may well be true. But that leaves the lack crucial question of any way to
      disable remote changes to whether it
    functions as one. Because the software, so program is nonfree, we are not completely sure
      there isn't one, but it seems pretty clear.</p> cannot check by
    studying it.</p>

  <li id="chrome-erase-addons"><p>Chrome id="M201512280">
    <!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Microsoft has a back door <a href="https://consumerist.com/2017/01/18/why-is-google-blocking-this-ad-blocker-on-chrome/">for
    remote erasure of add-ons</a>.</p>
    backdoored its disk encryption</a>.</p>


  <li id="M201409220">
    <!--#set var="DATE" value='<small class="date-tag">2014-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Apple can, and regularly does, <a
    remotely extract some data from iPhones for the state</a>.</p>

    <p>This may have improved with <a href="https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages">has
    iOS 8 security improvements</a>; but <a
    not as much as Apple claims</a>.</p>

<h3 id='alter-data'>Altering user's data or settings</h3>

<ul class="blurbs">
  <li id="M202109220">
    <!--#set var="DATE" value='<small class="date-tag">2021-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some Xiaomi phones <a
    a malfeature to bleep out phrases that express political views
    China does not like</a>. In phones sold in Europe, Xiaomi leaves
    this deactivated by default, but has a back door to activate the

    <p>This is the natural result of having nonfree software in a device
    that can communicate with the company can use that made it.</p>

  <li id="M201905060">
    <!--#set var="DATE" value='<small class="date-tag">2019-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>BlizzCon 2019 imposed a <a
    requirement to read run a proprietary phone app</a> to be allowed into
    the plaintext
        of messages</a>.</p> event.</p>

    <p>This should not come as app is a surprise. Nonfree software spyware that can snoop on a lot of
    sensitive data, including user's location and contact list, and has <a
    near-complete control</a> over the phone.</p>

  <li id="M201809140">
    <!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Android has a <a
    back door for
          encryption is never trustworthy.</p> remotely changing “user” settings</a>.</p>

    <p>The article suggests it might be a universal back door, but this
    isn't clear.</p>

  <li id="M201607284">
    <!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Dropbox app for Macintosh <a
    takes control of user interface items after luring the user into
    entering an admin password</a>.</p>


  <li id="M201604250">
    <!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A pregnancy test controller application not only can <a href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security">spy
    spy on many sorts of data in the phone, and in server accounts,
    it can alter them too</a>.</p>

        <p>Xiaomi phones come with <a href="https://www.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered">a

  <li id="M201512074">
    <!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    Some D-Link routers</a> have a back door in the application processor, for
           Xiaomi's use</a>.</p>

        <p>This is separate from <a href="#universal-back-door-phone-modem">the
           universal back door changing settings in the modem processor that the local
           phone company can use</a>.</p>

    <li><p>Capcom's Street Fighter V update <a href="https://web.archive.org/web/20160930051146/http://www.theregister.co.uk/2016/09/23/capcom_street_fighter_v/">installed a driver that can be used as a backdoor by any application
        installed on
    dlink of an eye.</p>

    <p><a href="https://sekurak.pl/tp-link-httptftp-backdoor/"> The TP-Link
    router has a Windows computer</a>.</p> back door</a>.</p>

    <p><a href="https://github.com/elvanderb/TCP-32764">Many models of
    routers have back doors</a>.</p>

    <li><p>The Dropbox app for Macintosh

  <li id="M201511244">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Google has long had <a href="http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/">takes
        total control of the machine by repeatedly nagging the user
    back door to remotely unlock an admini password</a>.</p> Android device</a>, unless its disk
    is encrypted (possible since Android 5.0 Lollipop, but still not
    quite the default).</p>

  <li id="universal-back-door-phone-modem"><p>The universal id="M201511194">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Caterpillar vehicles come with <a
    a back door in portable phones <a
    employed to listen through their microphones</a>.</p>
    <p>More about <a href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">the nature of this problem</a>.</p> shutoff the engine</a> remotely.</p>
  <li><p><a href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/">
      Microsoft has already backdoored its disk encryption</a>.</p></li>


  <li id="M201509160">
    <!--#set var="DATE" value='<small class="date-tag">2015-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Modern gratis game cr…apps <a href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/">
    collect a wide range of data about their users and their users'
    friends and associates</a>.</p>

    <p>Even nastier, they do it through ad networks that merge the data
    collected by various cr…apps and sites made by different

    <p>They use this data to manipulate people to buy things, and hunt for
    “whales” who can be led to spend a lot of money. They also
    use a back door to manipulate the game play for specific players.</p>

    <p>While the article describes gratis games, games that cost money
    can use the same tactics.</p>
    <p>Dell computers, shipped

  <li id="M201403120.1">
    <!--#set var="DATE" value='<small class="date-tag">2014-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="samsung"><a
    Samsung Galaxy devices running proprietary Android versions come with Windows, had
    a bogus root
      certificate back door</a> that
      <a href="http://fossforce.com/2015/11/dell-comcast-intel-who-knows-who-else-are-out-to-get-you/">allowed
      anyone (not just Dell) to remotely authorize any software provides remote access to
      run</a> the files stored on
    the computer.</p> device.</p>
    <p>Baidu's proprietary Android library, Moplus,

  <li id="M201210220">
    <!--#set var="DATE" value='<small class="date-tag">2012-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="swindle-eraser">The Amazon
    Kindle-Swindle has a back door that <a href="https://www.eff.org/deeplinks/2015/11/millions-android-devices-vulnerable-remote-hijacking-baidu-wrote-code-google-made">can
      “upload files” as well as forcibly install
    <p>It is used by 14,000 Android applications.</p>
<li><p>ARRIS cable modem has a been used to <a href="https://w00tsec.blogspot.de/2015/11/arris-cable-modem-has-backdoor-in.html?m=1">
  backdoor in
    remotely erase books</a>.  One of the backdoor</a>.</p>
  <li><p>Caterpillar vehicles come with
     <a href="http://www.zerohedge.com/news/2015-11-19/caterpillar-depression-has-never-been-worse-it-has-cunning-plan-how-deal-it">a back-door books erased was
    <cite>1984</cite>, by George Orwell.</p>

    <p>Amazon responded to shutoff criticism by saying it
    would delete books only following orders from the engine</a>
Mac OS X had an
    state.  However, that policy didn't last.  In 2012 it <a href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/">
intentional local
    wiped a user's Kindle-Swindle and deleted her account</a>, then
    offered her kafkaesque “explanations.”</p>

    <p>Do other ebook readers have back doors in their nonfree software? We
    don't know, and we have no way to find out.  There is no reason to
    assume that they don't.</p>

  <li id="M201011220">
    <!--#set var="DATE" value='<small class="date-tag">2010-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The iPhone has a back door for 4 years</a>.

<li><p>Users reported that <a 
    Microsoft was forcing them to replace Windows 7 and 8 with all-spying 
    Windows 10</a>.</p>

    <p>Microsoft was in fact
    remote wipe</a>.  It's not always enabled, but users are led into
    enabling it without understanding.</p>

<h3 id='install-delete'>Installing, deleting or disabling programs</h3>

<ul class="blurbs">
  <li id="M202208220">
    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla <a 
    attacking computers
    sells an add-on software feature that run Windows 7 and 8</a>, switching drivers are not   allowed
    to use</a>.</p>

    <p>This practice depends on a flag 
    that said whether back door, which is unjust in
    itself. Asking users to “upgrade” buy something years in advance to Windows 10 when users 
    had turned it off.</p>

    <p>Later on, Microsoft published instructions on avoid having
    to pay an even higher price later is manipulative.</p>

  <li id="M202110130">
    <!--#set var="DATE" value='<small class="date-tag">2021-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Adobe <a 
    licensed its Flash Player to permanently reject China's Zhong Cheng Network</a> who is
    offering the downgrade to Windows 10</a>.</p>

    <p>This seems program bundled with spyware and a back door that can
    remotely deactivate it.</p>

    <p>Adobe is responsible for this since they gave Zhong Cheng
    Network permission to involve do this.  This injustice involves “misuse” of
    the DMCA, but “proper,” intended use of the DMCA is a back door in Windows 7 and 8.</p> much bigger
    injustice.  There is <a href="/philosophy/right-to-read.html">a series
    of errors related to DMCA</a>.</p>

<p>Most mobile phones

  <li id="M202108240">
    <!--#set var="DATE" value='<small class="date-tag">2021-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Recent Samsung TVs have a universal back door, door with which has been used to Samsung can <a href="http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html">
    brick them malicious</a>.
</p> remotely</a>.</p>


  <li id="M202106190">
    <!--#set var="DATE" value='<small class="date-tag">2021-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://www.theguardian.com/technology/2014/dec/18/chinese-android-phones-coolpad-hacker-backdoor">
A Chinese version of
    automatically installed an app on many proprietary Android phones</a>. The app
    might or might not do malicious things but the power Google has over proprietary
    Android phones is dangerous.</p>

  <li id="M202012020">
    <!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Adobe Flash Player <a
    has a universal back door</a>. Nearly all
models of mobile phones door</a> which lets Adobe control
    the software and, for example, disable it whenever it
    wants. Adobe will block Flash content from running in Flash Player
    beginning January 12, 2021, which indicates that they have access to
    every Flash Player through a universal back door.</p>

    <p>The back door won't be dangerous in the modem chip. So
why did Coolpad bother future, as it'll disable
    a proprietary program and make users delete the software, but it
    was an injustice for many years. Users should have deleted Flash Player
    even before its end of life.</p>

  <li id="M202007020">
    <!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>BMW is trying to introduce another? Because this one <a
    certain features of its cars, and force people to pay to use part of
    the car they already bought</a>. This is controlled
by Coolpad.

<p>Microsoft Windows has done through forced update
    of the car software via a universal radio-operated back door through which door.</p>

  <li id="M201908270">
    <!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A very popular app found in the
    Google Play store contained a module that was designed to <a href="https://web.archive.org/web/20071011010707/http://informationweek.com/news/showArticle.jhtml?articleID=201806263">
any change whatsoever can be imposed
    install malware on the users</a>.
<p>More information on when
<a href="http://slated.org/windows_by_stealth_the_updates_you_dont_want">
this was used</a>.
<p>In Windows 10, user's computer</a>. The app developers
    regularly used it to make the universal back door computer download and execute any code
    they wanted.</p>

    <p>This is no longer hidden; all
“upgrades” will a concrete example of what users are exposed to when they
    run nonfree apps. They can never be <a href="http://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/">forcibly
and immediately imposed</a>.
</p> completely sure that a nonfree
    app is safe.</p>

<li><p>German government <a href="https://web.archive.org/web/20160310201616/http://drleonardcoldwell.com/2013/08/23/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/">veers
away from Windows 8 computers with TPM 2.0 due

  <li id="M201907100">
    <!--#set var="DATE" value='<small class="date-tag">2019-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Apple appears to potential say that <a
    there is a back door capabilities of in MacOS</a> for automatically updating some
    (all?) apps.</p>

    <p>The specific change described in the TPM 2.0 chip</a>.</p> article was not
    malicious—it protected users from surveillance by third
    parties—but that is a separate question.</p>

<p>The iPhone

  <li id="M201811100">
    <!--#set var="DATE" value='<small class="date-tag">2018-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Corel Paintshop Pro has a <a
    back door
<a href="http://www.telegraph.co.uk/technology/3358134/Apples-Jobs-confirms-iPhone-kill-switch.html"> that allows Apple to remotely delete apps</a> which Apple considers
“inappropriate”.  Jobs said it's ok for Apple can make it cease to have this power
because function</a>.</p>

    <p>The article is full of course confusions, errors and biases that we can trust Apple.

<p>The iPhone has have
    an obligation to expose, given that we are making a link to them.</p>

    <li>Getting a patent does not “enable” a company to do
    any particular thing in its products. What it does enable the company
    to do is sue other companies if they do some particular thing in
    their products.</li>

    <li>A company's policies about when to attack users through a back
    door for are beside the point. Inserting the back door is wrong in the
    first place, and using the back door is always wrong too. No software
    developer should have that power over users.</li>

    href="/philosophy/words-to-avoid.html#Piracy">Piracy</a>” means
    attacking ships. Using that word to refer to sharing copies is a smear;
    please don't smear sharing.</li>

    <li><p>The idea of “protecting our IP” is
    total confusion. The term “IP” itself is a <a href="http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone">
remote wipe</a>.
    href="/philosophy/not-ipr.html">bogus generalization about things
    that have nothing in common</a>.</p>

    <p>In addition, to speak of “protecting” that bogus
    generalization is a separate absurdity. It's not always enabled, but users like calling the cops
    because neighbors' kids are led into enabling playing on your front yard, and saying
    that you're “protecting the boundary line”. The kids can't do harm
    to the boundary line, not even with a jackhammer, because it without understanding.

  <p>Apple can, is an
    abstraction and regularly does, can't be affected by physical action.</p></li>

  <li id="M201804010">
    <!--#set var="DATE" value='<small class="date-tag">2018-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some “Smart” TVs automatically <a href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/">
  remotely extract some data from iPhones
    load downgrades that install a surveillance app</a>.</p>

    <p>We link to the article for the state</a>.
  <p>This may have improved with facts it presents. It
    is too bad that the article finishes by advocating the
    moral weakness of surrendering to Netflix. The Netflix app <a href="http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html">
  iOS 8 security improvements</a>; but
    malware too</a>.</p>

  <li id="M201511090">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Baidu's proprietary Android library, Moplus, has a back door that <a href="https://firstlook.org/theintercept/2014/09/22/apple-data/">
    can “upload files” as much well as Apple claims</a>.</p> forcibly install

    <p>It is used by 14,000 Android applications.</p>

<p><a href="http://www.computerworld.com/article/2500036/desktop-apps/microsoft--we-can-remotely-delete-windows-8-apps.html">

  <li id="M201112080">
    <!--#set var="DATE" value='<small class="date-tag">2011-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p> In addition to its <a href="#windows-update">universal back
    door</a>, Windows 8 also has a back door for <a
    remotely deleting apps</a>.

You apps</a>.</p>

    <p>You might well decide to let a security service that you trust
    remotely <em>deactivate</em> programs that it considers malicious.
    But there is no excuse for <em>deleting</em> the programs, and you
    should have the right to decide who whom (if anyone) to trust in this way.

As these pages show, if you do want to clean your computer of malware,
the first software to delete is Windows or iOS.


  <li id="M201103070">
    <!--#set var="DATE" value='<small class="date-tag">2011-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>In Android, <a href="http://www.computerworld.com/article/2506557/security0/google-throws--kill-switch--on-android-phones.html">
    Google has a back door to remotely delete apps.</a> apps</a>. (It is was in a
    program called GTalkService).

<p> GTalkService, which seems since then to have been
    merged into Google Play.)</p>

    <p>Google can also <a
    forcibly and remotely install apps</a> through GTalkService (which
seems, since that article, to have been merged into Google Play). GTalkService.  This is
    not equivalent to a universal back door, but permits various dirty tricks.


    <p>Although Google's <em>exercise</em> of this power has not been
    malicious so far, the point is that nobody should have such power,
    which could also be used maliciously.  You might well decide to
    let a security service remotely <em>deactivate</em> programs that
    it considers malicious.  But there is no excuse for allowing it to
    <em>delete</em> the programs, and you should have the right to decide
    who (if anyone) to trust in this way.
</p> way.</p>

<p><a id="samsung"
Samsung Galaxy devices running proprietary Android versions come

  <li id="M200808110">
    <!--#set var="DATE" value='<small class="date-tag">2008-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The iPhone has a back door <a
    that allows Apple to remotely delete apps</a> which Apple considers
    “inappropriate”.  Jobs said it's OK for Apple to have
    this power because of course we can trust Apple.</p>

<h3 id='universal'>Full control</h3>

<ul class="blurbs">
  <li id="M202111201">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>NordicTrack, a company that sells
    exercise machines with ability to show videos <a
    what people can watch, and recently disabled a feature</a> that was
    originally functional. This happened through automatic update and
    probably involved a universal back
door</a> door.</p>

  <li id="M202106220">
    <!--#set var="DATE" value='<small class="date-tag">2021-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Peloton company which produces treadmills recently <a
    people out of basic features of people's treadmills by a software
    update</a>. The company now asks people for a membership/subscription
    for what people already paid for.</p>

    <p>The software used in the treadmill is proprietary and probably
    includes back doors to force software updates. It teaches the lesson
    that provides remote access if a product talks to external networks, you must expect it to
    take in new malware.</p>

    <p>Please note that the files stored on company behind this product said they
    are working to reverse the device.
</p> changes so people will no longer need
    subscription to use the locked feature.</p>

    <p>Apparently public anger made the company back down. If we want that
    to be our safety, we need to build up the anger against malicious
    features (and the proprietary software that is their entry path)
    to the point that even the most powerful companies don't dare.</p>


  <li id="M202102180">
    <!--#set var="DATE" value='<small class="date-tag">2021-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Microsoft is <a
    removing the Flash player from computers running Windows 10</a>, using
    <a href="/proprietary/proprietary-back-doors.html#windows-update">a
    universal backdoor in Windows</a>.</p>

    <p>The Amazon Kindle-Swindle has a back door fact that Flash has been used to <a href="http://pogue.blogs.nytimes.com/2009/07/17/some-e-books-are-more-equal-than-others/">
remotely erase books</a>.  One
    by Adobe</a> is no excuse for this abuse of power. The nature of
    proprietary software, such as Microsoft Windows, gives the books erased was 1984, developers
    power to impose their decisions on users. Free software on the other
    hand empowers users to make their own decisions.</p>

  <li id="M202011230">
    <!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some Wavelink and JetStream wifi routers have
    universal back doors that enable unauthenticated
    users to remotely control not only the routers, but
    also any devices connected to the network. There is evidence that <a
    this vulnerability is actively exploited</a>.</p>

    <p>If you consider buying a router, we encourage you to get one
    that <a href="https://ryf.fsf.org/categories/routers">runs on free
    software</a>. Any attempts at introducing malicious functionalities in
    it (e.g., through a firmware update) will be detected by George Orwell.

<p>Amazon responded the community,
    and soon corrected.</p>

    <p>If unfortunately you own a router that runs on
    proprietary software, don't panic! You may be able to criticism
    replace its firmware with a free operating system such as <a
    href="https://librecmc.org">libreCMC</a>. If you don't know how,
    you can get help from a nearby GNU/Linux user group.</p>

  <li id="M202011060">
    <!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A new app published by saying Google <a
    banks and creditors deactivate people's Android devices</a> if they
    fail to make payments. If someone's device gets deactivated, it would delete books only
following orders from will
    be limited to basic functionality, such as emergency calling and
    access to settings.</p>

  <li id="M202007010">
    <!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>BMW will remotely <a
    enable and disable functionality in cars</a> through a universal
    back door.</p>

  <li id="M202004130">
    <!--#set var="DATE" value='<small class="date-tag">2020-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The <a href="https://play.google.com/about/play-terms/">
    Google Play Terms of Service</a> insist that the state.  However, user of Android accept
    the presence of universal back doors in apps released by Google.</p>

    <p>This does not tell us whether any of Google's apps currently
    contains a universal back door, but that policy didn't last. is a secondary question.
    In 2012
it moral terms, demanding that people accept in advance certain bad
    treatment is equivalent to actually doing it.  Whatever condemnation
    the latter deserves, the former deserves the same.</p>

  <li id="M202001090">
    <!--#set var="DATE" value='<small class="date-tag">2020-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Android phones subsidized by the US government come with <a href="http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html">wiped
a user's Kindle-Swindle
    preinstalled adware and deleted her account</a>, then offered her
kafkaesque “explanations.”</p> a back door for forcing installation of

    <p>The Kindle-Swindle also has adware is in a modified version of an
    essential system configuration app. The back door is a
    surreptitious addition to a program whose stated purpose is to be a <a href="http://www.amazon.com/gp/help/customer/display.html?nodeId=200774090">
    universal back door</a>.
</p> door for firmware</a>.</p>

    <p>In other words, a program whose raison d'ĂȘtre is malicious has
    a secret secondary malicious purpose. All this is in addition to the
    malware of Android itself.</p>

<p>HP “storage appliances”

  <li id="M201910130.1">
    <!--#set var="DATE" value='<small class="date-tag">2019-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Chinese Communist Party's <a
    “Study the Great Nation” app</a> was found to contain <a
    a back-door allowing developers to run any code they wish</a> in the
    users' phone, as “superusers.”</p>

    <p>Note: The <a
    Washington Post version of the article</a> (partly obfuscated, but
    readable after copy-pasting in a text editor) includes a clarification
    saying that use the proprietary
“Left Hand” tests were only performed on the Android version
    of the app, and that, according to Apple, “this kind of
    ‘superuser’ surveillance could not be conducted on
    Apple's operating system have system.”</p>

  <li id="M201908220">
    <!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>ChromeBooks are programmed for obsolescence:
    ChromeOS has a universal back doors door that give
HP is used for updates and <a href="http://news.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/">
remote login access</a>
    ceases to them.  HP claims that this does not give HP operate at a predefined date</a>. From then on, there
    appears to be no support whatsoever for the computer.</p>

    <p>In other words, when you stop getting screwed by the back door,
    you start getting screwed by the obsolescence.</p>

  <li id="M201902011">
    <!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The FordPass Connect feature of some Ford vehicles has <a
    near-complete access to the customer's internal car network</a>. It is constantly
    connected to the cellular phone network and sends Ford a lot of data, but if
    including car location. This feature operates even when the back door allows installation ignition
    key is removed, and users report that they can't disable it.</p>

    <p>If you own one of these cars, have you succeeded in breaking the
    connectivity by disconnecting the cellular modem, or wrapping the
    antenna in aluminum foil?</p>

  <li id="M201812300">
    <!--#set var="DATE" value='<small class="date-tag">2018-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>New GM cars <a
    offer the feature of
software changes, a change universal back door</a>.</p>

    <p>Every nonfree program offers the user zero security against its
    developer. With this malfeature, GM has explicitly made things even

  <li id="M201711244">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Furby Connect has a <a
    universal back door</a>. If the product as shipped doesn't act as a
    listening device, remote changes to the code could be installed surely convert it
    into one.</p>

  <li id="M201711010">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Sony has brought back its robotic pet Aibo, this time <a
    with a universal back door, and tethered to a server that requires
    a subscription</a>.</p>

  <li id="M201709090.1">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla used software to limit the part of the battery
    that was available to customers in some cars, and <a
    a universal back door in the software</a> to temporarily increase
    this limit.</p>

    <p>While remotely allowing car “owners” to use the
    whole battery capacity did not do them any harm, the same back
    door would give access permit Tesla (perhaps under the command of some
    government) to remotely order the
customer's data.
</p> car to use none of its battery. Or
    perhaps to drive its passenger to a torture prison.</p>

<p><a href="http://www.itworld.com/article/2705284/data-protection/backdoor-found-in-d-link-router-firmware-code.html">
Some D-Link routers</a>

  <li id="M201702060.1">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Vizio “smart” TVs <a
    have a universal back door</a>.</p>

  <li id="M201609130">
    <!--#set var="DATE" value='<small class="date-tag">2016-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Xiaomi phones come with <a
    a universal back door in the application processor, for changing settings Xiaomi's

    <p>This is separate from <a href="#universal-back-door-phone-modem">the
    universal back door in the modem processor that the local phone
    company can use</a>.</p>

  <li id="M201608171">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="windows-update">Microsoft
    Windows has a dlink
of an eye.

<p> universal back door through which <a href="https://github.com/elvanderb/TCP-32764">Many models of router
    any change whatsoever can be imposed on the users</a>.</p>

    <p>This was <a
    reported in 2007</a> for XP and Vista, and it seems
    that Microsoft used the same method to push the <a
    Windows 10 downgrade</a> to computers running Windows 7 and 8.</p>

    <p>In Windows 10, the universal back door
    is no longer hidden; all “upgrades” will be <a
    forcibly and immediately imposed</a>.</p>

  <li id="M201606060">
    <!--#set var="DATE" value='<small class="date-tag">2016-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Amazon Echo appears to have a universal back doors</a>.</p> door, since <a
    it installs “updates” automatically</a>.</p>

    <p>We have found nothing explicitly documenting the lack of any way
    to disable remote changes to the software, so we are not completely
    sure there isn't one, but this seems pretty clear.</p>


  <li id="M201412180">
    <!--#set var="DATE" value='<small class="date-tag">2014-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://sekurak.pl/tp-link-httptftp-backdoor/">
The TP-Link router
    A Chinese version of Android has a backdoor</a>.</p> universal back door</a>. Nearly
    all models of mobile phones have a <a href="#universal-back-door-phone-modem">
    universal back door in the modem chip</a>. So why did Coolpad bother
    to introduce another? Because this one is controlled by Coolpad.</p>


  <li id="M201311300">
    <!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    Some applications come with MyFreeProxy, which is a universal back door
    door</a> that can download programs and run them.</a>
</p> them.</p>

  <li id="M201202280">
    <!--#set var="DATE" value='<small class="date-tag">2012-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>ChromeOS has a universal back
    door. At least, Google says it does—in <a
    section 4 of the EULA</a>.</p>

  <li id="M200700000.1">
    <!--#set var="DATE" value='<small class="date-tag">[2007]</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>In addition to its <a href="#swindle-eraser">book
    eraser</a>, the Kindle-Swindle has a <a
    universal back door</a>.</p>

  <li id="M200612050">
    <!--#set var="DATE" value='<small class="date-tag">2006-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="universal-back-door-phone-modem">Almost every phone's communication
    processor has a universal back door which is <a
    often used to make a phone transmit all conversations it hears</a>. See
    <a href="/proprietary/malware-mobiles.html#universal-back-door-phone-modem">Malware
    in Mobile Devices</a> for more info.</p>

<h3 id='other'>Other or undefined</h3>

<ul class="blurbs">
  <li id="M201711204">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Intel's intentional “management engine” back door has <a
    unintended back doors</a> too.</p>

  <li id="M201609240">
    <!--#set var="DATE" value='<small class="date-tag">2016-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A Capcom's Street Fighter V update <a
    installed a driver that could be used as a back door by
    any application installed on a Windows computer</a>, but was <a
    immediately rolled back</a> in response to public outcry.</p>

  <li id="M201511260">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Dell computers, shipped with
    Windows, had a bogus root certificate that <a
    allowed anyone (not just Dell) to remotely authorize any software to
    run</a> on the computer.</p>

  <li id="M201511198">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>ARRIS cable modem has a <a
    back door in the back door</a>.</p>

  <li id="M201510200">
    <!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>“Self-encrypting” disk drives
    do the encryption with proprietary firmware so you
    can't trust it.  Western Digital's “My Passport” drives <a
    have a back door</a>.</p>

  <li id="M201504090">
    <!--#set var="DATE" value='<small class="date-tag">2015-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Mac OS X had an <a
    intentional local back door for 4 years</a>, which could be exploited
    by attackers to gain root privileges.</p>

  <li id="M201309110">
    <!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Here is a big problem whose details are still secret.</p>

<p><a href="http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/"> secret: <a
    The FBI asks lots of companies to put back doors in proprietary programs.
    programs</a>. We don't know of specific cases where this was done,
    but every proprietary program for encryption is a possibility.</p>

  <li id="M201308230">
    <!--#set var="DATE" value='<small class="date-tag">2013-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The German government <a
    away from Windows 8 computers with TPM 2.0</a> (<a
    article in German</a>), due to potential back
    door capabilities of the TPM 2.0 chip.</p>

  <li id="M201307300">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Here is a suspicion that
    we can't prove, but is worth thinking

<p><a href="http://web.archive.org/web/20150206003913/http://www.afr.com/p/technology/intel_chips_could_be_nsa_key_to_ymrhS1HS1633gCWKt5tFtI"> about: <a
    Writable microcode for Intel and AMD microprocessors</a> may be a
    vehicle for the NSA to invade computers, with the help of Microsoft,
    say respected security experts.
</p> experts.</p>

  <li id="M201307114">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>HP “storage appliances” that
    use the proprietary “Left Hand”
    operating system have back doors that give HP <a
    remote login access</a> to them.  HP claims that this does not
    give HP access to the customer's data, but if the back door allows
    installation of software changes, a change could be installed that
    would give access to the customer's data.</p>

<div class="column-limit"></div>

<p>The EFF has other examples of the <a href="https://www.eff.org/deeplinks/2015/02/who-really-owns-your-drones">use
use of back doors</a>.</p>

</div><!-- for id="content", starts in the include above

<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer"> id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">

        <p>For information on coordinating and submitting contributing translations of
        our web pages, see <a
        README</a>. -->
Please see the <a
README</a> for information on coordinating and submitting contributing translations
of this article.</p>

<p>Copyright © 2014-2017 2014-2022 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
Commons Attribution-NoDerivatives Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2022/08/28 07:32:03 $
<!-- timestamp end -->
</div><!-- for class="inner", starts in the banner include -->