<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.84 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Proprietary Insecurity
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
 <!--#include virtual="/proprietary/po/proprietary-insecurity.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      src="/graphics/icons/side-menu.png"
      title="Section contents"
      alt=" [Section contents] " />
</a>

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By type /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Proprietary Insecurity</h2>

<a href="/proprietary/proprietary.html">Other examples of proprietary malware</a>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>

<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>

<div class="article">
<p>This page lists clearly established cases of insecurity in proprietary
software that has grave consequences or is otherwise
noteworthy.</p>

<p>Even
though most of these security flaws are unintentional, thus are not
malicious functionalities in a strict sense, we report them to show that
proprietary software is not as secure as mainstream media may say.</p>

<p>This doesn't imply that free software is immune to bugs or insecurities.
The difference between free and proprietary software in this respect is
the handling of the bugs: free software users are able to study the
program and/or fix the bugs they find, often in communities as they are
able to share the program, while proprietary program users are forced to
rely on the program's developer for fixes.</p>


<p>If the developer does not care to fix the problem — often the case for
embedded software and old releases — the users are sunk. But if the
developer does send a corrected version, it may contain new malicious
functionalities as well as bug fixes.</p>


<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<div class="column-limit" id="proprietary-insecurity"></div>

<ul class="blurbs">
  <li id="M202108170">
    <!--#set var="DATE" value='<small class="date-tag">2021-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Various models of security cameras, DVRs,
    and baby monitors that run proprietary software <a
    href="https://www.wired.com/story/kalay-iot-bug-video-feeds/">are
    affected by a security vulnerability that could give attackers access
    to live feeds</a>.</p>
  </li>

  <li id="M202107180">
    <!--#set var="DATE" value='<small class="date-tag">2021-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">
    The Pegasus spyware used vulnerabilities on proprietary smartphone
    operating systems</a> to impose surveillance on people. It can record
    people's calls, copy their messages, and secretly film them, using a
    security vulnerability. There's also <a
    href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf">
 	a technical analysis of this spyware</a> available in PDF format.</p>

    <p>A free operating system would've let people fix the bugs for
    themselves but now infected people will be compelled to wait for corporations to
    fix the problems.</p>

    <p><small>Please note that the article
    wrongly refers to crackers as “<a
    href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
  </li>

  <li id="M202107090">
    <!--#set var="DATE" value='<small class="date-tag">2021-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A newly found Microsoft Windows vulnerability <a
    href="https://edition.cnn.com/2021/07/08/tech/microsoft-windows-10-printnightmare/">
    can allow crackers to remotely gain access to the operating system</a>
    and install programs, view and delete data, or even create new user
    accounts with full user rights.</p>

    <p>The security research firm accidentally leaked instructions on
    how the flaw could be exploited but Windows users should still wait
    for Microsoft to fix the flaw, if they fix it.</p>

    <p><small>Please note that the article
    wrongly refers to crackers as “<a
    href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
  </li>

  <li id="M202106030">
    <!--#set var="DATE" value='<small class="date-tag">2021-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/">TikTok
    apps collect biometric identifiers and biometric information from
    users' smartphones</a>. The company behind it does whatever it wants
    and collects whatever data it can.</p>
  </li>

  <li id="M202105240">
    <!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://www.cpomagazine.com/data-privacy/icloud-data-turned-over-to-chinese-government-conflicts-with-apples-privacy-first-focus/">Apple
    is moving its Chinese customers' iCloud data to a datacenter controlled
    by the Chinese government</a>. Apple is already storing the encryption
    keys on these servers, obeying Chinese authority, making all Chinese
    user data available to the government.</p>
  </li>

  <li id="M202105040">
    <!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A motorcycle company named Klim is selling airbag
    vests with different payment methods, one of them is through a <a
    href="https://www.vice.com/en/article/93yyyd/this-motorcycle-airbag-vest-will-stop-working-if-you-miss-a-payment">proprietary
    subscription-based option that will block the vest from inflating if
    the payments don't go through</a>.</p>

    <p>They say there is a 30-day grace period if you miss a payment
    but the grace period is no excuse for the insecurity.</p>
  </li>

  <li id="M202105030">
    <!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The United States' government is reportedly considering <a
    href="https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/">teaming
    up with private companies to monitor American citizens' private online
    activity and digital communications</a>.</p>

    <p>What creates the opportunity to try this is the fact that these
    companies are already snooping on users' private activities. That
    in turn is due to people's use of nonfree software which snoops,
    and online dis-services which snoop.</p>
  </li>

  <li id="M202104090">
    <!--#set var="DATE" value='<small class="date-tag">2021-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A zero-day vulnerability in Zoom which <a
    href="https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/">can
    be used to launch remote code execution (RCE) attacks</a> has been
    disclosed by researchers. The researchers demonstrated a three-bug
    attack chain that caused an RCE on a target machine, all this without
    any form of user interaction.</p>
  </li>

  <li id="M202103090">
    <!--#set var="DATE" value='<small class="date-tag">2021-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams">Over 150 thousand security cameras that used Verkada
    company's proprietary software are cracked</a> by a major security
    breach. Crackers have had access to security archives of various
    gyms, hospitals, jails, schools, and police stations that have used
    Verkada's cameras.</p>

    <p><a href="/philosophy/surveillance-vs-democracy.html">It is injustice
    to the public</a> for gyms, stores, hospitals, jails, and schools to
    hand “security” footage to a company from which the government can
    collect it at any time, without even telling them.</p>

    <p><small>Please note that the article
    wrongly refers to crackers as “<a
    href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
  </li>

  <li id="M202103050">
    <!--#set var="DATE" value='<small class="date-tag">2021-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>At least 30 thousand organizations
    in the United States are newly “<a
    href="/philosophy/words-to-avoid.html#Hacker">cracked</a>” via <a
    href="https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/">holes
    in Microsoft's proprietary email software, named Microsoft 365</a>. It
    is unclear whether there are other holes and vulnerabilities in the
    program or not but history and experience tell us it wouldn't be
    the last disaster with proprietary programs.</p>
  </li>

  <li id="M202102110">
    <!--#set var="DATE" value='<small class="date-tag">2021-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Researchers at the security firm SentinelOne discovered a <a
    href="https://www.wired.com/story/windows-defender-vulnerability-twelve-years/">security
    flaw in proprietary program Microsoft Windows Defender that lurked
    undetected for 12 years</a>. If the program was free (as in freedom),
    more people would have had a chance to notice the problem, therefore,
    it could've been fixed a lot sooner.</p>
  </li>

  <li id="M202101110">
    <!--#set var="DATE" value='<small class="date-tag">2021-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A cracker <a
    href="https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom">took
    control of people's internet-connected chastity cages and demanded
    ransom</a>. The chastity cages are being controlled by a proprietary
    app (mobile program).</p>

    <p><small>(Please note that the article
    wrongly refers to crackers as "<a
    href="/philosophy/words-to-avoid.html#Hacker">hackers</a>".)</small></p>
  </li>

  <li id="M202012200">
    <!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Commercial crackware can <a
    href="https://www.theguardian.com/technology/2020/dec/20/iphones-vulnerable-to-hacking-tool-for-months-researchers-say">
    get passwords out of an iMonster</a>, use the microphone and camera,
    and other things.</p>
  </li>

  <li id="M202012190">
    <!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://www.washingtonpost.com/technology/2020/12/18/zoom-helped-china-surveillance/">
    A Zoom executive carried out snooping and censorship for
    China</a>.</p>

    <p>This abuse of Zoom's power shows how dangerous that power is. The
    root problem is not the surveillance and censorship, but rather the
    power that Zoom has. It gets that power partly from the use of its
    server, but also partly from the nonfree client program.</p>
  </li>

  <li id="M202012150">
    <!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>United States officials are facing
    one of the biggest crackings against them in years, when <a
    href="https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department">malicious
    code was sneaked into SolarWinds' proprietary software named
    Orion</a>. Crackers got access to networks when users downloaded
    a tainted software update. Crackers were able to monitor internal
    emails at some of the top agencies in the US.</p>

    <p><small>(Please note that the article
    wrongly refers to crackers as "<a
    href="/philosophy/words-to-avoid.html#Hacker">hackers</a>".)</small></p>
  </li>

  <li id="M202012070">
    <!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Baidu apps were <a
    href="https://www.zdnet.com/article/baidus-android-apps-caught-collecting-sensitive-user-details/">
    caught collecting sensitive personal data</a> that can be used for
    lifetime tracking of users, and putting them in danger. More than 1.4
    billion people worldwide are affected by these proprietary apps, and
    users' privacy is jeopardized by this surveillance tool. Data collected
    by Baidu may be handed over to the Chinese government, possibly
    putting Chinese people in danger.</p>
  </li>

  <li id="M202011120">
    <!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Apple has <a
    href="https://sneak.berlin/20201112/your-computer-isnt-yours">implemented
    a malware in its computers that imposes surveillance</a> on users
    and reports users' computing to Apple.</p>

    <p>The reports are even unencrypted and they've been leaking this
    data for two years already. This malware is reporting to Apple what
    user opens what program at what time. It also gives Apple
    power to sabotage users' computing.</p>
  </li>

  <li id="M202010120">
    <!--#set var="DATE" value='<small class="date-tag">2020-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Samsung is forcing its smartphone users in Hong Kong (and Macau) <a
    href="https://blog.headuck.com/2020/10/12/samsung-phones-force-mainland-china-dns-service-upon-hong-kong-wifi-users/">to
    use a public DNS in Mainland China</a>, using a software update released
    in September 2020, which causes much unease and privacy concerns.</p>
  </li>

  <li id="M202008110">
    <!--#set var="DATE" value='<small class="date-tag">2020-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>TikTok <a
    href="https://boingboing.net/2020/08/11/tiktok-exploited-android-secur.html">
    exploited an Android vulnerability</a> to obtain user MAC
    addresses.</p>
  </li>

  <li id="M202006160">
    <!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://www.wired.com/story/ripple20-iot-vulnerabilities/?bxid=5bd66d4c2ddf9c619437e4b8&cndid=9608804&esrc=Wired_etl_load&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_bran%5C">
    A disastrous security bug</a> touches millions of products in the
    Internet of Stings.</p>

    <p>As a result, anyone can sting the user, not only the
    manufacturer.</p>
  </li>

  <li id="M202004270">
    <!--#set var="DATE" value='<small class="date-tag">2020-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The proprietary program Microsoft Teams' insecurity <a
    href="https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-whole-companys-microsoft-teams-data-couldve-been-stolen-with-an-evil-gif">could
    have let a malicious GIF steal user data from Microsoft Teams
    accounts</a>, possibly across an entire company, and taken control
    of “an organization's entire roster of Teams accounts.”</p>
  </li>

  <li id="M202004150">
    <!--#set var="DATE" value='<small class="date-tag">2020-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Riot Games' new anti-cheat is malware; <a
    href="https://www.extremetech.com/gaming/309320-riot-games-new-anti-cheat-system-runs-at-system-boot-uses-kernel-driver">runs
    on system boot at kernel level</a> on Windows. It is insecure software
    that increases the attack surface of the operating system.</p>
  </li>

  <li id="M201912170">
    <!--#set var="DATE" value='<small class="date-tag">2019-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some security breakers (wrongly referred to in this article as <a
    href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>)
    managed to interfere with the Amazon Ring proprietary system, and <a
    href="https://www.theguardian.com/technology/2019/dec/13/ring-hackers-reportedly-watching-talking-strangers-in-home-cameras">access
    its camera, speakers and microphones</a>.</p>
  </li>

  <li id="M201911190">
    <!--#set var="DATE" value='<small class="date-tag">2019-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Internet-tethered Amazon Ring had
    a security vulnerability that enabled attackers to <a
    href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password">
    access the user's wifi password</a>, and snoop on the household
    through connected surveillance devices.</p>

    <p>Knowledge of the wifi password would not be sufficient to carry
    out any significant surveillance if the devices implemented proper
    security, including encryption. But many devices with proprietary
    software lack this. Of course, they are also used by their
    manufacturers for snooping.</p>
  </li>

  <li id="M201908310">
    <!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A series of vulnerabilities <a
    href="https://www.forbes.com/sites/gordonkelly/2019/08/31/apple-iphone-ipad-security-ios-upgrade-iphone-xs-max-xr-update/">found
    in iOS allowed attackers to gain access to sensitive information
    including private messages, passwords, photos and contacts stored on
    the user's iMonster</a>.</p>

    <p>The deep insecurity of iMonsters is even more pertinent given that
    Apple's proprietary software makes users totally dependent on Apple
    for even a modicum of security.  It also means that the devices do
    not even try to offer security against Apple itself.</p>
  </li>

  <li id="M201908020">
    <!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Out of 21 gratis Android antivirus apps
    that were tested by security researchers, eight <a
    href="https://www.comparitech.com/antivirus/android-antivirus-vulnerabilities/">
    failed to detect a test virus</a>. All of them asked for dangerous
    permissions or contained advertising trackers, with seven being more
    risky than the average of the 100 most popular Android apps.</p>

    <p><small>(Note that the article refers to these proprietary apps as
    “free”. It should have said “gratis”
    instead.)</small></p>
  </li>

  <li id="M201907080">
    <!--#set var="DATE" value='<small class="date-tag">2019-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many Android apps can track
    users' movements even when the user says <a
    href="https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location">
    not to allow them access to locations</a>.</p>

    <p>This involves an apparently unintentional weakness in Android,
    exploited intentionally by malicious apps.</p>
  </li>

  <li id="M201905150">
    <!--#set var="DATE" value='<small class="date-tag">2019-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Users caught in the jail of an iMonster are <a
    href="https://boingboing.net/2019/05/15/brittle-security.html"> sitting
    ducks for other attackers</a>, and the app censorship prevents security
    companies from figuring out how those attacks work.</p>

    <p>Apple's censorship of apps is fundamentally unjust, and would be
    inexcusable even if it didn't lead to security threats as well.</p>
  </li>

  <li id="M201903210">
    <!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Medtronics Conexus Telemetry Protocol has <a
    href="http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/">
    two vulnerabilities that affect several models of implantable
    defibrillators</a> and the devices they connect to.</p>

    <p>This protocol has been around since 2006, and similar
    vulnerabilities were discovered in an earlier Medtronics communication
    protocol in 2008. Apparently, nothing was done by the company to
    correct them. This means you can't rely on proprietary software
    developers to fix bugs in their products.</p>
  </li>

  <li id="M201902270">
    <!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The Ring (now Amazon) doorbell camera is designed so that the
    manufacturer (now Amazon) can watch all the time. Now it turns out
    that <a
    href="https://web.archive.org/web/20190918024432/https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/">
    anyone else can also watch, and fake videos too</a>.</p>

    <p>The third party vulnerability is presumably
    unintentional and Amazon will probably fix it. However, we
    do not expect Amazon to change the design that <a
    href="/proprietary/proprietary-surveillance.html#M201901100">allows
    Amazon to watch</a>.</p>
  </li>

  <li id="M201809240">
    <!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Researchers have discovered how to <a
    href="http://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co">
    hide voice commands in other audio</a>, so that people cannot hear
    them, but Alexa and Siri can.</p>
  </li>

  <li id="M201808130">
    <!--#set var="DATE" value='<small class="date-tag">2018-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Since the beginning of 2017, <a
    href="https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/">Android
    phones have been collecting the addresses of nearby cellular
    towers</a>, even when location services are disabled, and sending
    that data back to Google.</p>
  </li>

  <li id="M201808120">
    <!--#set var="DATE" value='<small class="date-tag">2018-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Crackers found a way to break the security of an Amazon device,
    and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html">
    turn it into a listening device</a> for them.</p>

    <p>It was very difficult for them to do this. The job would be much
    easier for Amazon. And if some government such as China or the US
    told Amazon to do this, or cease to sell the product in that country,
    do you think Amazon would have the moral fiber to say no?</p>

    <p><small>(These crackers are probably hackers too, but please <a
    href="https://stallman.org/articles/on-hacking.html"> don't use
    “hacking” to mean “breaking security”</a>.)</small></p>
  </li>

  <li id="M201807100">
    <!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Siri, Alexa, and all the other voice-control systems can be <a
    href="https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa">
    hijacked by programs that play commands in ultrasound that humans
    can't hear</a>.</p>
  </li>

  <li id="M201807020">
    <!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some Samsung phones randomly <a
    href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages">send
    photos to people in the owner's contact list</a>.</p>
  </li>

  <li id="M201712240">
    <!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>One of the dangers of the “internet of stings”
    is that, if you lose your internet service, you also <a
    href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/">
    lose control of your house and appliances</a>.</p>

    <p>For your safety, don't use any appliance with a connection to the
    real internet.</p>
  </li>

  <li id="M201711204">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Intel's intentional “management engine” back door has <a
    href="https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/">
    unintended back doors</a> too.</p>
  </li>

  <li id="M201711200">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Amazon recently invited consumers to be suckers and <a
    href="https://www.techdirt.com/articles/20171120/10533238651/vulnerability-fo">
    allow delivery staff to open their front doors</a>. Wouldn't you know
    it, the system has a grave security flaw.</p>
  </li>

  <li id="M201709290">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Bad security in some cars makes it possible to <a
    href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937">
    remotely activate the airbags</a>.</p>
  </li>

  <li id="M201709200">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A “smart” intravenous pump
    designed for hospitals is connected to the internet. Naturally <a
    href="https://www.techdirt.com/articles/20170920/09450338247/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack.shtml">
    its security has been cracked</a>.</p>

    <p><small>(Note that this article misuses the term <a
    href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>
    referring to crackers.)</small></p>
  </li>

  <li id="M201708280">
    <!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The bad security in many Internet of Stings devices allows <a
    href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml">ISPs
    to snoop on the people that use them</a>.</p>

    <p>Don't be a sucker—reject all the stings.</p>

    <p><small>(It is unfortunate that the article uses the term <a
    href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p>
  </li>

  <li id="break-security-smarttv">
  <p><a
	href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html">
      Crackers found a way to break security on a “smart” TV</a> and use its camera
      to watch the people who are watching TV.</p>
</li>
  <li id="M201706200.1">
    <!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many models of Internet-connected cameras <a
    href="/proprietary/proprietary-back-doors.html#InternetCameraBackDoor">
    have backdoors</a>.</p>

    <p>That is a malicious functionality, but in addition it
    is a gross insecurity since anyone, including malicious crackers, <a
    href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">can
    find those accounts and use them to get into users' cameras</a>.</p>
  </li>

  <li id="M201706050">
    <!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="intel-me-10-year-vulnerability">Intel's
    CPU backdoor—the Intel Management Engine—had a <a
    href="https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/">major
    security vulnerability for 10 years</a>.</p>

    <p>The vulnerability allowed a cracker to access
    the computer's Intel Active Management Technology (AMT) <a
    href="https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/">
    web interface with an empty password and gave administrative
    access</a> to access the computer's keyboard, mouse, monitor among
    other privileges.</p>

    <p>It does not help that in newer Intel processors, it is impossible
    to turn off the Intel Management Engine. Thus, even users who are
    proactive about their security can do nothing to protect themselves
    besides using machines that don't come with the backdoor.</p>
  </li>

  <li id="M201705250">
    <!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The proprietary code that runs pacemakers,
    insulin pumps, and other medical devices is <a
    href="http://www.bbc.co.uk/news/technology-40042584"> full of gross
    security faults</a>.</p>
  </li>

  <li id="M201705160">
    <!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Conexant HD Audio Driver Package (version 1.0.0.46 and earlier)
    pre-installed on 28 models of HP laptops logged the user's keystrokes
    to a file in the filesystem. Any process with access to the filesystem
    or the MapViewOfFile API could gain access to the log. Furthermore, <a
    href="https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt">according
    to modzero</a> the “information-leak via Covert Storage Channel
    enables malware authors to capture keystrokes without taking the risk
    of being classified as malicious task by AV
    heuristics”.</p>
  </li>

  <li id="M201705120">
    <!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Exploits of bugs in Windows, which were developed by the NSA
    and then leaked by the Shadowbrokers group, are now being used to <a
    href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/">attack
    a great number of Windows computers with ransomware</a>.</p>
  </li>

  <li id="M201704050">
    <!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many Android devices <a
    href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/">
    can be hijacked through their Wi-Fi chips</a> because of a bug in
    Broadcom's non-free firmware.</p>
  </li>

  <li id="M201703270">
    <!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>When Miele's Internet of
    Stings hospital disinfectant dishwasher is <a
    href="https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit">
    connected to the Internet, its security is crap</a>.</p>

    <p>For example, a cracker can gain access to the dishwasher's
    filesystem, infect it with malware, and force the dishwasher to launch
    attacks on other devices in the network. Since these dishwashers are
    used in hospitals, such attacks could potentially put hundreds of
    lives at risk.</p>
  </li>
  <li id="M201703070">
    <!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The CIA exploited existing vulnerabilities
    in “smart” TVs and phones to design a malware that <a
    href="https://www.independent.co.uk/life-style/gadgets-and-tech/news/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html">
    spies through their microphones and cameras while making them appear
    to be turned off</a>. Since the spyware sniffs signals, it bypasses
    encryption.</p>
  </li>

  <li id="M201702200">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>If you buy a used “smart”
    car, house, TV, refrigerator, etc., usually <a
    href="http://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the
    previous owners can still remotely control it</a>.</p>
  </li>

  <li id="M201702170">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The mobile apps for communicating <a
    href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
    a smart but foolish car have very bad security</a>.</p>

    <p>This is in addition to the fact that the car contains a cellular
    modem that tells big brother all the time where it is.  If you own
    such a car, it would be wise to disconnect the modem so as to turn
    off the tracking.</p>
  </li>

  <li id="M201701271">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A cracker would be able to <a
    href="https://uploadvr.com/hackable-webcam-oculus-sensor-be-aware/">
    turn the Oculus Rift sensors into spy cameras</a> after breaking into
    the computer they are connected to.</p>

    <p><small>(Unfortunately, the article <a
    href="/philosophy/words-to-avoid.html#Hacker">improperly refers
    to crackers as “hackers”</a>.)</small></p>
  </li>

  <li id="M201701270">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Samsung phones <a
    href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have
    a security hole that allows an SMS message to install
    ransomware</a>.</p>
  </li>

  <li id="M201701130">
    <!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>WhatsApp has a feature that <a
    href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/">
    has been described as a “back door”</a> because it would
    enable governments to nullify its encryption.</p>

    <p>The developers say that it wasn't intended as a back door, and that
    may well be true. But that leaves the crucial question of whether it
    functions as one. Because the program is nonfree, we cannot check by
    studying it.</p>
  </li>

  <li id="M201612060.1">
    <!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The “smart” toys My Friend Cayla and i-Que can be <a
    href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">remotely
    controlled with a mobile phone</a>; physical access is not
    necessary. This would enable crackers to listen in on a child's
    conversations, and even speak into the toys themselves.</p>

    <p>This means a burglar could speak into the toys and ask the child
    to unlock the front door while Mommy's not looking.</p>
  </li>

  <li id="M201610230">
    <!--#set var="DATE" value='<small class="date-tag">2016-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>4G LTE phone networks are drastically insecure. They can be <a
    href="https://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/">
    taken over by third parties and used for man-in-the-middle
    attacks</a>.</p>
  </li>

  <li id="M201608110">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Due to weak security, <a
    href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it
    is easy to open the doors of 100 million cars built by
    Volkswagen</a>.</p>
  </li>

  <li id="M201608080">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Ransomware <a
    href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/">
    has been developed for a thermostat that uses proprietary
    software</a>.</p>
  </li>

  <li id="M201608020">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A <a
    href="http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/">flaw
    in Internet Explorer and Edge</a> allows an attacker to retrieve
    Microsoft account credentials, if the user is tricked into visiting
    a malicious link.</p>
  </li>

  <li id="M201607290">
    <!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted”
    WhatsApp messages are not entirely deleted</a>. They can be recovered
    in various ways.</p>
  </li>

  <li id="M201607220">
    <!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A vulnerability in Apple's Image I/O API allowed an attacker to <a
    href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple">execute
    malicious code from any application which uses this API to render a
    certain kind of image file</a>.</p>
  </li>

  <li id="M201607190">
    <!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A bug in a proprietary ASN.1 library, used
    in cell phone towers as well as cell phones and routers, <a
    href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover">allows
    taking control of those systems</a>.</p>
  </li>

  <li id="M201606290">
    <!--#set var="DATE" value='<small class="date-tag">2016-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Antivirus programs have so many errors that <a
    href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374">they
    may make security worse</a>.</p>

    <p>GNU/Linux does not need antivirus software.</p>
  </li>

  <li id="M201605020">
    <!--#set var="DATE" value='<small class="date-tag">2016-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Samsung's “Smart Home” has a big security hole; <a
    href="http://arstechnica.com/security/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/">
    unauthorized people can remotely control it</a>.</p>

    <p>Samsung claims that this is an “open” platform so the
    problem is partly the fault of app developers. That is clearly true
    if the apps are proprietary software.</p>

    <p>Anything whose name is “Smart” is most likely going
    to screw you.</p>
  </li>

  <li id="M201604120">
    <!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A bug in the iThings Messages app <a
    href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/">allowed
    a malicious web site to extract all the user's messaging
    history</a>.</p>
  </li>

  <li id="M201604110">
    <!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Malware was found on <a
    href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html">
    security cameras available through Amazon</a>.</p>

    <p>A camera that records locally on physical media, and has no network
    connection, does not threaten people with surveillance—neither
    by watching people through the camera, nor through malware in the
    camera.</p>
  </li>

  <li id="M201603220">
    <!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Over 70 brands of network-connected surveillance cameras have <a
    href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">
    security bugs that allow anyone to watch through them</a>.</p>
  </li>

  <li id="M201603100">
    <!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Many proprietary payment apps <a
    href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">transmit
    personal data in an insecure way</a>. However,
    the worse aspect of these apps is that <a
    href="/philosophy/surveillance-vs-democracy.html">payment is not
    anonymous</a>.</p>
  </li>

  <li id="M201602240">
    <!--#set var="DATE" value='<small class="date-tag">2016-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="nissan-modem">The Nissan Leaf has a built-in
    cell phone modem which allows effectively anyone to <a
    href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">
    access its computers remotely and make changes in various
    settings</a>.</p>

    <p>That's easy to do because the system has no authentication
    when accessed through the modem.  However, even if it asked
    for authentication, you couldn't be confident that Nissan
    has no access.  The software in the car is proprietary, <a
    href="/philosophy/free-software-even-more-important.html">which means
    it demands blind faith from its users</a>.</p>

    <p>Even if no one connects to the car remotely, the cell phone modem
    enables the phone company to track the car's movements all the time;
    it is possible to physically remove the cell phone modem, though.</p>
  </li>

  <li id="M201602110">
    <!--#set var="DATE" value='<small class="date-tag">2016-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A pacemaker running proprietary code <a
    href="https://www.wired.com/2016/02/i-want-to-know-what-code-is-running-inside-my-body/">was
    misconfigured and could have killed the implanted person</a>. In order
    to find out what was wrong and get it fixed, the person needed to break
    into the remote device that sets parameters in the pacemaker (possibly
    infringing upon manufacturer's rights under the DMCA). If this system
    had run free software, it could have been fixed much sooner.</p>
  </li>

  <li id="M201510210">
    <!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>FitBit fitness trackers have a <a
    href="http://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/">
    Bluetooth vulnerability</a> that allows attackers to send malware
    to the devices, which can subsequently spread to computers and other
    FitBit trackers that interact with them.</p>
  </li>

  <li id="M201510200">
    <!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>“Self-encrypting” disk drives
    do the encryption with proprietary firmware so you
    can't trust it.  Western Digital's “My Passport” drives <a
    href="https://www.vice.com/en/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption">
    have a back door</a>.</p>
  </li>

  <li id="M201508120">
    <!--#set var="DATE" value='<small class="date-tag">2015-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Security researchers discovered a <a
    href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text">
    vulnerability in diagnostic dongles used for vehicle tracking and
    insurance</a> that let them take remote control of a car or lorry
    using an SMS.</p>
  </li>

  <li id="M201507214">
    <!--#set var="DATE" value='<small class="date-tag">2015-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Crackers were able to <a
    href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">
    take remote control of the Jeep</a> “connected car”. They
    could track the car, start or stop the engine, and activate or
    deactivate the brakes, and more.</p>

    <p>We expect that Chrysler and the NSA can do this too.</p>

    <p>If you own a car that contains a phone modem, it would be a good
    idea to deactivate this.</p>
  </li>

  <li id="M201506080">
    <!--#set var="DATE" value='<small class="date-tag">2015-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Due to bad security in a drug pump, crackers could use it to <a
    href="http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/">
    kill patients</a>.</p>
  </li>

  <li id="M201505294">
    <!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html">
    Many smartphone apps use insecure authentication methods when storing
    your personal data on remote servers</a>. This leaves personal
    information like email addresses, passwords, and health information
    vulnerable. Because many of these apps are proprietary it makes it
    hard to impossible to know which apps are at risk.</p>
  </li>

  <li id="M201505050">
    <!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Hospira infusion pumps, which are used
    to administer drugs to a patient, were rated “<a
    href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/">least
    secure IP device I've ever seen</a>” by a security researcher.</p>

    <p>Depending on what drug is being infused, the insecurity could open
    the door to murder.</p>
  </li>

  <li id="M201504090">
    <!--#set var="DATE" value='<small class="date-tag">2015-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Mac OS X had an <a
    href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/">
    intentional local back door for 4 years</a>, which could be exploited
    by attackers to gain root privileges.</p>
  </li>

  <li id="M201405190">
    <!--#set var="DATE" value='<small class="date-tag">2014-05</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>An app to prevent “identity theft”
    (access to personal data) by storing users' data on a special server <a
    href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was
    deactivated by its developer</a> which had discovered a security
    flaw.</p>

    <p>That developer seems to be conscientious about protecting personal
    data from third parties in general, but it can't protect that data
    from the state.  Quite the contrary: confiding your data to someone
    else's server, if not first encrypted by you with free software,
    undermines your rights.</p>
  </li>

  <li id="M201404250">
    <!--#set var="DATE" value='<small class="date-tag">2014-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Lots of <a
    href="http://www.wired.com/2014/04/hospital-equipment-vulnerable/">
    hospital equipment has lousy security</a>, and it can be fatal.</p>
  </li>

  <li id="M201402210">
    <!--#set var="DATE" value='<small class="date-tag">2014-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The <a
    href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity
    of WhatsApp</a> makes eavesdropping a snap.</p>
  </li>

  <li id="M201312290">
    <!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://www.bunniestudios.com/blog/?p=3554"> Some flash
    memories have modifiable software</a>, which makes them vulnerable
    to viruses.</p>

    <p>We don't call this a “back door” because it is normal
    that you can install a new system in a computer, given physical access
    to it.  However, memory sticks and cards should not be modifiable in
    this way.</p>
  </li>

  <li id="M201312040">
    <!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/">
    Point-of-sale terminals running Windows were taken over</a> and
    turned into a botnet for the purpose of collecting customers' credit
    card numbers.</p>
  </li>

  <li id="M201311120">
    <!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
    The NSA can tap data in smart phones, including iPhones,
    Android, and BlackBerry</a>.  While there is not much
    detail here, it seems that this does not operate via
    the universal back door that we know nearly all portable
    phones have. It may involve exploiting various bugs.  There are <a
    href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">
    lots of bugs in the phones' radio software</a>.</p>
  </li>

  <li id="M201309054">
    <!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security">The
    NSA has put back doors into nonfree encryption software</a>. We don't
    know which ones they are, but we can be sure they include some widely
    used systems.  This reinforces the point that you can never trust
    the security of nonfree software.</p>
  </li>

  <li id="M201309050">
    <!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The FTC punished a company for making webcams with <a
    href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html">
    bad security so that it was easy for anyone to watch through
    them</a>.</p>
  </li>

  <li id="M201308060">
    <!--#set var="DATE" value='<small class="date-tag">2013-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a href="http://spritesmods.com/?art=hddhack&page=6">
    Replaceable nonfree software in disk drives can be written by a
    nonfree program</a>. This makes any system vulnerable to persistent
    attacks that normal forensics won't detect.</p>
  </li>

  <li id="M201307270">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p> It is possible to <a
    href="http://siliconangle.com/blog/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/">
    kill people by taking control of medical
    implants by radio</a>.  More information in <a
    href="http://www.bbc.co.uk/news/technology-17631838">BBC
    News</a> and <a
    href="https://ioactive.com/broken-hearts-how-plausible-was-the-homeland-pacemaker-hack/">
    IOActive Labs Research blog</a>.</p>
  </li>

  <li id="M201307260">
    <!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/">
    “Smart homes”</a> turn out to be stupidly vulnerable to
    intrusion.</p>
  </li>

  <li id="M201212170">
    <!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="break-security-smarttv"><a
    href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html">
    Crackers found a way to break security on a “smart” TV</a>
    and use its camera to watch the people who are watching TV.</p>
  </li>

  <li id="M201103110">
    <!--#set var="DATE" value='<small class="date-tag">2011-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>It is possible to <a
    href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/">
    take control of some car computers through malware in music files</a>.
    Also <a
    href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0">
    by radio</a>. More information in <a
    href="http://www.autosec.org/faq.html"> Automotive Security And
    Privacy Center</a>.</p>
  </li>
</ul>
</div>

</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        &lt;web-translators@gnu.org&gt;</a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2013, 2015-2021 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2021/11/09 09:06:04 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>