<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please do not edit <ul class="blurbs">! Instead, edit /proprietary/workshop/mal.rec, then regenerate pages. See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<title>Proprietary Insecurity - GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
<style type="text/css" media="screen,print"><!--
#uefi-rootkit { padding: 0 2em 1.5em; border-radius: 1em; margin: 2em 0; }
--></style>
<!--#include virtual="/proprietary/po/proprietary-insecurity.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
<img id="side-menu-icon" height="32" src="/graphics/icons/side-menu.png" title="Section contents" alt=" [Section contents] " />
</a>
<p class="breadcrumb">
<a href="/"><img src="/graphics/icons/home.png" height="24" alt="GNU Home" title="GNU Home" /></a> / <a href="/proprietary/proprietary.html">Malware</a> / By type /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Proprietary Insecurity</h2>
<a href="/proprietary/proprietary.html">Other examples of proprietary malware</a>
<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; <a href="/philosophy/free-software-even-more-important.html">that is the basic injustice</a>.
The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.</p>
<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>
<div class="article">
<p>This page lists clearly established cases of insecurity in proprietary software that has grave consequences or is otherwise noteworthy. Even though most of these security flaws are unintentional, and thus are not malicious functionalities in a strict sense, we report them to show that proprietary software is not as secure as mainstream media may say.</p>
<p>This doesn't imply that free software is immune to bugs or insecurities. The difference between free and proprietary software in this respect is the handling of the bugs: free software users are able to study the program and/or fix the bugs they find, often in communities, since they are able to share the program, while proprietary program users are forced to rely on the program's developer for fixes.</p>
<p>If the developer does not care to fix the problem — often the case for embedded software and old releases — the users are sunk. But if the developer does send a corrected version, it may contain new malicious functionalities as well as bug fixes.</p>
<div class="important">
<p>If you know of an example that ought to be in this page but isn't here, please write to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.</p>
</div>
<div id="uefi-rootkit" class="emph-box">
<h3>UEFI-induced vulnerability</h3>
<p>UEFI makes computers <a href="https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/"> vulnerable to advanced persistent threats</a> that are almost impossible to detect once installed. Here are <a href="https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/"> technical details</a>.</p>
<p>Kaspersky discovered this example by chance, but is unable to check in general for the presence of such rootkits in computers.</p>
<p>Nonfree software does not make your computer secure—it does the opposite: it prevents you from trying to secure it. UEFI is a nonfree program required for booting which is impossible to replace; in effect, a low-level rootkit. All the things that Intel has done to make its power over you secure against you also protect UEFI-level rootkits against you.</p>
<p>Instead of allowing Intel, AMD, Apple and perhaps ARM to impose security through tyranny, we should legislate to require them to allow users to install their choice of startup software, and make available the information needed to develop such. Think of this as right-to-repair at the initialization stage.</p>
</div>
<div class="column-limit" id="proprietary-insecurity"></div>
<ul class="blurbs">
<li id="M202211301">
<!--#set var="DATE" value='<small class="date-tag">2022-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Hackers discovered <a href="https://samcurry.net/web-hackers-vs-the-auto-industry/"> dozens of flaws in the security (in the usual narrow sense) of many brands of automobiles</a>.</p>
<p>Security in the usual narrow sense means security against unknown third parties. We are more concerned with security in the broader sense—against the manufacturer as well as against unknown third parties. It is clear that each of these vulnerabilities can be exploited by the manufacturer too, and by any government that can threaten the manufacturer enough to compel the manufacturer's cooperation.</p>
</li>
<li id="M202210140">
<!--#set var="DATE" value='<small class="date-tag">2022-10</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.bleepingcomputer.com/news/security/microsoft-office-365-email-encryption-could-expose-message-content/"> Microsoft Office encryption is weak</a>, and susceptible to attack.</p>
<p>Encryption is a tricky field, and easy to mess up. It is wise to insist on encryption software that is (1) free software and (2) studied by experts.</p>
</li>
<li id="M202208240">
<!--#set var="DATE" value='<small class="date-tag">2022-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A security researcher found that the iOS in-app browser of TikTok <a href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows"> injects keylogger-like JavaScript code into outside web pages</a>. This code has the ability to track all users' activities, and to retrieve any personal data that is entered on the pages. We have no way of verifying TikTok's claim that the keylogger-like code only serves purely technical functions. Some of the accessed data could well be saved to the company's servers, and even shared with third parties. This would open the door to extensive surveillance, including by the Chinese government (to which TikTok has indirect ties). There is also a risk that the data would be stolen by crackers, and used to launch malware attacks.</p>
<p>The iOS in-app browsers of Instagram and Facebook behave essentially the same way as TikTok's. The main difference is that Instagram and Facebook allow users to access third-party sites with their default browser, whereas <a href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/"> TikTok makes it nearly impossible</a>.</p>
<p>The researcher didn't study the Android versions of in-app browsers, but we have no reason to assume they are safer than the iOS versions.</p>
<p><small>Please note that the article wrongly refers to crackers as “hackers.”</small></p>
</li>
<li id="M202202090">
<!--#set var="DATE" value='<small class="date-tag">2022-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A security failure in Microsoft's Windows is <a href="https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/">infecting people's computers with RedLine stealer malware</a> using a fake Windows 11 upgrade installer.</p>
</li>
<li id="M202201040">
<!--#set var="DATE" value='<small class="date-tag">2022-01</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A critical bug in Apple's iOS makes it possible for attackers to alter a shutdown event, <a href="https://blog.zecops.com/research/persistence-without-persistence-meet-the-ultimate-persistence-bug-noreboot/">tricking the user into thinking that the phone has been powered off</a>. But in fact, it's still running, and the user can't feel any difference between a real shutdown and the fake shutdown.</p>
</li>
<li id="M202111200">
<!--#set var="DATE" value='<small class="date-tag">2021-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Hundreds of Tesla drivers <a href="https://www.theguardian.com/technology/2021/nov/20/tesla-app-outage-elon-musk-apologises">were locked out of their cars as a result of Tesla's app suffering from an outage</a>, which happened because the app is tethered to the company's servers.</p>
</li>
<li id="M202111110">
<!--#set var="DATE" value='<small class="date-tag">2021-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Some researchers at Google <a href="https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users">found a zero-day vulnerability on MacOS, which crackers used to target people visiting the websites</a> of a media outlet and a pro-democracy labor and political group in Hong Kong.</p>
<p><small>Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<li id="M202108170">
<!--#set var="DATE" value='<small class="date-tag">2021-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Various models of security cameras, DVRs, and baby monitors that run proprietary software <a href="https://www.wired.com/story/kalay-iot-bug-video-feeds/">are affected by a security vulnerability that could give attackers access to live feeds</a>.</p>
</li>
<li id="M202107180">
<!--#set var="DATE" value='<small class="date-tag">2021-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones"> The Pegasus spyware used vulnerabilities on proprietary smartphone operating systems</a> to impose surveillance on people. It can record people's calls, copy their messages, and secretly film them, using a security vulnerability. There's also <a href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"> a technical analysis of this spyware</a> available in PDF format.</p>
<p>A free operating system would have let people fix the bugs for themselves, but now infected people will be compelled to wait for corporations to fix the problems.</p>
<p><small>Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<li id="M202107090">
<!--#set var="DATE" value='<small class="date-tag">2021-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A newly found Microsoft Windows vulnerability <a href="https://edition.cnn.com/2021/07/08/tech/microsoft-windows-10-printnightmare/"> can allow crackers to remotely gain access to the operating system</a> and install programs, view and delete data, or even create new user accounts with full user rights.</p>
<p>The security research firm accidentally leaked instructions on how the flaw could be exploited, but Windows users should still wait for Microsoft to fix the flaw, if they fix it.</p>
<p><small>Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<li id="M202106030">
<!--#set var="DATE" value='<small class="date-tag">2021-06</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/">TikTok apps collect biometric identifiers and biometric information from users' smartphones</a>.
The company behind it does whatever it wants and collects whatever data it can.</p>
</li>
<li id="M202105240">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.cpomagazine.com/data-privacy/icloud-data-turned-over-to-chinese-government-conflicts-with-apples-privacy-first-focus/">Apple is moving its Chinese customers' iCloud data to a datacenter controlled by the Chinese government</a>. Apple is already storing the encryption keys on these servers, obeying Chinese authority, making all Chinese user data available to the government.</p>
</li>
<li id="M202105040">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A motorcycle company named Klim is selling airbag vests with different payment methods; one of them is a <a href="https://www.vice.com/en/article/93yyyd/this-motorcycle-airbag-vest-will-stop-working-if-you-miss-a-payment">proprietary subscription-based option that will block the vest from inflating if the payments don't go through</a>.</p>
<p>They say there is a 30-day grace period if you miss a payment, but the grace period is no excuse for the insecurity.</p>
</li>
<li id="M202105030">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The United States' government is reportedly considering <a href="https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/">teaming up with private companies to monitor American citizens' private online activity and digital communications</a>.</p>
<p>What creates the opportunity to try this is the fact that these companies are already snooping on users' private activities.
That in turn is due to people's use of nonfree software which snoops, and online dis-services which snoop.</p>
</li>
<li id="M202104090">
<!--#set var="DATE" value='<small class="date-tag">2021-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A zero-day vulnerability in Zoom which <a href="https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/">can be used to launch remote code execution (RCE) attacks</a> has been disclosed by researchers. The researchers demonstrated a three-bug attack chain that caused an RCE on a target machine, all this without any form of user interaction.</p>
</li>
<li id="M202103090">
<!--#set var="DATE" value='<small class="date-tag">2021-03</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams">Over 150 thousand security cameras that used Verkada company's proprietary software were cracked</a> in a major security breach. Crackers have had access to security archives of various gyms, hospitals, jails, schools, and police stations that have used Verkada's cameras.</p>
<p><a href="/philosophy/surveillance-vs-democracy.html">It is injustice to the public</a> for gyms, stores, hospitals, jails, and schools to hand “security” footage to a company from which the government can collect it at any time, without even telling them.</p>
<p><small>Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<li id="M202103050">
<!--#set var="DATE" value='<small class="date-tag">2021-03</small>' --><!--#echo encoding="none" var="DATE" -->
<p>At least 30 thousand organizations in the United States are newly “<a href="/philosophy/words-to-avoid.html#Hacker">cracked</a>” via <a href="https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/">holes in Microsoft's proprietary email software, named Microsoft 365</a>. It is unclear whether there are other holes and vulnerabilities in the program or not, but history and experience tell us it wouldn't be the last disaster with proprietary programs.</p>
</li>
<li id="M202102110">
<!--#set var="DATE" value='<small class="date-tag">2021-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Researchers at the security firm SentinelOne discovered a <a href="https://www.wired.com/story/windows-defender-vulnerability-twelve-years/">security flaw in proprietary program Microsoft Windows Defender that lurked undetected for 12 years</a>.
If the program was free (as in freedom), more people would have had a chance to notice the problem; therefore, it could have been fixed a lot sooner.</p>
</li>
<li id="M202101110">
<!--#set var="DATE" value='<small class="date-tag">2021-01</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A cracker <a href="https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom">took control of people's internet-connected chastity cages and demanded ransom</a>. The chastity cages are being controlled by a proprietary app (mobile program).</p>
<p><small>(Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.)</small></p>
</li>
<li id="M202012200">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Commercial crackware can <a href="https://www.theguardian.com/technology/2020/dec/20/iphones-vulnerable-to-hacking-tool-for-months-researchers-say"> get passwords out of an iMonster</a>, use the microphone and camera, and other things.</p>
</li>
<li id="M202012190">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.washingtonpost.com/technology/2020/12/18/zoom-helped-china-surveillance/"> A Zoom executive carried out snooping and censorship for China</a>.</p>
<p>This abuse of Zoom's power shows how dangerous that power is. The root problem is not the surveillance and censorship, but rather the power that Zoom has. It gets that power partly from the use of its server, but also partly from the nonfree client program.</p>
</li>
<li id="M202012150">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>United States officials are facing one of the biggest crackings against them in years, when <a href="https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department">malicious code was sneaked into SolarWinds' proprietary software named Orion</a>. Crackers got access to networks when users downloaded a tainted software update. Crackers were able to monitor internal emails at some of the top agencies in the US.</p>
<p><small>(Please note that the article wrongly refers to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.)</small></p>
</li>
<li id="M202012070">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Baidu apps were <a href="https://www.zdnet.com/article/baidus-android-apps-caught-collecting-sensitive-user-details/"> caught collecting sensitive personal data</a> that can be used for lifetime tracking of users, and putting them in danger. More than 1.4 billion people worldwide are affected by these proprietary apps, and users' privacy is jeopardized by this surveillance tool. Data collected by Baidu may be handed over to the Chinese government, possibly putting Chinese people in danger.</p>
</li>
<li id="M202011120">
<!--#set var="DATE" value='<small class="date-tag">2020-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Apple has <a href="https://sneak.berlin/20201112/your-computer-isnt-yours/">implemented malware in its computers that imposes surveillance</a> on users and reports users' computing to Apple.</p>
<p>The reports are even unencrypted, and they've been leaking this data for two years already.
This malware reports to Apple which user opens which program at what time. It also gives Apple the power to sabotage users' computing.</p>
</li>
<li id="M202010120">
<!--#set var="DATE" value='<small class="date-tag">2020-10</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Samsung is forcing its smartphone users in Hong Kong (and Macau) <a href="https://blog.headuck.com/2020/10/12/samsung-phones-force-mainland-china-dns-service-upon-hong-kong-wifi-users/">to use a public DNS in Mainland China</a>, through a software update released in September 2020, which causes much unease and many privacy concerns.</p>
</li>
<li id="M202008110">
<!--#set var="DATE" value='<small class="date-tag">2020-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>TikTok <a href="https://boingboing.net/2020/08/11/tiktok-exploited-android-secur.html"> exploited an Android vulnerability</a> to obtain user MAC addresses.</p>
</li>
<li id="M202006160">
<!--#set var="DATE" value='<small class="date-tag">2020-06</small>' --><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.wired.com/story/ripple20-iot-vulnerabilities/?bxid=5bd66d4c2ddf9c619437e4b8&cndid=9608804&esrc=Wired_etl_load&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_bran%5C"> A disastrous security bug</a> touches millions of products in the Internet of Stings.</p>
<p>As a result, anyone can sting the user, not only the manufacturer.</p>
</li>
<li id="M202004270">
<!--#set var="DATE" value='<small class="date-tag">2020-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The proprietary program Microsoft Teams' insecurity <a href="https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-whole-companys-microsoft-teams-data-couldve-been-stolen-with-an-evil-gif/">could have let a malicious GIF steal user data from Microsoft Teams accounts</a>, possibly across an entire company, and taken control of “an organization's entire roster of Teams accounts.”</p>
</li>
<li id="M202004150">
<!--#set var="DATE" value='<small class="date-tag">2020-04</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Riot Games' new anti-cheat is malware; it <a href="https://www.extremetech.com/gaming/309320-riot-games-new-anti-cheat-system-runs-at-system-boot-uses-kernel-driver">runs on system boot at kernel level</a> on Windows.
It is insecure software that increases the attack surface of the operating system.</p>
</li>
<li id="M201912170">
<!--#set var="DATE" value='<small class="date-tag">2019-12</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Some security breakers (wrongly referred to in this article as <a href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>) managed to interfere with the Amazon Ring proprietary system, and <a href="https://www.theguardian.com/technology/2019/dec/13/ring-hackers-reportedly-watching-talking-strangers-in-home-cameras">access its camera, speakers and microphones</a>.</p>
</li>
<li id="M201911190">
<!--#set var="DATE" value='<small class="date-tag">2019-11</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Internet-tethered Amazon Ring had a security vulnerability that enabled attackers to <a href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password"> access the user's wifi password</a>, and snoop on the household through connected surveillance devices.</p>
<p>Knowledge of the wifi password would not be sufficient to carry out any significant surveillance if the devices implemented proper security, including encryption. But many devices with proprietary software lack this.
Of course, they are also used by their manufacturers for snooping.</p>
</li>
<li id="M201908310">
<!--#set var="DATE" value='<small class="date-tag">2019-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>A series of vulnerabilities <a href="https://www.forbes.com/sites/gordonkelly/2019/08/31/apple-iphone-ipad-security-ios-upgrade-iphone-xs-max-xr-update/">found in iOS allowed attackers to gain access to sensitive information including private messages, passwords, photos and contacts stored on the user's iMonster</a>.</p>
<p>The deep insecurity of iMonsters is even more pertinent given that Apple's proprietary software makes users totally dependent on Apple for even a modicum of security. It also means that the devices do not even try to offer security against Apple itself.</p>
</li>
<li id="M201908020">
<!--#set var="DATE" value='<small class="date-tag">2019-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Out of 21 gratis Android antivirus apps that were tested by security researchers, eight <a href="https://www.comparitech.com/antivirus/android-antivirus-vulnerabilities/"> failed to detect a test virus</a>. All of them asked for dangerous permissions or contained advertising trackers, with seven being more risky than the average of the 100 most popular Android apps.</p>
<p><small>(Note that the article refers to these proprietary apps as “free”. It should have said “gratis” instead.)</small></p>
</li>
<li id="M201907080">
<!--#set var="DATE" value='<small class="date-tag">2019-07</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Many Android apps can track users' movements even when the user says <a href="https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location"> not to allow them access to locations</a>.</p>
<p>This involves an apparently unintentional weakness in Android, exploited intentionally by malicious apps.</p>
</li>
<li id="M201905150">
<!--#set var="DATE" value='<small class="date-tag">2019-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Users caught in the jail of an iMonster are <a href="https://boingboing.net/2019/05/15/brittle-security.html"> sitting ducks for other attackers</a>, and the app censorship prevents security companies from figuring out how those attacks work.</p>
<p>Apple's censorship of apps is fundamentally unjust, and would be inexcusable even if it didn't lead to security threats as well.</p>
</li>
<li id="M201903210">
<!--#set var="DATE" value='<small class="date-tag">2019-03</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Medtronics Conexus Telemetry Protocol has <a href="https://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/"> two vulnerabilities that affect several models of implantable defibrillators</a> and the devices they connect to.</p>
<p>This protocol has been around since 2006, and similar vulnerabilities were discovered in an earlier Medtronics communication protocol in 2008. Apparently, nothing was done by the company to correct them. This means you can't rely on proprietary software developers to fix the bugs in their products.</p>
</li>
<li id="M201902270">
<!--#set var="DATE" value='<small class="date-tag">2019-02</small>' --><!--#echo encoding="none" var="DATE" -->
<p>The Ring (now Amazon) doorbell camera is designed so that the manufacturer (now Amazon) can watch all the time. Now it turns out that <a href="https://web.archive.org/web/20190918024432/https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/"> anyone else can also watch, and fake videos too</a>.</p>
<p>The third party vulnerability is presumably unintentional and Amazon will probably fix it. However, we do not expect Amazon to change the design that <a href="/proprietary/proprietary-surveillance.html#M201901100">allows Amazon to watch</a>.</p>
</li>
<li id="M201809240">
<!--#set var="DATE" value='<small class="date-tag">2018-09</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Researchers have discovered how to <a href="https://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co"> hide voice commands in other audio</a>, so that people cannot hear them, but Alexa and Siri can.</p>
</li>
<li id="M201808130">
<!--#set var="DATE" value='<small class="date-tag">2018-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Since the beginning of 2017, <a href="https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled">Android phones have been collecting the addresses of nearby cellular towers</a>, even when location services are disabled, and sending that data back to Google.</p>
</li>
<li id="M201808120">
<!--#set var="DATE" value='<small class="date-tag">2018-08</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Crackers found a way to break the security of an Amazon device, and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html"> turn it into a listening device</a> for them.</p>
<p>It was very difficult for them to do this. The job would be much easier for Amazon.
And if some government such as China or the US told Amazon to do this, or cease to sell the product in that country, do you think Amazon would have the moral fiber to say no?</p> <p><small>(These crackers are probably hackers too, but please <a href="https://stallman.org/articles/on-hacking.html"> don't use “hacking” to mean “breaking security”</a>.)</small></p> </li> <li id="M201807100"> <!--#set var="DATE" value='<small class="date-tag">2018-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>Siri, Alexa, and all the other voice-control systems can be <a href="https://www.fastcompany.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa"> hijacked by programs that play commands in ultrasound that humans can't hear</a>.</p> </li> <li id="M201807020"> <!--#set var="DATE" value='<small class="date-tag">2018-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>Some Samsung phones randomly <a href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages">send photos to people in the owner's contact list</a>.</p> </li> <li id="M201712240"> <!--#set var="DATE" value='<small class="date-tag">2017-12</small>' --><!--#echo encoding="none" var="DATE" --> <p>One of the dangers of the “internet of stings” is that, if you lose your internet service, you also <a href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/"> lose control of your house and appliances</a>.</p> <p>For your safety, don't use any appliance with a connection to the real internet.</p> </li> <li id="M201711204"> <!--#set var="DATE" value='<small class="date-tag">2017-11</small>' --><!--#echo encoding="none" var="DATE" --> <p>Intel's intentional “management engine” back door has <a href="https://www.theregister.com/2017/11/20/intel_flags_firmware_flaws/"> unintended back doors</a> too.</p> </li> <li id="M201711200"> <!--#set var="DATE" value='<small class="date-tag">2017-11</small>' 
--><!--#echo encoding="none" var="DATE" --> <p>Amazon recently invited consumers to be suckers and <a href="https://www.techdirt.com/2017/11/22/vulnerability-found-amazon-key-again-showing-how-dumber-tech-is-often-smarter-option/"> allow delivery staff to open their front doors</a>. Wouldn't you know it, the system has a grave security flaw.</p> </li> <li id="M201709290"> <!--#set var="DATE" value='<small class="date-tag">2017-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>Bad security in some cars makes it possible to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937"> remotely activate the airbags</a>.</p> </li> <li id="M201709200"> <!--#set var="DATE" value='<small class="date-tag">2017-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>A “smart” intravenous pump designed for hospitals is connected to the internet. Naturally <a href="https://www.techdirt.com/2017/09/22/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack/"> itscamerasecurity has been cracked</a>.</p> <p><small>(Note that this article misuses the term <a href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a> referring towatchcrackers.)</small></p> </li> <li id="M201708280"> <!--#set var="DATE" value='<small class="date-tag">2017-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>The bad security in many Internet of Stings devices allows <a href="https://www.techdirt.com/2017/08/28/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you/">ISPs to snoop on the peoplewho are watching TV.</p>that use them</a>.</p> <p>Don't be a sucker—reject all the stings.</p> <p><small>(It is unfortunate that the article uses the term <a href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p> </li><li><li id="M201706200.1"> <!--#set var="DATE" value='<small class="date-tag">2017-06</small>' --><!--#echo encoding="none" var="DATE" --> <p>Many models of Internet-connected cameras <a 
href="/proprietary/proprietary-back-doors.html#InternetCameraBackDoor"> have back doors</a>.</p> <p>That is a malicious functionality, but in addition it is a gross insecurity since anyone, including malicious crackers, <a href="https://arstechnica.com/information-technology/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">can find those accounts and use them to get into users' cameras</a>.</p> </li> <li id="M201706050"> <!--#set var="DATE" value='<small class="date-tag">2017-06</small>' --><!--#echo encoding="none" var="DATE" --> <p id="intel-me-10-year-vulnerability">Intel's CPU backdoor—the Intel Management Engine—had a <a href="https://arstechnica.com/information-technology/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/">major security vulnerability for 10 years</a>.</p> <p>The vulnerability allowed a cracker to access the computer's Intel Active Management Technology (AMT) <a href="https://arstechnica.com/information-technology/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/"> web interface with an empty password</a>, which gave administrative access to the computer's keyboard, mouse, and monitor, among other privileges.</p> <p>It does not help that in newer Intel processors, it is impossible to turn off the Intel Management Engine.
Thus, even users who are proactive about their security can do nothing to protect themselves besides using machines that don't come with the backdoor.</p> </li> <li id="M201705250"> <!--#set var="DATE" value='<small class="date-tag">2017-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>The proprietary code that runs pacemakers, insulin pumps, and other medical devices is <a href="https://www.bbc.com/news/technology-40042584"> full of gross security faults</a>.</p> </li> <li id="M201705160"> <!--#set var="DATE" value='<small class="date-tag">2017-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>Conexant HD Audio Driver Package (version 1.0.0.46 and earlier) pre-installed on 28 models of HP laptops logged the user's keystrokes to a file in the filesystem. Any process with access to the filesystem or the MapViewOfFile API could gain access to the log. Furthermore, <a href="https://www.modzero.com/advisories/MZ-17-01-Conexant-Keylogger.txt">according to modzero</a> the “information-leak via Covert Storage Channel enables malware authors to capture keystrokes without taking the risk of being classified as malicious task by AV heuristics”.</p> </li> <li id="M201705120"> <!--#set var="DATE" value='<small class="date-tag">2017-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>Exploits of bugs in Windows, which were developed by the NSA and then leaked by the Shadowbrokers group, are now being used to <a href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/">attack a great number of Windows computers with ransomware</a>.</p> </li> <li id="M201704050"> <!--#set var="DATE" value='<small class="date-tag">2017-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Many Android devices <a href="https://arstechnica.com/information-technology/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/"> can be hijacked through their Wi-Fi chips</a> because of a bug in Broadcom's nonfree firmware.</p> </li> <li id="M201703270"> <!--#set var="DATE" value='<small class="date-tag">2017-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>When Miele's Internet of Stings hospital disinfectant dishwasher is <a href="https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit"> connected to the Internet, its security is crap</a>.</p> <p>For
example, a cracker can gain access to the dishwasher's filesystem, infect it with malware, and force the dishwasher to launch attacks on other devices in the network. Since these dishwashers are used in hospitals, such attacks could potentially put hundreds of lives at risk.</p> </li> <li id="M201703070"> <!--#set var="DATE" value='<small class="date-tag">2017-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>The CIA exploited existing vulnerabilities in “smart” TVs and phones to design malware that <a href="https://www.independent.co.uk/tech/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html"> spies through their microphones and cameras while making them appear to be turned off</a>. Since the spyware sniffs signals, it bypasses encryption.</p> </li> <li id="M201702200"> <!--#set var="DATE" value='<small class="date-tag">2017-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>If you buy a used “smart” car, house, TV, refrigerator, etc., usually <a href="https://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the previous owners can still remotely control it</a>.</p> </li> <li id="M201702170"> <!--#set var="DATE" value='<small class="date-tag">2017-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>The mobile apps for communicating <a href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with a smart but foolish car have very bad security</a>.</p> <p>This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is.
If you own such a car, it would be wise to disconnect the modem so as to turn off the tracking.</p> </li> <li id="M201701271"> <!--#set var="DATE" value='<small class="date-tag">2017-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>A cracker would be able to <a href="https://uploadvr.com/hackable-webcam-oculus-sensor-be-aware/"> turn the Oculus Rift sensors into spy cameras</a> after breaking into the computer they are connected to.</p> <p><small>(Unfortunately, the article <a href="/philosophy/words-to-avoid.html#Hacker">improperly refers to crackers as “hackers”</a>.)</small></p> </li> <li id="M201701270"> <!--#set var="DATE" value='<small class="date-tag">2017-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>Samsung phones <a href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have a security hole that allows an SMS message to install ransomware</a>.</p> </li> <li id="M201701130"> <!--#set var="DATE" value='<small class="date-tag">2017-01</small>' --><!--#echo encoding="none" var="DATE" --> <p>WhatsApp has a feature that <a href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/"> has been described as a “back door”</a> because it would enable governments to nullify its encryption.</p> <p>The developers say that it wasn't intended as a back door, and that may well be true. But that leaves the crucial question of whether it functions as one. 
Because the program is nonfree, we cannot check by studying it.</p> </li> <li id="M201612060.1"> <!--#set var="DATE" value='<small class="date-tag">2016-12</small>' --><!--#echo encoding="none" var="DATE" --> <p>The “smart” toys My Friend Cayla and i-Que can be <a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/">remotely controlled with a mobile phone</a>; physical access is not necessary. This would enable crackers to listen in on a child's conversations, and even speak into the toys themselves.</p> <p>This means a burglar could speak into the toys and ask the child to unlock the front door while Mommy's not looking.</p> </li> <li id="M201610230"> <!--#set var="DATE" value='<small class="date-tag">2016-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>4G LTE phone networks are drastically insecure.
They can be <a href="https://www.theregister.com/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/"> taken over by third parties and used for man-in-the-middle attacks</a>.</p> </li> <li id="M201608110"> <!--#set var="DATE" value='<small class="date-tag">2016-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>Due to weak security, <a href="https://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it is easy to open the doors of 100 million cars built by Volkswagen</a>.</p> </li> <li id="M201608080"> <!--#set var="DATE" value='<small class="date-tag">2016-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>Ransomware <a href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/"> has been developed for a thermostat that uses proprietary software</a>.</p> </li> <li id="M201608020"> <!--#set var="DATE" value='<small class="date-tag">2016-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>A <a href="https://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/">flaw in Internet Explorer and Edge</a> allows an attacker to retrieve Microsoft account credentials, if the user is tricked into visiting a malicious link.</p> </li> <li id="M201607290"> <!--#set var="DATE" value='<small class="date-tag">2016-07</small>' --><!--#echo encoding="none" var="DATE" --> <p><a
href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted” WhatsApp messages are not entirely deleted</a>. They can be recovered in various ways.</p> </li> <li id="M201607220"> <!--#set var="DATE" value='<small class="date-tag">2016-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>A vulnerability in Apple's Image I/O API allowed an attacker to <a href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple">execute malicious code from any application which uses this API to render a certain kind of image file</a>.</p> </li> <li id="M201607190"> <!--#set var="DATE" value='<small class="date-tag">2016-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>A bug in a proprietary ASN.1 library, used in cell phone towers as well as cell phones and routers, <a href="https://arstechnica.com/information-technology/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover/">allows taking control of those systems</a>.</p> </li> <li id="M201606290"> <!--#set var="DATE" value='<small class="date-tag">2016-06</small>' --><!--#echo encoding="none" var="DATE" --> <p>Antivirus programs have so many errors that <a href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374">they may make security worse</a>.</p> <p>GNU/Linux does not need antivirus software.</p> </li> <li id="M201605020"> <!--#set var="DATE" value='<small class="date-tag">2016-05</small>' --><!--#echo encoding="none" var="DATE" -->
<p>Samsung's “Smart Home” has a big security hole; <a href="https://arstechnica.com/information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/"> unauthorized people can remotely control it</a>.</p> <p>Samsung claims that this is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software.</p> <p>Anything whose name is “Smart” is most likely going to screw you.</p> </li> <li id="M201604120"> <!--#set var="DATE" value='<small class="date-tag">2016-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>A bug in the iThings Messages app <a href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/">allowed a malicious web site to extract all the user's messaging history</a>.</p> </li> <li id="M201604110"> <!--#set var="DATE" value='<small class="date-tag">2016-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Malware was found on <a href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html"> security cameras available through Amazon</a>.</p> <p>A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.</p> </li> <li id="M201603220"> <!--#set var="DATE" value='<small class="date-tag">2016-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>Over 70 brands of network-connected surveillance cameras have <a href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html"> security bugs that allow anyone to watch through them</a>.</p> </li> <li id="M201603100"> <!--#set var="DATE" value='<small class="date-tag">2016-03</small>' --><!--#echo
encoding="none" var="DATE" --> <p>Many proprietary payment apps <a href="https://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">transmit personal data in an insecure way</a>. However, the worse aspect of these apps is that <a href="/philosophy/surveillance-vs-democracy.html">payment is not anonymous</a>.</p> </li> <li id="M201602240"> <!--#set var="DATE" value='<small class="date-tag">2016-02</small>' --><!--#echo encoding="none" var="DATE" --> <p id="nissan-modem">The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to <a href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/"> access its computers remotely and make changes in various settings</a>.</p> <p>That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, <a href="/philosophy/free-software-even-more-important.html">which means it demands blind faith from its users</a>.</p> <p>Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem, though.</p> </li>
<li id="M201602110"> <!--#set var="DATE" value='<small class="date-tag">2016-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>A pacemaker running proprietary code <a href="https://www.wired.com/2016/02/i-want-to-know-what-code-is-running-inside-my-body/">was misconfigured and could have killed the implanted person</a>. In order to find out what was wrong and get it fixed, the person needed to break into the remote device that sets parameters in the pacemaker (possibly infringing upon the manufacturer's rights under the DMCA).
If this system had run free software, it could have been fixed much sooner.</p> </li> <li id="M201510210"> <!--#set var="DATE" value='<small class="date-tag">2015-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>FitBit fitness trackers have a <a href="https://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/"> Bluetooth vulnerability</a> that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.</p> </li> <li id="M201510200"> <!--#set var="DATE" value='<small class="date-tag">2015-10</small>' --><!--#echo encoding="none" var="DATE" --> <p>“Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives <a href="https://www.vice.com/en/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption"> have a back door</a>.</p>
</li> <li id="M201508120"> <!--#set var="DATE" value='<small class="date-tag">2015-08</small>' --><!--#echo encoding="none" var="DATE" --> <p>Security researchers discovered a <a href="https://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text"> vulnerability in diagnostic dongles used for vehicle tracking and insurance</a> that let them take remote control of a car or lorry using an SMS.</p> </li> <li id="M201507214"> <!--#set var="DATE" value='<small class="date-tag">2015-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>Crackers were able to <a href="https://arstechnica.com/information-technology/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/"> take remote control of the Jeep</a> “connected car”. They could track the car, start or stop the engine, and activate or deactivate the brakes, and more.</p> <p>We expect that Chrysler and the NSA can do this too.</p> <p>If you own a car that contains a phone modem, it would be a good idea to deactivate this.</p> </li>
<li id="M201506080"> <!--#set var="DATE" value='<small class="date-tag">2015-06</small>' --><!--#echo encoding="none" var="DATE" --> <p>Due to bad security in a drug pump, crackers could use it to <a href="https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/"> kill patients</a>.</p> </li> <li id="M201505294"> <!--#set var="DATE" value='<small class="date-tag">2015-05</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html"> Many smartphone apps use insecure authentication methods when storing your personal data on remote servers</a>. This leaves personal information like email addresses, passwords, and health information vulnerable. Because many of these apps are proprietary, it is hard or impossible to know which apps are at risk.</p> </li> <li id="M201505050"> <!--#set var="DATE" value='<small class="date-tag">2015-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>Hospira infusion pumps, which are used to administer drugs to a patient, were rated “<a href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/">least secure IP device I've ever seen</a>” by a security researcher.</p> <p>Depending on what drug is being infused, the insecurity could open the door to murder.</p> </li> <li id="M201504090"> <!--#set var="DATE" value='<small class="date-tag">2015-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Mac OS X had an <a href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/"> intentional local back door for 4 years</a>, which could be exploited by attackers to gain root privileges.</p> </li>
<li id="M201405190"> <!--#set var="DATE" value='<small class="date-tag">2014-05</small>' --><!--#echo encoding="none" var="DATE" --> <p>An app to prevent “identity theft” (access to personal data) by storing users' data on a special server <a href="https://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was deactivated by its developer</a>, which had discovered a security flaw.</p> <p>That developer seems to be conscientious about protecting personal data from third parties in general, but it can't protect that data from the state. Quite the contrary: confiding your data to someone else's server, if not first encrypted by you with free software, undermines your rights.</p> </li>
<li id="M201404250"> <!--#set var="DATE" value='<small class="date-tag">2014-04</small>' --><!--#echo encoding="none" var="DATE" --> <p>Lots of <a href="https://www.wired.com/2014/04/hospital-equipment-vulnerable/"> hospital equipment has lousy security</a>, and it can be fatal.</p> </li> <li id="M201402210"> <!--#set var="DATE" value='<small class="date-tag">2014-02</small>' --><!--#echo encoding="none" var="DATE" --> <p>The <a href="https://arstechnica.com/information-technology/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity of WhatsApp</a> makes eavesdropping a snap.</p> </li> <li id="M201312290"> <!--#set var="DATE" value='<small class="date-tag">2013-12</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://www.bunniestudios.com/blog/?p=3554"> Some flash memories have modifiable software</a>, which makes them vulnerable to viruses.</p> <p>We don't call this a “back door” because it is normal that you can install a new system in a computer, given physical access to it.
However, memory sticks and cards should not be modifiable in this way.</p> </li> <li id="M201312040"> <!--#set var="DATE" value='<small class="date-tag">2013-12</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://arstechnica.com/information-technology/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/"> Point-of-sale terminals running Windows were taken over</a> and turned into a botnet for the purpose of collecting customers' credit card numbers.</p> </li> <li id="M201311120"> <!--#set var="DATE" value='<small class="date-tag">2013-11</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html"> The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry</a>. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are <a href="https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/"> lots of bugs in the phones' radio software</a>.</p> </li> <li id="M201309054"> <!--#set var="DATE" value='<small class="date-tag">2013-09</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security">The NSA has put back doors into nonfree encryption software</a>. We don't know which ones they are, but we can be sure they include some widely used systems.
This reinforces the point that you can never trust the security of nonfree software.</p> </li> <li id="M201309050"> <!--#set var="DATE" value='<small class="date-tag">2013-09</small>' --><!--#echo encoding="none" var="DATE" --> <p>The FTC punished a company for making webcams with <a href="https://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html"> bad security so that it was easy for anyone to watch through them</a>.</p> </li> <li id="M201308060"> <!--#set var="DATE" value='<small class="date-tag">2013-08</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="http://spritesmods.com/?art=hddhack&page=6"> Replaceable nonfree software in disk drives can be written by a nonfree program</a>. This makes any system vulnerable to persistent attacks that normal forensics won't detect.</p> </li> <li id="M201307270"> <!--#set var="DATE" value='<small class="date-tag">2013-07</small>' --><!--#echo encoding="none" var="DATE" --> <p>It is possible to <a href="https://siliconangle.com/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/"> kill people by taking control of medical implants by radio</a>. More information in <a href="https://www.bbc.com/news/technology-17631838">BBC News</a> and
<a href="https://ioactive.com/broken-hearts-how-plausible-was-the-homeland-pacemaker-hack/"> IOActive Labs Research blog</a>.</p> </li> <li id="M201307260"> <!--#set var="DATE" value='<small class="date-tag">2013-07</small>' --><!--#echo encoding="none" var="DATE" --> <p><a href="https://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/"> “Smart homes”</a> turn out to be stupidly vulnerable to intrusion.</p> </li> <li id="M201212170"> <!--#set var="DATE" value='<small class="date-tag">2012-12</small>' --><!--#echo encoding="none" var="DATE" --> <p id="break-security-smarttv"><a href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html"> Crackers found a way to break security on a “smart” TV</a> and use its camera to watch the people who are watching TV.</p> </li> <li id="M201103110"> <!--#set var="DATE" value='<small class="date-tag">2011-03</small>' --><!--#echo encoding="none" var="DATE" --> <p>It is possible to <a href="https://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/"> take control of some car computers through malware in music files</a>. Also <a href="https://www.nytimes.com/2011/03/10/business/10hack.html"> by radio</a>. More information in the <a href="http://www.autosec.org/faq.html"> Automotive Security And Privacy Center</a>.</p> </li> </ul> </div> </div> <!--#include virtual="/proprietary/proprietary-menu.html" --> <!--#include virtual="/server/footer.html" --> <div id="footer" role="contentinfo"> <div class="unprintable"> <p>Please send general FSF & GNU inquiries to <a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>. There are also <a href="/contact/">other ways to contact</a> the FSF.
Broken links and other corrections or suggestions can be sent to
<a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain.
-->

<p>Copyright © 2013, 2015-2023 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2023/01/08 18:03:10 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>
