<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.79 1.84 -->
<title>Proprietary Insecurity
- GNU Project - Free Software Foundation</title>
 <!--#include virtual="/proprietary/po/proprietary-insecurity.translist" -->
<!--#include virtual="/server/banner.html" -->
<h2>Proprietary Insecurity</h2>

<a href="/proprietary/proprietary.html">Other examples of proprietary malware</a>

<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers often exercise that power to the
detriment of the users they ought to serve.</p>

<p>This page lists clearly established cases of insecurity in
proprietary software that has grave consequences or is otherwise

<p>It is incorrect to compare free software with a fictitious idea of
proprietary software as perfect, but the press often implicitly does
that whenever a security hole in a free program is discovered.  The
examples below show that proprietary software isn't perfect, and
is often quite sloppy.</p>

<p>It would be equally incorrect to compare proprietary software with
a fictitious idea of free software as perfect.  Every nontrivial
program has bugs, and any system, free or proprietary, may have
holes.  That in itself errors.  To err is human, and not culpable.  But proprietary
software developers frequently disregard gaping holes, or even
introduce them
deliberately, and <em>the deliberately.  In any case, they keep users are helpless
<em>helpless to fix them</em>.</p> any security problems that arise</em>.  Keeping the
users helpless is what's culpable about proprietary software.</p>

  <p>A “smart” intravenous pump designed for
    hospitals is connected to the internet. Naturally <a
    its security has been cracked</a>.</p>
  <p>Note that this article misuses the term <a
     referring to crackers.</p>
  <p>The bad security in many Internet of Stings devices
    allows <a href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml">ISPs
    to snoop on the people that use them</a>.</p>
  <p>Don't be a sucker—reject all the stings.</p>
  <p>It is unfortunate that the article uses the term <a
  <p>Siri, Alexa, and all the other voice-control systems can be
  hijacked by programs that play commands in ultrasound that humans can't
<li id="break-security-smarttv">
      Crackers found a way to break security on a “smart” TV</a> and use its camera
      to watch the people who are watching TV.</p>
  <p>Many models of Internet-connected cameras <a
  have backdoors</a>.</p>

  <p>That is a malicious functionality, but in addition it is a gross
  insecurity since anyone, including malicious crackers, <a href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">can find those accounts and use them to get into
  users' cameras</a>.</p>


    Conexant HD Audio Driver Package (version and earlier)
    pre-installed on 28 models of HP laptops logged the user's
    keystroke to a file in the filesystem. Any process with access to
    the filesystem or the MapViewOfFile API could gain access to the
    log. Furthermore, <a href="https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt">according
    to modzero</a> the “information-leak via Covert Storage
    Channel enables malware authors to capture keystrokes without
    taking the risk of being classified as malicious task by AV
<p>The proprietary code that runs pacemakers, insulin pumps, and other
medical devices is <a href="http://www.bbc.co.uk/news/technology-40042584">
full of gross security faults</a>.</p>

  <p>Exploits of bugs in Windows, which were developed by the NSA
	and then leaked by the Shadowbrokers group, are now being used to
	<a href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/">attack a great number
	of Windows computers with ransomware</a>.

<li  id="intel-me-10-year-vulnerability">
  <p>Intel's CPU backdoor—the Intel Management Engine—had a
	<a href="https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/">major security
	vulnerability for 10 years</a>.</p>

  <p>The vulnerability allowed a cracker to access the computer's Intel Active
      Management Technology
      (AMT) <a href="https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/">
      web interface with an empty password and gave administrative
      access</a> to access the computer's keyboard, mouse, monitor
      among other privileges.</p>

	<p>It does not help that in newer Intel processors, it is impossible
	to turn off the Intel Management Engine. Thus, even users who are 
	proactive about their security can do nothing to protect themselves 
	besides using machines that don't come with the backdoor.</p>


  <p>Many Android devices <a href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/">
	can be hijacked through their Wi-Fi chips</a> because of a bug in
	Broadcom's non-free firmware.</p>

<p>When Miele's Internet of Stings hospital disinfectant dishwasher is
<a href="https://motherboard.vice.com/en_us/article/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit">connected to the Internet,
its security is crap</a>.</p>

<p>For example, a cracker can gain access to the dishwasher's filesystem, 
infect it with malware, and force the dishwasher to launch attacks on other
devices in the network. Since these dishwashers are used in hospitals, such
attacks could potentially put hundreds of lives at risk.</p>

<li><p>WhatsApp has a feature that 
    <a href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/">
      has been described as a “back door”</a>
    because it would enable governments to nullify its encryption.</p>
  <p>The developers say that it wasn't intended as a back door, and that
    may well be true. But that leaves the crucial question of whether it
    functions as one. Because the program is nonfree, we cannot check by
    studying it.</p></li>

<p>The “smart” toys My Friend Cayla and i-Que can be
<a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">remotely controlled with a mobile phone</a>; physical access
is not necessary. This would enable crackers to listen in on a child's
conversations, and even speak into the toys themselves.</p>

<p>This means a burglar could speak into the toys and ask the child to
unlock the front door while Mommy's not looking.</p>

<p>The mobile apps for
communicating <a href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
a smart but foolish car have very bad security</a>.</p>

<p>This is in addition to the fact that the car contains a cellular
modem that tells big brother all the time where it is.  If you own
such a car, it would be wise to disconnect the modem so as to turn off
the tracking.</p>

<p>If you buy a used “smart” car, house, TV, refrigerator,
usually <a href="http://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the
previous owners can still remotely control it</a>.</p>

phones <a href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have
a security hole that allows an SMS message to install

<p>4G LTE phone networks are drastically insecure. They can be
<a href="https://web.archive.org/web/20161027223907/http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/">
over by third parties and used for man-in-the-middle attacks</a>.</p>

<p>Due to weak security, <a href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it
is easy to open the doors of 100 million cars built by Volkswagen</a>.</p>

<p>Ransomware <a href="https://www.pentestpartners.com/blog/thermostat-ransomware-a-lesson-in-iot-security/">has
been developed for a thermostat that uses proprietary software</a>.</p>

<p>A <a href="http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/">flaw in
Internet Explorer and Edge</a> allows an attacker to retrieve
Microsoft account credentials, if the user is tricked into visiting a
malicious link.</p>

<p><a href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted”
WhatsApp messages are not entirely deleted</a>. They can be recovered
in various ways.

<p>A vulnerability in Apple's Image I/O API allowed an attacker to
<a href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple">execute
  malacious code from any application which uses this API to render a
  certain kind of image file</a>.</p>
<p>A bug in a proprietary ASN.1 library, used in cell phone towers as
well as cell phones and
routers, <a href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover">allows
taking control of those systems</a>.</p>

<p>Antivirus programs have so many errors
  that <a href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374">they
  may make security worse</a>.</p>
<p>GNU/Linux does not need antivirus software.</p>

<p>Over 70 brands of network-connected surveillance
cameras <a href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">have
security bugs that allow anyone to watch through them</a>.</p>

Samsung's “Smart Home” has a big security
hole; <a href="http://arstechnica.com/security/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/">unauthorized
people can remotely control it</a>.</p>

<p>Samsung claims that this is an “open” platform so the
problem is partly the fault of app developers. That is clearly true if
the apps are proprietary software.</p>

<p>Anything whose name is “Smart” is most likely going to
screw you.</p>

The Nissan Leaf has a built-in cell phone modem which allows
anyone <a href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">to
access its computers remotely and make changes in various

<p>That's easy to do because the system has no authentication when
accessed through the modem.  However, even if it asked for
authentication, you couldn't be confident that Nissan has no
access.  The software in the car is
proprietary, <a href="/philosophy/free-software-even-more-important.html">which
means it demands blind faith from its users</a>.</p>

<p>Even if no one connects to the car remotely, the cell phone modem
enables the phone company to track the car's movements all the time;
it is possible to physically remove the cell phone modem though.</p>

Malware found
on <a href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html">security
cameras available through Amazon</a>.

<p>A camera that records locally on physical media, and has no network
  connection, does not threaten people with surveillance—neither by
  watching people through the camera, nor through malware in the camera.

<p>A bug in the iThings Messages
app <a href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/">allowed
a malicious web site to extract all the user's messaging history</a>.

<p>Many proprietary payment apps <a
transmit personal data in an insecure way</a>.
However, the worse aspect of these apps is that
<a href="/philosophy/surveillance-vs-democracy.html">payment is not anonymous</a>.

FitBit fitness trackers <a href="http://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/">
have a Bluetooth vulnerability</a> that allows
attackers to send malware to the devices, which can subsequently spread
to computers and other FitBit trackers that interact with them.

“Self-encrypting” disk drives do the encryption with proprietary
firmware so you can't trust it. Western Digital's “My Passport”
<a href="https://motherboard.vice.com/en_uk/read/some-popular-self-encrypting-hard-drives-have-really-bad-encryption">have a back door</a>.

Mac OS X had an
<a href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/">
intentional local back door for 4 years</a>, which could be
exploited by attackers to gain root privileges.

<p>Security researchers discovered a
<a href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text">
vulnerability in diagnostic dongles used for vehicle tracking and
insurance</a> that let them take remote control of a car or
lorry using an SMS.

Crackers were able to
<a href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">take remote control of the Jeep</a>
“connected car”.
<br/>They could track the car, start or stop the engine, and
activate or deactivate the brakes, and more.
I expect that Chrysler and the NSA can do this too.
If I ever own a car, and it contains a portable phone, I will
deactivate that.

Hospira infusion pumps, which are used to administer drugs to
a patient, were rated
secure IP device I've ever seen</a>”
by a security researcher.
Depending on what drug is being infused, the insecurity could
open the door to murder.

Due to bad security in a drug pump, crackers could use it to
<a href="http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/">kill patients</a>.

<a href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
The NSA can tap data in smart phones, including iPhones, Android, and
BlackBerry</a>.  While there is not much detail here, it seems that
this does not operate via the universal back door that we know nearly
all portable phones have.  It may involve exploiting various bugs.
are <a href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">
lots of bugs in the phones' radio software</a>.

<p><a href="http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/">
“Smart homes”</a> turn out to be stupidly vulnerable to

<a href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity of WhatsApp</a>
makes eavesdropping a snap.</p>

<p><a href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html">
The FTC punished a company for making webcams with bad security so
that it was easy for anyone to watch them</a>.

<p><a href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/">
It is possible to take control of some car computers through malware
in music files</a>.
Also <a href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0">by
radio</a>.  Here is <a href="http://www.autosec.org/faq.html">more

<p><a href="http://siliconangle.com/blog/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/">
It is possible to kill people by taking control of medical implants by
radio</a>.  Here
is <a href="http://www.bbc.co.uk/news/technology-17631838">more
information</a>.  And <a href="http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html">here</a>.

<p>Lots of <a href="http://www.wired.com/2014/04/hospital-equipment-vulnerable/">hospital equipment has lousy security</a>, and it can be fatal.

<p><a href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/">
Point-of-sale terminals running Windows were taken over and turned
into a botnet for the purpose of collecting customers' credit card

<p>An app to prevent “identity theft” (access to personal data)
by storing users' data on a special server
<a href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was
deactivated by its developer</a> which had discovered a security flaw.

That developer seems to be conscientious about protecting personal
data from third parties in general, but it can't protect that data
from the state.  Quite the contrary: confiding your data to someone
else's server, if not first encrypted by you with free software,
undermines your rights.

<p><a href="http://www.bunniestudios.com/blog/?p=3554"> Some flash
memories have modifiable software</a>, which makes them vulnerable to

<p>We don't call this a “back door” because it is normal
that you can install a new system in a computer given physical access
to it.  However, memory sticks and cards should not be modifiable in
this way.</p>

<p><a href="http://spritesmods.com/?art=hddhack&page=6"> Replaceable
nonfree software in disk drives can be written by a nonfree
program.</a>  This makes any system vulnerable to persistent attacks
that normal forensics won't detect.</p>

<p><a href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html">
Many smartphone apps use insecure authentication methods when storing
your personal data on remote servers.</a>
This leaves personal information like email addresses, passwords, and health information vulnerable. Because many
of these apps are proprietary it makes it hard to impossible to know which apps are at risk.</p>


</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">

        <p>For information on coordinating and submitting translations of
        our web pages, see <a
        README</a>. -->
Please see the <a
README</a> for information on coordinating and submitting translations
of this article.</p>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2013, 2015, 2016 2016, 2017 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
Commons Attribution-NoDerivatives 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2017/10/02 07:32:00 $
<!-- timestamp end -->