<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please do not edit <ul class="blurbs">!
Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware in Appliances
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
<style type="text/css" media="screen,print"><!--
.article .emph-box {
padding: 0 2em 1.5em;
border-radius: 1em;
margin: 2em 0;
}
--></style>
<!--#include virtual="/proprietary/po/malware-appliances.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
<img id="side-menu-icon" height="32"
src="/graphics/icons/side-menu.png"
title="Section contents"
alt=" [Section contents] " />
</a>
<p class="breadcrumb">
<a href="/"><img src="/graphics/icons/home.png" height="24"
alt="GNU Home" title="GNU Home" /></a> /
<a href="/proprietary/proprietary.html">Malware</a> /
By product /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware in Appliances</h2>
<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>
<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>
<div class="article">
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>
<div class="emph-box">
<h3 id="connected-appliances">Don't trust “connected”
appliances</h3>
<p>Most of the devices listed here are “connected”—they
try to talk over the internet with someone (typically a company) other
than the nominal owner. Such an appliance is inherently untrustworthy: no
matter what company it is, you should never trust it <em>that far</em>.</p>
<p>The appliances we are dealing with contain software, almost always
nonfree software. It is reasonable to treat this software as <a
href="/philosophy/free-hardware-designs.html#boundary">equivalent to a
bunch of circuits</a>, provided it is <em>never</em> changed (not even
if the change is called an “upgrade”).</p>
<p>In a connected appliance, it is hard to ensure that software won't be
changed. Typically a connected appliance will have a universal back
door—a feature that allows the company to remotely replace the
software in it, over the internet. Some appliances might be
exceptions, but we can never verify that a given appliance is an
exception. Thus, we can never be sure that software in it won't be
changed.</p>
<p>In practice, these “upgrades” can amount to sabotage.
Let's assume, for instance, that your printer accepts third-party ink
cartridges. You have no guarantee that, some day, the manufacturer
will not install malicious code to reject them. With a connected device,
you must expect this.</p>
<p>The manufacturer may try to justify these “upgrades” in the
name of “security.” You can respond by asking: “Whose
security? Security for me, or for the manufacturer against me?” If
the manufacturer writes the software, in practice it implements security
for itself against the customers.</p>
<p>Even without changing the code in the device, the company can use the
“connection” to do nasty things to you—for instance,
snoop on you, your family and your guests, or make it stop running at
all.</p>
<p>The reliable way to prevent abuse of this sort is to block the appliance
from communicating by internet with anything other than <em>your own
computer</em>. (You can make your own computer more secure by running
exclusively free software in it.)</p>
<p>In an ideal world, appliances would contain 100% free software, so our
community could correct any problems the software might have. The
free software would obey <em>us</em>, not companies. That software would
not let anyone change it without entering passwords that the
<em>owners</em> chose.</p>
</div>
<h3 id="malware-appliances">Examples of malware in appliances</h3>
<ul class="blurbs">
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202501170">
<!--#set var="DATE" value='<small class="date-tag">2025-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Canon is <a
href="https://arstechnica.com/gadgets/2025/01/canon-charges-50-per-year-to-use-a-900-camera-as-a-functional-webcam/">
preventing customers from using one of its cameras as a webcam</a>
unless they create an account on the company's server, and pay an
additional subscription. This unjust practice could be eliminated if
the camera firmware were free (as in freedom).</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202407200">
<!--#set var="DATE" value='<small class="date-tag">2024-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The company making a “smart” bassinet called Snoo has <a
href="https://www.theverge.com/2024/7/20/24202166/snoo-premium-subscription-happiest-baby">
locked the most advanced functionalities of the Snoo behind a
paywall</a>. This unexpected change mainly affects users who received
the appliance as a gift, or bought it second-hand on the assumption
that all these functionalities would be available to them, as they
used to be. This is another example of the deceptive behavior of
proprietary software developers who take advantage of their power
over users to change rules at will.</p>
<p>Another malicious feature of the Snoo is the fact that users
need to create an account with the company, which thus has access
to personal data, location (SSID), appliance log, etc., as well as
manual notes about baby history.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202312230">
<!--#set var="DATE" value='<small class="date-tag">2023-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Surveillance cameras put in by government
A to surveil for it may be surveilling for
government B as well. That's because A put in a product <a
href="https://www.rferl.org/a/ukraine-cctv-moscow-spying-schemes-investigation/32747767.html">
made by B with nonfree software</a>.</p>
<p><small>(Please note that this article misuses the word “<a
href="/philosophy/words-to-avoid.html#Hacker">hack</a>” to
mean “break security.”)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202311100">
<!--#set var="DATE" value='<small class="date-tag">2023-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>In Australia, people assume that “smart”
means “tethered.” When people's ISP goes down, <a
href="https://www.theguardian.com/business/2023/nov/10/optus-went-down-and-the-smart-lights-came-on-and-then-marayke-was-stranded-in-bed">
all the tethered devices become useless</a>.</p>
<p>That's in addition to the nasty things tethered devices do when
they are “functioning” normally—such as snoop on
the commands sent to the device and the results they report.</p>
<p>Smart <em>users</em> know better than to accept tethered
devices.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202311070">
<!--#set var="DATE" value='<small class="date-tag">2023-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Chamberlain Group <a
href="https://arstechnica.com/gadgets/2023/11/chamberlain-blocks-smart-garage-door-opener-from-working-with-smart-homes/">blocks
users from using third-party software</a> with its garage
openers. This is an intentional attack on using free software. The
official garage opener proprietary mobile app is now also <a
href="https://pluralistic.net/2023/11/09/lead-me-not-into-temptation/#chamberlain">infested
with ads, including up-selling its other services and devices.</a></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202309270">
<!--#set var="DATE" value='<small class="date-tag">2023-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Philips Hue, the most ubiquitous
home automation product in the US, is planning to soon <a
href="https://boingboing.net/2023/09/27/philips-hue-to-make-you-create-an-account-and-log-in-to-adjust-your-lightbulbs.html">
force users to log in to the app server</a> in order to be able to
adjust a lightbulb, or use other functionalities, in what amounts to
a massive user-tracking data grab.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202309050">
<!--#set var="DATE" value='<small class="date-tag">2023-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Google Nest snooper/surveillance cameras are always
tethered to Google servers, record videos 24/7, and are
<a href="https://arstechnica.com/gadgets/2023/09/google-nest-cameras-get-a-25-33-subscription-price-hike/">
subscription-based, which is an injustice to people who
use them</a>. The article discusses the rise in prices for
“plans” you can buy from Google, which include storing
videos in the “cloud”—another word for someone
else's computer.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202308220">
<!--#set var="DATE" value='<small class="date-tag">2023-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some Bambu Lab 3D printers were reported to <a
href="https://arstechnica.com/gadgets/2023/08/3d-printers-print-break-on-their-own-due-to-cloud-outage/">
start printing without the user's consent</a>, as a result of a malfunction
of the servers to which they were tethered. This caused significant
damage.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202307040">
<!--#set var="DATE" value='<small class="date-tag">2023-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.theguardian.com/technology/2023/jul/04/smile-youre-on-camera-self-driving-cars-are-here-and-theyre-watching-you">
Driverless cars in San Francisco collect videos constantly</a>, using
cameras inside and outside, and governments have already collected
those videos secretly.</p>
<p>As the Surveillance Technology Oversight Project says, they are
“driving us straight into authoritarianism.” We must <a
href="/philosophy/surveillance-vs-democracy.html">regulate <em>all</em>
cameras that collect images that can be used to track people</a>,
to make sure they are not used for that.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202305100">
<!--#set var="DATE" value='<small class="date-tag">2023-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>HP delivers printers with a
universal back door, and recently used it to <a
href="https://www.theguardian.com/money/2023/may/10/how-can-hp-block-me-from-using-a-cheaper-printer-cartridge">
sabotage them by remotely installing malware</a>. The malware makes the
printer refuse to function with non-HP ink cartridges, and even with old
HP cartridges which HP now declares to have “expired.”
HP calls the back door “dynamic security,”
and has the gall to claim that this “security” protects
users from malware.</p>
<p>If you own an HP printer that can still use non-HP cartridges,
we urge you to disconnect it from the internet. This will ensure that
HP doesn't sabotage it by “updating” its software.</p>
<p><small>Note how the author of the Guardian article credulously
repeats HP's assertion that the “dynamic security”
feature protects users against malware, not recognizing that the
article demonstrates it does the opposite.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202305040">
<!--#set var="DATE" value='<small class="date-tag">2023-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Controlling Honeywell internet thermostats with the dedicated
app has proven unreliable, due to <a
href="https://piunikaweb.com/2022/03/15/honeywell-total-connect-comfort-app-website-not-working-issue/">
recurrent connection issues with the server these thermostats are
tethered to</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202209000">
<!--#set var="DATE" value='<small class="date-tag">2022-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a hreflang="ja"
href="https://ja.wikipedia.org/wiki/B-CAS">B-CAS</a> <a
href="#m1">[1]</a> is the digital restrictions management (DRM) system
used by Japanese TV broadcasters, including NHK (public-service TV).
It is sold
by the B-CAS company, which has a de-facto monopoly on it. Initially
intended for pay-TV, its use was extended to digital free-to-air
broadcasting as a means to enforce restrictions on copyrighted
works. The system encrypts works that permit free redistribution
just like other works, thus denying users their nominal rights.</p>
<p>On the client side, B-CAS is typically implemented by a card
that plugs into a compatible receiver, or alternatively by a tuner
card that plugs into a computer. Besides implementing drastic copying
and viewing restrictions, this system gives broadcasters full power
over users, through back doors among other means. For example:</p>
<ul>
<li>It can force messages to the user's TV screen, and the user
can't turn them off.</li>
<li>It can collect viewing information and send it to other
companies to take surveys. Until 2011, user registration was
required, so the viewing habits of each customer were recorded. We
don't know whether this personal information was deleted from the
company's servers after 2011.</li>
<li>Each card has an ID, which enables broadcasters to force
customer-specific updates via the back door normally used to update
the decryption key. Thus pay-TV broadcasters can disable decryption
of the broadcast wave if subscription fees are not paid on time.
This feature could also be used by any broadcaster (possibly
instructed by the government) to stop certain persons from watching
TV.</li>
<li>As the export of B-CAS cards is illegal, people outside Japan
can't (officially) decrypt the satellite broadcast signal that may
spill over to their location. They are thus deprived of a valuable
source of information about what happens in Japan.</li>
</ul>
<p>These unacceptable restrictions led to a sort of cat-and-mouse
game, with some users doing their best to bypass the system, and
broadcasters trying to stop them without much success: cryptographic
keys were retrieved through the back door of the B-CAS card, illegal
cards were made and sold on the black market, as well as a tuner for
PC that disables the copy control signal.</p>
<p>While B-CAS cards are still in use with older equipment, modern
high definition TVs have an even nastier version of this DRM (called
ACAS) in a special chip that is built into the receiver. The chip
can update its own software from the company's servers, even when
the receiver is turned off (but still plugged into an outlet). This
feature could be abused to disable stored TV programs that the power
in place doesn't agree with, thus interfering with free speech.</p>
<p>Being part of the receiver, the ACAS chip is supposed to be
tamper-resistant. Time will tell…</p>
<p id="m1"><small>[1] We thank the free software supporter who
translated this article from Japanese, and shared his experience of
B-CAS with us. (Unfortunately, the article presents DRM as a good
thing.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202208070">
<!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some Epson printers are programmed to <a
href="https://hardware.slashdot.org/story/22/08/07/0350244/epson-programs-some-printers-to-stop-operating-claiming-danger-of-ink-spills">
stop working after they have printed a predetermined number
of pages</a>, on the pretext that ink pads become saturated
with ink. This constitutes an unacceptable infringement on
users' freedom to use their printers as they wish, and on their <a
href="https://fighttorepair.substack.com/p/citing-danger-of-ink-spills-epson">
right to repair them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202204140">
<!--#set var="DATE" value='<small class="date-tag">2022-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Today's “smart” TVs <a
href="https://www.techdirt.com/2022/04/14/its-still-stupidly-ridiculously-difficult-to-buy-a-dumb-tv/">
push people to surrender to tracking via internet</a>. Some won't work
unless they have a chance to download nonfree software. And they are
designed for programmed obsolescence.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202202190">
<!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Hewlett-Packard is <a
href="https://www.theguardian.com/money/2022/feb/19/how-cheap-ink-cartridges-can-cost-you-dear">
implementing DRM in its printers</a> so they refuse to print with
ink cartridges from another supplier.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202202150">
<!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.eff.org/deeplinks/2022/02/worst-timeline-printer-company-putting-drm-paper-now">
Dymo is now embedding DRM in the paper rolls for its label
printers</a> to make those printers reject equivalent paper rolls made
by other companies. This is implemented by an RFID tag, which keeps
track of how many labels remain on the roll, and blocks further
printing when the roll is empty—an efficient way to prevent
reusing the same RFID with a third-party roll.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202201290">
<!--#set var="DATE" value='<small class="date-tag">2022-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>“Smart” TV manufacturers <a
href="https://www.theguardian.com/technology/2022/jan/29/what-your-smart-tv-knows-about-you-and-how-to-stop-it-harvesting-data">
spy on people using various methods</a>, and harvest their
data. They are collecting audio, video, and TV usage data to profile
people.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202111201">
<!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>NordicTrack, a company that sells
exercise machines with the ability to show videos, <a
href="https://arstechnica.com/information-technology/2021/11/locked-out-of-god-mode-runners-are-hacking-their-treadmills/">limits
what people can watch, and recently disabled a feature</a> that was
originally functional. This happened through an automatic update and
probably involved a universal back door.</p>
</li>
<li id="M202110160">
<!--#set var="DATE" value='<small class="date-tag">2021-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Canon's all-in-one printer, scanner, and fax machine <a
href="https://www.bleepingcomputer.com/news/legal/canon-sued-for-disabling-scanner-when-printers-run-out-of-ink/">will
stop you from using any of its features if it's out of ink</a>! Since
there's no need for ink to use scan or fax, Canon is being sued by its
customers for this malicious behavior. The proprietary software
installed on Canon machines arbitrarily restricts users from using
their device as they wish.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202108240">
<!--#set var="DATE" value='<small class="date-tag">2021-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Recent Samsung TVs have a back door with which Samsung can <a
href="https://www.pcmag.com/news/samsung-can-remotely-disable-any-of-its-tvs-worldwide">
brick them remotely</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202101050">
<!--#set var="DATE" value='<small class="date-tag">2021-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Most Internet connected devices in Mozilla's <a
href="https://www.mozillafoundation.org/privacynotincluded/">“Privacy
Not Included”</a> list <a
href="https://www.mozillafoundation.org/privacynotincluded/arlo-video-doorbell/">are
designed to snoop on users</a> even if they meet
Mozilla's “Minimum Security Standards.” Insecure
design of the program running on some of these devices <a
href="https://www.mozillafoundation.org/privacynotincluded/vibratissimo-panty-buster/">makes
the user susceptible to being snooped on and exploited by crackers as
well</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202011230">
<!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some Wavelink and JetStream wifi routers have
universal back doors that enable unauthenticated
users to remotely control not only the routers, but
also any devices connected to the network. There is evidence that <a
href="https://cybernews.com/security/walmart-exclusive-routers-others-made-in-china-contain-backdoors-to-control-devices/">
this vulnerability is actively exploited</a>.</p>
<p>If you consider buying a router, we encourage you to get one
that <a href="https://ryf.fsf.org/categories/routers">runs on free
software</a>. Any attempts at introducing malicious functionalities in
it (e.g., through a firmware update) will be detected by the community,
and soon corrected.</p>
<p>If unfortunately you own a router that runs on
proprietary software, don't panic! You may be able to
replace its firmware with a free operating system such as <a
href="https://librecmc.org">libreCMC</a>. If you don't know how,
you can get help from a nearby GNU/Linux user group.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202007280">
<!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Focals eyeglass display, with snooping
microphone, has been eliminated. Google eliminated
it by buying the manufacturer and shutting it down. It also <a
href="https://www.ctvnews.ca/sci-tech/article/canadian-smart-glasses-going-offline-weeks-after-company-bought-by-google/">shut
down the server these devices depend on</a>, which caused the ones
already sold to cease to function.</p>
<p>It may be a good thing to wipe out this product—for
“smart,” read “snoop”—but Google
didn't do that for the sake of privacy. Rather, it was eliminating
competition for its own snooping product.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202007270">
<!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Mellow sous-vide cooker is
tethered to a server. The company suddenly <a
href="https://www.slashgear.com/mellow-sous-vide-owners-get-unwelcome-subscription-surprise-28630842/">
turned this tethering into a subscription</a>, forbidding users from
taking advantage of the “advanced features” of the cooker
unless they pay a monthly fee.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202006250">
<!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>TV manufacturers are able to <a
href="https://www.zdnet.com/article/fbi-warns-about-snoopy-smart-tvs-spying-on-you/">snoop
every second of what the user is watching</a>. This is illegal due to
the Video Privacy Protection Act of 1988, but they're circumventing
it through EULAs.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202006160">
<!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.wired.com/story/ripple20-iot-vulnerabilities/">
A disastrous security bug</a> touches millions of products in the
Internet of Stings.</p>
<p>As a result, anyone can sting the user, not only the
manufacturer.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202005070">
<!--#set var="DATE" value='<small class="date-tag">2020-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Wink sells a “smart” home hub that is tethered
to a server. In May 2020, it ordered the purchasers to start <a
href="https://www.techhive.com/article/578539/wink-users-revolt-following-its-sudden-shift-to-a-subscription-model.html">
paying a monthly fee for the use of that server</a>. Because of the
tethering, the hub is useless without that.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M202001290">
<!--#set var="DATE" value='<small class="date-tag">2020-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Amazon Ring app does <a
href="https://www.theguardian.com/technology/2020/jan/29/ring-smart-doorbell-company-surveillance-eff-report">
surveillance for other companies as well as for Amazon</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201912170">
<!--#set var="DATE" value='<small class="date-tag">2019-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some security breakers (wrongly referred to in this article as <a
href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>)
managed to interfere with the Amazon Ring proprietary system, and <a
href="https://www.theguardian.com/technology/2019/dec/13/ring-hackers-reportedly-watching-talking-strangers-in-home-cameras">access
its camera, speakers and microphones</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201912110">
<!--#set var="DATE" value='<small class="date-tag">2019-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>As tech companies add microphones to a wide range
of products, including refrigerators and motor vehicles,
they also set up transcription farms where human employees <a
href="https://getpocket.com/explore/item/silicon-valley-got-millions-to-let-siri-and-alexa-listen-in">
listen to what people say</a> and tweak the recognition algorithms.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201911190">
<!--#set var="DATE" value='<small class="date-tag">2019-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Internet-tethered Amazon Ring had
a security vulnerability that enabled attackers to <a
href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password">
access the user's wifi password</a>, and snoop on the household
through connected surveillance devices.</p>
<p>Knowledge of the wifi password would not be sufficient to carry
out any significant surveillance if the devices implemented proper
security, including encryption. But many devices with proprietary
software lack this. Of course, they are also used by their
manufacturers for snooping.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201909061">
<!--#set var="DATE" value='<small class="date-tag">2019-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Best Buy made controllable appliances and <a
href="https://www.theverge.com/2019/9/6/20853671/best-buy-connect-insignia-smart-plug-wifi-freezer-mobile-app-shutdown-november-6">
shut down the service to control them through</a>.</p>
<p>Best Buy acknowledged that it was mistreating its customers by
doing so, and offered reimbursement of the affected appliances. The
fact remains, however, that tethering a device to a server is a way
of restricting and harassing users. The nonfree software in the
device is what stops users from cutting the tether.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201904260">
<!--#set var="DATE" value='<small class="date-tag">2019-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Jibo robot toys were tethered to the manufacturer's server,
and <a href="https://apnews.com/article/san-francisco-north-america-technology-business-ap-top-news-99c9ec8ebad242ca88178e22c7642648">
the company made them all cease to work</a> by shutting down that
server.</p>
<p>The shutdown might ironically be good for their users, since the
product was designed to manipulate people by presenting a phony
semblance of emotions, and was most certainly spying on them.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201903250">
<!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The British supermarket Tesco sold tablets which were tethered
to Tesco's server for reinstalling default settings. Tesco <a
href="https://www.theguardian.com/money/2019/mar/25/tesco-hudl-tablet-support-kill-fix">
turned off the server for old models</a>, so now if you try to
reinstall the default settings, it bricks them instead.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201903210">
<!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Medtronic Conexus Telemetry Protocol has <a
href="https://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/">
two vulnerabilities that affect several models of implantable
defibrillators</a> and the devices they connect to.</p>
<p>This protocol has been around since 2006, and similar
vulnerabilities were discovered in an earlier Medtronic communication
protocol in 2008. Apparently, nothing was done by the company to
correct them. This means you can't rely on proprietary software
developers to fix bugs in their products.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201902270">
<!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Ring (now Amazon) doorbell camera is designed so that the
manufacturer (now Amazon) can watch all the time. Now it turns out
that <a
href="https://web.archive.org/web/20190918024432/https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/">
anyone else can also watch, and fake videos too</a>.</p>
<p>The third-party vulnerability is presumably
unintentional and Amazon will probably fix it. However, we
do not expect Amazon to change the design that <a
href="/proprietary/proprietary-surveillance.html#M201901100">allows
Amazon to watch</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201902080">
<!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The HP <a
href="https://boingboing.net/2019/02/08/inkjet-dystopias.html">
“ink subscription” cartridges have DRM that constantly
communicates with HP servers</a> to make sure the user is still
paying for the subscription, and hasn't printed more pages than were
paid for.</p>
<p>Even though the ink subscription program may be cheaper in some
specific cases, it spies on users, and involves totally unacceptable
restrictions on the use of ink cartridges that would otherwise be in
working order.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201901100">
<!--#set var="DATE" value='<small class="date-tag">2019-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Amazon Ring “security” devices <a
href="https://www.engadget.com/2019-01-10-ring-gave-employees-access-customer-video-feeds.html">
send the video they capture to Amazon servers</a>, which save it
long-term.</p>
<p>In many cases, the video shows everyone that comes near, or merely
passes by, the user's front door.</p>
<p>The article focuses on how Ring used to let individual employees look
at the videos freely. It appears Amazon has tried to prevent that
secondary abuse, but the primary abuse—that Amazon gets the
video—Amazon expects society to surrender to.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201901070">
<!--#set var="DATE" value='<small class="date-tag">2019-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Vizio TVs <a
href="https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019">
collect “whatever the TV sees,”</a> in the words of the company's own
CTO, and this data is sold to third parties. This is in return for
“better service” (meaning more intrusive ads?) and slightly
lower retail prices.</p>
<p>What is supposed to make this spying acceptable, according to him,
is that it is opt-in in newer models. But since the Vizio software is
nonfree, we don't know what is actually happening behind the scenes,
and there is no guarantee that all future updates will leave the
settings unchanged.</p>
<p>If you already own a Vizio “smart” TV (or any “smart” TV, for that
matter), the easiest way to make sure it isn't spying on you is
to disconnect it from the Internet, and use a terrestrial antenna
instead. Unfortunately, this is not always possible. Another option,
if you are technically oriented, is to get your own router (which can
be an old computer running completely free software), and set up a
firewall to block connections to Vizio's servers. Or, as a last resort,
you can replace your TV with another model.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201810300">
<!--#set var="DATE" value='<small class="date-tag">2018-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Nearly all “home security cameras” <a
href="https://www.consumerreports.org/privacy/d-link-camera-poses-data-security-risk--consumer-reports-finds-a8814384448/">
give the manufacturer an unencrypted copy of everything they
see</a>. “Home insecurity camera” would be a better
name!</p>
<p>When Consumer Reports tested them, it suggested that these
manufacturers promise not to look at what's in the videos. That's not
security for your home. Security means making sure they don't get to
see through your camera.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201810150">
<!--#set var="DATE" value='<small class="date-tag">2018-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Printer manufacturers are very innovative—at blocking the
use of independent replacement ink cartridges. Their “security
upgrades” occasionally impose new forms of cartridge DRM. <a
href="https://www.vice.com/en/article/pa98ab/printer-makers-are-crippling-cheap-ink-cartridges-via-bogus-security-updates">
HP and Epson have done this</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201809260">
<!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Honeywell's “smart” thermostats communicate
only through the company's server. They have
all the nasty characteristics of such devices: <a
href="https://www.businessinsider.com/honeywell-iot-thermostats-server-outage-2018-9">
surveillance, and danger of sabotage</a> (of a specific user, or of
all users at once), as well as the risk of an outage (which is what
just happened).</p>
<p>In addition, setting the desired temperature requires running
nonfree software. With an old-fashioned thermostat, you can do it
using controls right on the thermostat.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201809240">
<!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Researchers have discovered how to <a
href="https://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co">
hide voice commands in other audio</a>, so that people cannot hear
them, but Alexa and Siri can.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201807050">
<!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Jawbone fitness tracker was tethered to a proprietary phone
app. In 2017, the company shut down and made the app stop working. <a
href="https://www.theguardian.com/technology/2018/jul/05/defunct-jawbone-fitness-trackers-kept-selling-after-app-closure-says-which">All
the existing trackers stopped working forever</a>.</p>
<p>The article focuses on a further nasty fillip, that sales of the
broken devices continued. But we think that is a secondary issue;
it made the nasty consequences extend to some additional people.
The fundamental wrong was to design the devices to depend on something
else that didn't respect users' freedom.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201804140">
<!--#set var="DATE" value='<small class="date-tag">2018-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A medical insurance company <a
href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next/">
offers a gratis electronic toothbrush that snoops on its user by
sending usage data back over the Internet</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201804010">
<!--#set var="DATE" value='<small class="date-tag">2018-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some “Smart” TVs automatically <a
href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928">
load downgrades that install a surveillance app</a>.</p>
<p>We link to the article for the facts it presents. It
is too bad that the article finishes by advocating the
moral weakness of surrendering to Netflix. The Netflix app <a
href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is
malware too</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201802120">
<!--#set var="DATE" value='<small class="date-tag">2018-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Apple devices lock users in <a
href="https://gizmodo.com/homepod-is-the-ultimate-apple-product-in-a-bad-way-1822883347">
solely to Apple services</a> by being designed to be incompatible
with all other options, ethical or unethical.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201712240">
<!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>One of the dangers of the “internet of stings”
is that, if you lose your internet service, you also <a
href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/">
lose control of your house and appliances</a>.</p>
<p>For your safety, don't use any appliance with a connection to the
real internet.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201711200">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Amazon recently invited consumers to be suckers and <a
href="https://www.techdirt.com/2017/11/22/vulnerability-found-amazon-key-again-showing-how-dumber-tech-is-often-smarter-option/">
allow delivery staff to open their front doors</a>. Wouldn't you know
it, the system has a grave security flaw.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201711100">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A remote-control sex toy was found to make <a
href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-surveillance">audio
recordings of the conversation between two users</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201711080">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Logitech will sabotage
all Harmony Link household control devices by <a
href="https://arstechnica.com/gadgets/2017/11/logitech-to-shut-down-service-and-support-for-harmony-link-devices-in-2018/">
turning off the server through which the products' supposed owners
communicate with them</a>.</p>
<p>The owners suspect this is to pressure them to buy a newer model. If
they are wise, they will learn, rather, to distrust any product that
requires users to talk with them through some specialized service.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201711010">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Sony has brought back its robotic pet Aibo, this time <a
href="https://www.vice.com/en/article/bj778v/sony-wants-to-sell-you-a-subscription-to-a-robot-dog-aibo-90s-pet">
with a universal back door, and tethered to a server that requires
a subscription</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201710040.1">
<!--#set var="DATE" value='<small class="date-tag">2017-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Canary home surveillance
camera has been sabotaged by its manufacturer, <a
href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change">
turning off many features unless the user starts paying for a
subscription</a>.</p>
<p>With manufacturers like these, who needs security breakers?</p>
<p>The purchasers should learn the larger lesson and reject connected
appliances with embedded proprietary software. Every such product is
a temptation to commit sabotage.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201710040">
<!--#set var="DATE" value='<small class="date-tag">2017-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Every “home security” camera, if its
manufacturer can communicate with it, is a surveillance device. <a
href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change">
The Canary camera is an example</a>.</p>
<p>The article describes wrongdoing by the manufacturer, based on
the fact that the device is tethered to a server.</p>
<p><a href="/proprietary/proprietary-tethers.html">More about
proprietary tethering</a>.</p>
<p>But it also demonstrates that the device gives the company
surveillance capability.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201709200">
<!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A “smart” intravenous pump
designed for hospitals is connected to the internet. Naturally <a
href="https://www.techdirt.com/2017/09/22/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack/">
its security has been cracked</a>.</p>
<p><small>(Note that this article misuses the term <a
href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>
referring to crackers.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201708280">
<!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The bad security in many Internet of Stings devices allows <a
href="https://www.techdirt.com/2017/08/28/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you/">ISPs
to snoop on the people that use them</a>.</p>
<p>Don't be a sucker—reject all the stings.</p>
<p><small>(It is unfortunate that the article uses the term <a
href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201708230">
<!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Sonos <a
href="https://www.zdnet.com/article/sonos-accept-new-privacy-policy-speakers-cease-to-function/">
told all its customers, “Agree”
to snooping or the product will stop working</a>. <a
href="https://www.consumerreports.org/consumerist/sonos-holds-software-updates-hostage-if-you-dont-sign-new-privacy-agreement/">
Another article</a> says they won't forcibly change the software, but
people won't be able to get any upgrades and eventually it will
stop working.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201708040">
<!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>While you're using a DJI drone
to snoop on other people, DJI is in many cases <a
href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping
on you</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201706200">
<!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many models of Internet-connected cameras
are tremendously insecure. They have login
accounts with hard-coded passwords, which can't be changed, and <a
href="https://arstechnica.com/information-technology/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">there
is no way to delete these accounts either</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201705250">
<!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The proprietary code that runs pacemakers,
insulin pumps, and other medical devices is <a
href="https://www.bbc.com/news/technology-40042584"> full of gross
security faults</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201705180">
<!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Bird and rabbit pets were implemented for Second
Life by a company that tethered their food to a server. <a
href="https://www.rockpapershotgun.com/second-life-ozimals-pet-rabbits-dying">
It shut down the server and the pets more or less died</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201704190">
<!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Users are suing Bose for <a
href="https://web.archive.org/web/20170423010030/https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/">
distributing a spyware app for its headphones</a>. Specifically,
the app would record the names of the audio files users listen to
along with the headphones' unique serial number.</p>
<p>The suit alleges that this was done without the users' consent.
If the fine print of the app said that users gave consent for this,
would that make it acceptable? No way! It should be flat out <a
href="/philosophy/surveillance-vs-democracy.html"> illegal to design
the app to snoop at all</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201704120">
<!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Anova sabotaged users' cooking devices
with a downgrade that tethered them to a remote server. <a
href="https://web.archive.org/web/20170415145520/https://consumerist.com/2017/04/12/anova-ticks-off-customers-by-requiring-mandatory-accounts-to-cook-food/">Unless
users create an account on Anova's servers, their cookers won't
function</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201703270">
<!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>When Miele's Internet of
Stings hospital disinfectant dishwasher is <a
href="https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit">
connected to the Internet, its security is crap</a>.</p>
<p>For example, a cracker can gain access to the dishwasher's
filesystem, infect it with malware, and force the dishwasher to launch
attacks on other devices in the network. Since these dishwashers are
used in hospitals, such attacks could potentially put hundreds of
lives at risk.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201703140">
<!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A computerized vibrator <a
href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack">
was snooping on its users through the proprietary control app</a>.</p>
<p>The app was reporting the temperature of the vibrator minute by
minute (thus, indirectly, whether it was surrounded by a person's
body), as well as the vibration frequency.</p>
<p>Note the totally inadequate proposed response: a labeling
standard with which manufacturers would make statements about their
products, rather than free software which users could have checked
and changed.</p>
<p>The company that made the vibrator <a
href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit">
was sued for collecting lots of personal information about how people
used it</a>.</p>
<p>The company's statement that it was anonymizing the data may be
true, but it doesn't really matter. If it had sold the data to a data
broker, the data broker would have been able to figure out who the
user was.</p>
<p>Following this lawsuit, <a
href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits">
the company has been ordered to pay a total of C$4m</a> to its
customers.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201703070">
<!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The CIA exploited existing vulnerabilities
in “smart” TVs and phones to design malware that <a
href="https://www.independent.co.uk/tech/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html">
spies through their microphones and cameras while making them appear
to be turned off</a>. Since the spyware sniffs signals, it bypasses
encryption.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201702280">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>“CloudPets” toys with microphones <a
href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults">
leak children's conversations to the manufacturer</a>. Guess what? <a
href="https://www.vice.com/en/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings">
Crackers found a way to access the data</a> collected by the
manufacturer's snooping.</p>
<p>That the manufacturer and the FBI could listen to these
conversations was unacceptable by itself.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201702200">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>If you buy a used “smart”
car, house, TV, refrigerator, etc., usually <a
href="https://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the
previous owners can still remotely control it</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201702060">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Vizio “smart” <a
href="https://www.ftc.gov/business-guidance/blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs
report everything that is viewed on them, and not just broadcasts and
cable</a>. Even if the image is coming from the user's own computer,
the TV reports what it is. The existence of a way to disable the
surveillance, even if it were not hidden as it was in these TVs,
does not legitimize the surveillance.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201701271">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A cracker would be able to <a
href="https://uploadvr.com/hackable-webcam-oculus-sensor-be-aware/">
turn the Oculus Rift sensors into spy cameras</a> after breaking into
the computer they are connected to.</p>
<p><small>(Unfortunately, the article <a
href="/philosophy/words-to-avoid.html#Hacker">improperly refers
to crackers as “hackers”</a>.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201612230">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>VR equipment, measuring every slight motion,
creates the potential for the most intimate
surveillance ever. All it takes to make this potential real <a
href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is
software as malicious as many other programs listed in this
page</a>.</p>
<p>You can bet Facebook will implement the maximum possible
surveillance on Oculus Rift devices. The moral is, never trust a VR
system with nonfree software in it.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201612200">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The developer of Ham Radio Deluxe <a
href="https://www.techdirt.com/2016/12/22/software-company-shows-how-not-to-handle-negative-review/">sabotaged
a customer's installation as punishment for posting a negative
review</a>.</p>
<p>Most proprietary software companies don't use their power so
harshly, but it is an injustice that they all <em>have</em> such
power.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201612060.1">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The “smart” toys My Friend Cayla and i-Que can be <a
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/">remotely
controlled with a mobile phone</a>; physical access is not
necessary. This would enable crackers to listen in on a child's
conversations, and even speak into the toys themselves.</p>
<p>This means a burglar could speak into the toys and ask the child
to unlock the front door while Mommy's not looking.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201609200">
<!--#set var="DATE" value='<small class="date-tag">2016-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>HP's firmware downgrade <a
href="https://www.theguardian.com/technology/2016/sep/20/hp-inkjet-printers-unofficial-cartridges-software-update">imposed
DRM on some printers, which now refuse to function with third-party
ink cartridges</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201608080">
<!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Ransomware <a
href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/">
has been developed for a thermostat that uses proprietary
software</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201605020">
<!--#set var="DATE" value='<small class="date-tag">2016-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Samsung's “Smart Home” has a big security hole; <a
href="https://arstechnica.com/information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/">
unauthorized people can remotely control it</a>.</p>
<p>Samsung claims that this is an “open” platform so the
problem is partly the fault of app developers. That is clearly true
if the apps are proprietary software.</p>
<p>Anything whose name is “Smart” is most likely going
to screw you.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201604110">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Malware was found on <a
href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html">
security cameras available through Amazon</a>.</p>
<p>A camera that records locally on physical media, and has no network
connection, does not threaten people with surveillance—neither
by watching people through the camera, nor through malware in the
camera.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201604050">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Revolv is a device that managed “smart home”
operations: switching lights, operating motion sensors, regulating
temperature, etc. Its proprietary software depends on a remote server
to do these tasks. On May 15th, 2016, Google/Alphabet <a
href="https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be">intentionally
broke it by shutting down the server</a>.</p>
<p>If it were free software, users would have the ability to make it
work again, differently, and then have a freedom-respecting home
instead of a “smart” home. Don't let proprietary software
control your devices and turn them into $300 out-of-warranty
bricks. Insist on self-contained computers that run free software!</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201603220">
<!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Over 70 brands of network-connected surveillance cameras have <a
href="https://web.archive.org/web/20250117130741/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">
security bugs that allow anyone to watch through them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201601100">
<!--#set var="DATE" value='<small class="date-tag">2016-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The <a
href="https://michaelweinberg.org/post/137045828005/free-the-cube">
“Cube” 3D printer was designed with DRM</a>: it
won't accept third-party printing materials. It is the Keurig of
printers. Now it is being discontinued, which means that eventually
authorized materials won't be available and the printers may become
unusable.</p>
<p>With a <a
href="https://www.fsf.org/resources/hw/endorsement/aleph-objects">
printer that gets the Respects Your Freedom certification</a>, this problem would
not even be a remote possibility.</p>
<p>How pitiful that the author of that article says that there was
“nothing wrong” with designing the device to restrict
users in the first place. This is like putting a “cheat me and
mistreat me” sign on your chest. We should know better: we
should condemn all companies that take advantage of people like him.
Indeed, it is the acceptance of their unjust practice that teaches
people to be doormats.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201512140">
<!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Philips “smart” lightbulbs had initially been
designed to interact with other companies' smart light bulbs, but <a
href="https://www.techdirt.com/2015/12/14/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update/">
later the company updated the firmware to disallow
interoperability</a>.</p>
<p>If a product is “smart”, and you didn't build it,
it is cleverly serving its manufacturer <em>against you</em>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201512074">
<!--#set var="DATE" value='<small class="date-tag">2015-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.computerworld.com/article/2705284/backdoor-found-in-d-link-router-firmware-code.html">
Some D-Link routers</a> have a back door for changing settings in a
dlink of an eye.</p>
<p><a href="https://sekurak.pl/tp-link-httptftp-backdoor/"> The TP-Link
router has a back door</a>.</p>
<p><a href="https://gothub.projectsegfau.lt/elvanderb/TCP-32764/">Many models of
routers have back doors</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201511250">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Nest Cam “smart” camera is <a
href="https://www.bbc.com/news/technology-34922712">always watching</a>,
even when the “owner” switches it “off.”</p>
<p>A “smart” device means the manufacturer is using it
to outsmart you.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201511198">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>ARRIS cable modem has a <a
href="https://w00tsec.blogspot.de/2015/11/arris-cable-modem-has-backdoor-in.html?m=1">
back door in the back door</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201511130">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some web and TV advertisements play inaudible
sounds to be picked up by proprietary malware running
on other devices in range so as to determine that they
are nearby. Once your Internet devices are paired with
your TV, advertisers can correlate ads with Web activity, and other <a
href="https://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/">
cross-device tracking</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201511060">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Vizio goes a step further than other TV
manufacturers in spying on their users: their <a
href="https://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you">
“smart” TVs analyze your viewing habits in detail and
link them to your IP address</a> so that advertisers can track you
across devices.</p>
<p>It is possible to turn this off, but having it enabled by default
is an injustice already.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201511020">
<!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Tivo's alliance with Viacom adds 2.3 million households
to the 600 million social media profiles the company
already monitors. Tivo customers are unaware they're
being watched by advertisers. By combining TV viewing
information with online social media participation, Tivo can now <a
href="https://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102/">
correlate TV advertisement with online purchases</a>, exposing all
users to new combined surveillance by default.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201510210">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>FitBit fitness trackers have a <a
href="https://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/">
Bluetooth vulnerability</a> that allows attackers to send malware
to the devices, which can subsequently spread to computers and other
FitBit trackers that interact with them.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201510200">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>“Self-encrypting” disk drives
do the encryption with proprietary firmware so you
can't trust it. Western Digital's “My Passport” drives <a
href="https://www.vice.com/en/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption">
have a back door</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201507240">
<!--#set var="DATE" value='<small class="date-tag">2015-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Vizio “smart” TVs recognize and <a
href="https://www.engadget.com/2015-07-24-vizio-ipo-inscape-acr.html">track
what people are watching</a>, even if it isn't a TV channel.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201506080">
<!--#set var="DATE" value='<small class="date-tag">2015-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Due to bad security in a drug pump, crackers could use it to <a
href="https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/">
kill patients</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201505290">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Verizon cable TV <a
href="https://arstechnica.com/information-technology/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/">
snoops on what programs people watch, and even what they wanted to
record</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201505050">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Hospira infusion pumps, which are used
to administer drugs to a patient, were rated “<a
href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/">least
secure IP device I've ever seen</a>” by a security
researcher.</p>
<p>Depending on what drug is being infused, the insecurity could open
the door to murder.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201504300">
<!--#set var="DATE" value='<small class="date-tag">2015-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Vizio <a
href="https://boingboing.net/2015/04/30/telescreen-watch-vizio-adds-s.html">
used a firmware “upgrade” to make its TVs snoop on what
users watch</a>. The TVs did not do that when first sold.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201502180">
<!--#set var="DATE" value='<small class="date-tag">2015-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Barbie <a
href="https://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is
going to spy on children and adults</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201502090">
<!--#set var="DATE" value='<small class="date-tag">2015-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Samsung “Smart” TV <a
href="https://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm">
transmits users' voice on the internet to another company, Nuance</a>.
Nuance can save it and would then have to give it to the US or some
other government.</p>
<p>Speech recognition is not to be trusted unless it is done by free
software in your own computer.</p>
<p>In its privacy policy, Samsung explicitly confirms that <a
href="https://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice
data containing sensitive information will be transmitted to third
parties</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201411090">
<!--#set var="DATE" value='<small class="date-tag">2014-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Amazon “Smart” TV is <a
href="https://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">
snooping all the time</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201409290">
<!--#set var="DATE" value='<small class="date-tag">2014-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>More or less all “smart” TVs <a
href="https://myce.wiki/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy
on their users</a>.</p>
<p>The report was as of 2014, but we don't expect this has got
better.</p>
<p>This shows that laws requiring products to get users' formal
consent before collecting personal data are totally inadequate.
And what happens if a user declines consent? Probably the TV will
say, “Without your consent to tracking, the TV will not
work.”</p>
<p>Proper laws would say that TVs are not allowed to report what the
user watches—no exceptions!</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201407170">
<!--#set var="DATE" value='<small class="date-tag">2014-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="nest-thermometers">Nest thermometers send <a
href="https://bgr.com/general/google-nest-jailbreak-hack/">a lot of
data about the user</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201405200.1">
<!--#set var="DATE" value='<small class="date-tag">2014-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>LG <a
href="https://www.techdirt.com/2014/05/20/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties/">
disabled network features</a> on <em>previously purchased</em>
“smart” TVs, unless the purchasers agreed to let LG begin
to snoop on them and distribute their personal data.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201405200">
<!--#set var="DATE" value='<small class="date-tag">2014-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Spyware in LG “smart” TVs <a
href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">
reports what the user watches, and the switch to turn this off has
no effect</a>. (The fact that the transmission reports a 404 error
really means nothing; the server could save that data anyway.)</p>
<p>Even worse, it <a
href="https://rrrrambles.wordpress.com/2013/11/21/lg-tv-logging-filenames-from-network-folders/">
snoops on other devices on the user's local network</a>.</p>
<p>LG later said it had installed a patch to stop this, but any
product could spy this way.</p>
<p>Meanwhile, LG TVs <a
href="https://www.techdirt.com/2014/05/20/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties/">
do lots of spying anyway</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201404250">
<!--#set var="DATE" value='<small class="date-tag">2014-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Lots of <a
href="https://www.wired.com/2014/04/hospital-equipment-vulnerable/">
hospital equipment has lousy security</a>, and it can be fatal.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201312290">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a href="https://www.bunniestudios.com/blog/?p=3554"> Some flash
memories have modifiable software</a>, which makes them vulnerable
to viruses.</p>
<p>We don't call this a “back door” because it is normal
that you can install a new system in a computer, given physical access
to it. However, memory sticks and cards should not be modifiable in
this way.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201312040">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://arstechnica.com/information-technology/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/">
Point-of-sale terminals running Windows were taken over</a> and
turned into a botnet for the purpose of collecting customers' credit
card numbers.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201311210">
<!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Spyware in LG “smart” TVs <a
href="https://doctorbeet.blogspot.com/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">
reports what the user watches, and the switch to turn this off has
no effect</a>. (The fact that the transmission reports a 404 error
really means nothing; the server could save that data anyway.)</p>
<p>Even worse, it <a
href="https://rrrrambles.wordpress.com/2013/11/21/lg-tv-logging-filenames-from-network-folders/">
snoops on other devices on the user's local network</a>.</p>
<p>LG later said it had installed a patch to stop this, but any
product could spy this way.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201310070">
<!--#set var="DATE" value='<small class="date-tag">2013-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="bluray"><a
href="https://web.archive.org/web/20131007102857/http://www.nclnet.org/technology/73-digital-rights-management/124-whos-driving-the-copyright-laws-consumers-insist-on-the-right-to-back-it-up">
DVDs and Blu-ray disks have DRM</a>.</p>
<p>That page uses spin terms that favor DRM, including <a
href="/philosophy/words-to-avoid.html#DigitalRightsManagement">
digital “rights” management</a> and <a
href="/philosophy/words-to-avoid.html#Protection">“protect”</a>,
and it claims that “artists” (rather than companies)
are primarily responsible for putting digital restrictions management
into these disks. Nonetheless, it is a reference for the facts.</p>
<p>Every Blu-ray disk (with few, rare exceptions) has DRM—so
don't use Blu-ray disks!</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201309050">
<!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The FTC punished a company for making webcams with <a
href="https://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html">
bad security so that it was easy for anyone to watch through
them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201308060">
<!--#set var="DATE" value='<small class="date-tag">2013-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a href="http://spritesmods.com/?art=hddhack&amp;page=6">
Replaceable nonfree software in disk drives can be written by a
nonfree program</a>. This makes any system vulnerable to persistent
attacks that normal forensics won't detect.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201307270">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p> It is possible to <a
href="https://siliconangle.com/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/">
kill people by taking control of medical
implants by radio</a>. More information in <a
href="https://www.bbc.com/news/technology-17631838">BBC
News</a> and <a
href="https://ioactive.com/broken-hearts-how-plausible-was-the-homeland-pacemaker-hack/">
IOActive Labs Research blog</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201307260">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/">
“Smart homes”</a> turn out to be stupidly vulnerable to
intrusion.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201307114">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>HP “storage appliances” that
use the proprietary “Left Hand”
operating system have back doors that give HP <a
href="https://insights.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/">
remote login access</a> to them. HP claims that this does not
give HP access to the customer's data, but if the back door allows
installation of software changes, a change could be installed that
would give access to the customer's data.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201212290">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Cisco TNP IP phones are <a
href="https://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html">
spying devices</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201212180">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Samsung “Smart” TVs have <a
href="https://wiki.samygo.tv/index.php?title=SamyGO_for_DUMMIES#What_are_Restricted_Firmwares.3F">
turned Linux into the base for a tyrant system</a> so as to impose
DRM. What enables Samsung to do this is that Linux is released
under GNU GPL version 2, <a
href="/licenses/rms-why-gplv3.html">not version 3</a>, together with
a weak interpretation of GPL version 2.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201212170">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="break-security-smarttv"><a
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html">
Crackers found a way to break security on a “smart” TV</a>
and use its camera to watch the people who are watching TV.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in malware-appliances.html. -->
<li id="M201210020">
<!--#set var="DATE" value='<small class="date-tag">2012-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some LG TVs <a
href="https://web.archive.org/web/20190917164647/http://openlgtv.org.ru/wiki/index.php/Achievements">
are tyrants</a>.</p>
</li>
</ul>
</div>
</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">
<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF. Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>
<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
replace it with the translation of these two:
We work hard and do our best to provide accurate, good quality
translations. However, we are not exempt from imperfection.
Please send your comments and general suggestions in this regard
to <a href="mailto:web-translators@gnu.org">
&lt;web-translators@gnu.org&gt;</a>.</p>
<p>For information on coordinating and contributing translations of
our web pages, see <a
href="/server/standards/README.translations.html">Translations
README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>
<!-- Regarding copyright, in general, standalone pages (as opposed to
files generated as part of manuals) on the GNU web server should
be under CC BY-ND 4.0. Please do NOT change or remove this
without talking with the webmasters or licensing team first.
Please make sure the copyright date is consistent with the
document. For web pages, it is ok to list just the latest year the
document was modified, or published.
If you wish to list earlier years, that is ok too.
Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
years, as long as each year in the range is in fact a copyrightable
year, i.e., a year in which the document was published (including
being publicly visible on the web or in a revision control system).
There is more detail about copyright years in the GNU Maintainers
Information document, www.gnu.org/prep/maintain. -->
<p>Copyright © 2016-2025 Free Software Foundation, Inc.</p>
<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>
<!--#include virtual="/server/bottom-notes.html" -->
<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2025/05/04 20:06:19 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>