Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers often exercise that power to the detriment of the users they ought to serve.
This page lists clearly established cases of insecurity in proprietary software that have grave consequences or are otherwise noteworthy.
It is incorrect to compare free software with a fictitious idea of proprietary software as perfect, but the press often implicitly does that whenever a security hole in a free program is discovered. The examples below show that proprietary software isn't perfect, and is often quite sloppy.
It would be equally incorrect to compare proprietary software with a fictitious idea of free software as perfect. Every nontrivial program has bugs, and any system, free or proprietary, may have security errors. To err is human, and not culpable. But proprietary software developers frequently disregard gaping holes, or even introduce them deliberately. In any case, they keep users helpless to fix any security problems that arise. Keeping the users helpless is what's culpable about proprietary software.
Crackers found a way to break security on a “smart” TV and use its camera to watch the people who are watching TV.
Many models of Internet-connected cameras have backdoors.
That is a malicious functionality, but in addition it is a gross insecurity since anyone, including malicious crackers, can find those accounts and use them to get into users' cameras.
Conexant HD Audio Driver Package (version 1.0.0.46 and earlier), pre-installed on 28 models of HP laptops, logged the user's keystrokes to a file in the filesystem. Any process with access to the filesystem or the MapViewOfFile API could read the log. Furthermore, according to modzero the “information-leak via Covert Storage Channel enables malware authors to capture keystrokes without taking the risk of being classified as malicious task by AV heuristics”.
The proprietary code that runs pacemakers, insulin pumps, and other medical devices is full of gross security faults.
Exploits of bugs in Windows, which were developed by the NSA and then leaked by the Shadowbrokers group, are now being used to attack a great number of Windows computers with ransomware.
Intel's CPU backdoor—the Intel Management Engine—had a major security vulnerability for 10 years.
The vulnerability allowed a cracker to access the computer's Intel Active Management Technology (AMT) web interface with an empty password, which granted administrative access to the computer's keyboard, mouse and monitor, among other privileges.
It does not help that in newer Intel processors, it is impossible to turn off the Intel Management Engine. Thus, even users who are proactive about their security can do nothing to protect themselves besides using machines that don't come with the backdoor.
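An authentication check that accepts an empty password is almost always a comparison that trusts the length of the string the client supplied. Public analyses of the AMT flaw attributed it to exactly that: the server compared its computed digest against the client's response for only as many bytes as the client sent. The following is an added illustration, not code from this page or from Intel's firmware; the digest value is a constructed stand-in, and the two functions simply contrast the truncated comparison with a length-checked, constant-time one.

```c
/* Added illustration (not from the page or from Intel's code): why an
 * authentication check can accept an empty credential. The digest below is
 * a constructed stand-in for the server's own computed response. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char EXPECTED[] = "5f4dcc3b5aa765d61d8327deb882cf99";

/* Vulnerable pattern: compare only as many bytes as the client sent.
 * strncmp() with n == 0 compares nothing and returns 0, so "" "matches";
 * any correct prefix of the digest matches as well. */
bool auth_truncated(const char *supplied)
{
    return strncmp(EXPECTED, supplied, strlen(supplied)) == 0;
}

/* Hardened: require the full length, then compare every byte without an
 * early exit, so neither a short string nor timing reveals anything. */
bool auth_fixed(const char *supplied)
{
    size_t n = strlen(EXPECTED);
    if (strlen(supplied) != n)
        return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)EXPECTED[i] ^ (uint8_t)supplied[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed probes: empty, a correct prefix, the exact value, a wrong value. */
    const char *probes[] = { "", "5f4d", EXPECTED,
                             "00000000000000000000000000000000" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-34s truncated=%d fixed=%d\n",
               probes[i][0] ? probes[i] : "(empty)",
               (int)auth_truncated(probes[i]), (int)auth_fixed(probes[i]));
    return 0;
}
```

The check for the fixed version is that every input other than the exact digest is rejected; the check for the vulnerable version is that the empty string and any correct prefix are accepted, which is the behaviour the page describes.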
Many Android devices can be hijacked through their Wi-Fi chips because of a bug in Broadcom's non-free firmware.
When Miele's Internet of Stings hospital disinfectant dishwasher is connected to the Internet, its security is crap.
For example, a cracker can gain access to the dishwasher's filesystem, infect it with malware, and force the dishwasher to launch attacks on other devices in the network. Since these dishwashers are used in hospitals, such attacks could potentially put hundreds of lives at risk.
WhatsApp has a feature that has been described as a “back door” because it would enable governments to nullify its encryption.
The developers say that it wasn't intended as a back door, and that may well be true. But that leaves the crucial question of whether it functions as one. Because the program is nonfree, we cannot check by studying it.
The “smart” toys My Friend Cayla and i-Que can be remotely controlled with a mobile phone; physical access is not necessary. This would enable crackers to listen in on a child's conversations, and even speak into the toys themselves.
This means a burglar could speak into the toys and ask the child to unlock the front door while Mommy's not looking.
The mobile apps for communicating with a smart but foolish car have very bad security.
This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is. If you own such a car, it would be wise to disconnect the modem so as to turn off the tracking.
If you buy a used “smart” car, house, TV, refrigerator, etc., usually the previous owners can still remotely control it.
Samsung phones have a security hole that allows an SMS message to install ransomware.
4G LTE phone networks are drastically insecure. They can be taken over by third parties and used for man-in-the-middle attacks.
Due to weak security, it is easy to open the doors of 100 million cars built by Volkswagen.
Ransomware has been developed for a thermostat that uses proprietary software.
A flaw in Internet Explorer and Edge allows an attacker to retrieve Microsoft account credentials, if the user is tricked into visiting a malicious link.
“Deleted” WhatsApp messages are not entirely deleted. They can be recovered in various ways.
A vulnerability in Apple's Image I/O API allowed an attacker to execute malicious code from any application that uses this API to render a certain kind of image file.
A bug in a proprietary ASN.1 library, used in cell phone towers as well as cell phones and routers, allows taking control of those systems.
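The ASN.1 item above gives no detail about the bug itself, but the recurring failure in ASN.1 decoders is trusting a declared length before checking it against the bytes actually present. The following is an added example, not code from this page or from any vendor's library: a bounds-checked reader for the tag and length header of a DER-encoded element, plus a walker over a SEQUENCE's children that relies on it. Every sample input is constructed for the demonstration.

```c
/* Added example (not from the page or from any vendor's library): a
 * bounds-checked decoder for the tag/length header of a DER element.
 * Each check rejects an input that a careless decoder would turn into an
 * out-of-bounds read or an oversized allocation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint8_t tag;        /* single-byte tag; high-tag-number form is rejected */
    size_t hdr_len;     /* bytes consumed by tag + length octets */
    size_t value_len;   /* declared length of the content, already checked */
} der_hdr;

/* Returns 0 on success or a negative code naming the malformation. `avail` is
 * the number of bytes really present in `buf`; the decoder never reads past
 * it and never returns a value_len that exceeds what remains. */
int der_read_header(const uint8_t *buf, size_t avail, der_hdr *out)
{
    if (avail < 2) return -1;                     /* need tag + one length byte */
    uint8_t tag = buf[0];
    if ((tag & 0x1f) == 0x1f) return -2;          /* multi-byte tag not supported */
    uint8_t lb = buf[1];
    size_t pos = 2, len;
    if (lb < 0x80) {
        len = lb;                                 /* short form */
    } else {
        size_t n = lb & 0x7f;                     /* count of length octets */
        if (n == 0) return -3;                    /* indefinite form is not DER */
        if (n > sizeof(size_t)) return -4;        /* would not fit in size_t */
        if (avail - pos < n) return -5;           /* length octets truncated */
        if (buf[pos] == 0) return -6;             /* DER forbids leading zero */
        if (n == 1 && buf[pos] < 0x80) return -7; /* DER requires minimal form */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos + i];
        pos += n;
    }
    if (len > avail - pos) return -8;             /* content exceeds buffer */
    out->tag = tag;
    out->hdr_len = pos;
    out->value_len = len;
    return 0;
}

/* Walks the elements inside a SEQUENCE (tag 0x30), returning how many
 * well-formed children it holds or the first negative code encountered.
 * Because every child's length was validated against `left`, the pointer
 * arithmetic below can never step outside the outer element. */
int der_count_children(const uint8_t *buf, size_t avail)
{
    der_hdr outer;
    int rc = der_read_header(buf, avail, &outer);
    if (rc) return rc;
    if (outer.tag != 0x30) return -9;
    const uint8_t *p = buf + outer.hdr_len;
    size_t left = outer.value_len;
    int count = 0;
    while (left > 0) {
        der_hdr h;
        rc = der_read_header(p, left, &h);
        if (rc) return rc;
        p += h.hdr_len + h.value_len;
        left -= h.hdr_len + h.value_len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed: SEQUENCE { INTEGER 1, OCTET STRING "ab" } */
    const uint8_t good[] = { 0x30, 0x07, 0x02, 0x01, 0x01, 0x04, 0x02, 0x61, 0x62 };
    /* Constructed: inner OCTET STRING claims 5 bytes but the sequence ends. */
    const uint8_t bad[]  = { 0x30, 0x05, 0x02, 0x01, 0x01, 0x04, 0x05 };
    /* Constructed: long-form length claiming 4096 bytes in a 4-byte buffer. */
    const uint8_t huge[] = { 0x30, 0x82, 0x10, 0x00 };
    printf("good: %d\n", der_count_children(good, sizeof good));
    printf("bad:  %d\n", der_count_children(bad, sizeof bad));
    printf("huge: %d\n", der_count_children(huge, sizeof huge));
    return 0;
}
```

The error codes are deliberately distinct so a fuzzing harness or log line can tell a truncated length field (-5) from an over-long declared content (-8); both are the conditions that turn into memory corruption when a decoder copies `value_len` bytes without this check.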
Antivirus programs have so many errors that they may make security worse.
GNU/Linux does not need antivirus software.
Over 70 brands of network-connected surveillance cameras have security bugs that allow anyone to watch through them.
Samsung's “Smart Home” has a big security hole; unauthorized people can remotely control it.
Samsung claims that this is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software.
Anything whose name is “Smart” is most likely going to screw you.
The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.
That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.
Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem though.
Malware found on security cameras available through Amazon.
A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.
A bug in the iThings Messages app allowed a malicious web site to extract all the user's messaging history.
Many proprietary payment apps transmit personal data in an insecure way. However, the worst aspect of these apps is that payment is not anonymous.
FitBit fitness trackers have a Bluetooth vulnerability that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.
“Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives have a back door.
Mac OS X had an intentional local back door for 4 years, which could be exploited by attackers to gain root privileges.
Security researchers discovered a vulnerability in diagnostic dongles used for vehicle tracking and insurance that let them take remote control of a car or lorry using an SMS.
Crackers were able to take remote control of the Jeep “connected car”. They could track the car, start or stop the engine, and activate or deactivate the brakes, and more.
I expect that Chrysler and the NSA can do this too.
If I ever own a car, and it contains a portable phone, I will deactivate that.
Hospira infusion pumps, which are used to administer drugs to a patient, were rated “least secure IP device I've ever seen” by a security researcher.
Depending on what drug is being infused, the insecurity could open the door to murder.
Due to bad security in a drug pump, crackers could use it to kill patients.
The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are lots of bugs in the phones' radio software.
“Smart homes” turn out to be stupidly vulnerable to intrusion.
The insecurity of WhatsApp makes eavesdropping a snap.
It is possible to take control of some car computers through malware in music files. Also by radio. Here is more information.
It is possible to kill people by taking control of medical implants by radio. Here is more information. And here.
Lots of hospital equipment has lousy security, and it can be fatal.
An app to prevent “identity theft” (access to personal data) by storing users' data on a special server was deactivated by its developer, who had discovered a security flaw.
That developer seems to be conscientious about protecting personal data from third parties in general, but it can't protect that data from the state. Quite the contrary: confiding your data to someone else's server, if not first encrypted by you with free software, undermines your rights.
Some flash memories have modifiable software, which makes them vulnerable to viruses.
We don't call this a “back door” because it is normal that you can install a new system in a computer given physical access to it. However, memory sticks and cards should not be modifiable in this way.
Replaceable nonfree software in disk drives can be written by a nonfree program. This makes any system vulnerable to persistent attacks that normal forensics won't detect.
Many smartphone apps use insecure authentication methods when storing your personal data on remote servers. This leaves personal information like email addresses, passwords, and health information vulnerable. Because many of these apps are proprietary, it is hard or impossible to know which apps are at risk.