Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers often exercise that power to the detriment of the users they ought to serve.
This page lists clearly established cases of insecurity in proprietary software that have grave consequences or are otherwise noteworthy.
It would be incorrect to compare proprietary software with a fictitious idea of free software as perfect. Every nontrivial program has bugs, and any system, free or proprietary, may have security holes. That in itself is not culpable. But proprietary software developers frequently disregard gaping holes, or even introduce them deliberately, and the users are helpless to fix them.
4G LTE phone networks are drastically insecure. They can be taken over by third parties and used for man-in-the-middle attacks.
Due to weak security, it is easy to open the doors of 100 million cars built by Volkswagen.
Ransomware has been developed for a thermostat that uses proprietary software.
A flaw in Internet Explorer and Edge allows an attacker to retrieve Microsoft account credentials, if the user is tricked into visiting a malicious link.
“Deleted” WhatsApp messages are not entirely deleted. They can be recovered in various ways.
A vulnerability in Apple's Image I/O API allowed an attacker to execute malicious code from any application which uses this API to render a certain kind of image file.
A bug in a proprietary ASN.1 library, used in cell phone towers as well as cell phones and routers, allows taking control of those systems.
Antivirus programs have so many errors that they may make security worse.
GNU/Linux does not need antivirus software.
Over 70 brands of network-connected surveillance cameras have security bugs that allow anyone to watch through them.
Samsung's “Smart Home” has a big security hole; unauthorized people can remotely control it.
Samsung claims that this is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software.
Anything whose name is “Smart” is most likely going to screw you.
The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.
That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.
Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem though.
Malware was found on security cameras available through Amazon.
A camera that records locally on physical media, and has no network connection, does not threaten people with surveillance—neither by watching people through the camera, nor through malware in the camera.
A bug in the iThings Messages app allowed a malicious web site to extract all the user's messaging history.
Many proprietary payment apps transmit personal data in an insecure way. However, the worse aspect of these apps is that payment is not anonymous.
FitBit fitness trackers have a Bluetooth vulnerability that allows attackers to send malware to the devices, which can subsequently spread to computers and other FitBit trackers that interact with them.
“Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives have a back door.
Mac OS X had an intentional local back door for 4 years, which could be exploited by attackers to gain root privileges.
Security researchers discovered a vulnerability in diagnostic dongles used for vehicle tracking and insurance that let them take remote control of a car or lorry using an SMS.
Crackers were able to take remote control of the Jeep “connected car”. They could track the car, start or stop the engine, activate or deactivate the brakes, and more.
I expect that Chrysler and the NSA can do this too.
If I ever own a car, and it contains a portable phone, I will deactivate that.
Hospira infusion pumps, which are used to administer drugs to a patient, were rated “least secure IP device I've ever seen” by a security researcher.
Depending on what drug is being infused, the insecurity could open the door to murder.
Due to bad security in a drug pump, crackers could use it to kill patients.
The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are lots of bugs in the phones' radio software.
“Smart homes” turn out to be stupidly vulnerable to intrusion.
The insecurity of WhatsApp makes eavesdropping a snap.
It is possible to take control of some car computers through malware in music files. Also by radio. Here is more information.
It is possible to kill people by taking control of medical implants by radio. Here is more information. And here.
Lots of hospital equipment has lousy security, and it can be fatal.
An app to prevent “identity theft” (access to personal data) by storing users' data on a special server was deactivated by its developer which had discovered a security flaw.
That developer seems to be conscientious about protecting personal data from third parties in general, but it can't protect that data from the state. Quite the contrary: confiding your data to someone else's server, if not first encrypted by you with free software, undermines your rights.
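The remedy named above, encrypting data yourself before it is confided to someone else's server, is concrete enough to show. The following is an added example, not code from the page or from the app developer it describes: the user generates a key that never leaves their machine, seals each record with AES-256-GCM, and uploads only the sealed blob. The server (a constructed in-memory stand-in here, not any real service) can store, return or corrupt the blob, but cannot read it, and a corrupted blob is rejected rather than silently decrypted. The record name is bound as associated data so the server cannot hand one user's blob back under another name. The sample record and the `vault/alice` name are constructed; key storage on the user's side is assumed to be handled locally and is outside this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewLocalKey generates the user's AES-256 key. It is created and kept on the
// user's own machine; only sealed blobs are ever sent to the server.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext under key with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// label (the record name the server will see) is bound as associated data,
// so a blob stored under one name cannot be passed off as another.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the blob, or a label mismatch, fails the
// GCM tag check and yields an error instead of data.
func Open(key, label, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// fakeServer is a constructed stand-in for the third party's storage.
// It only ever receives sealed blobs; it is not anyone's real API.
type fakeServer map[string][]byte

func (s fakeServer) Put(name string, blob []byte) { s[name] = blob }
func (s fakeServer) Get(name string) []byte       { return s[name] }

// ServerCanReadPlaintext reports whether the stored blob exposes the record in the clear.
func ServerCanReadPlaintext(s fakeServer, name string, record []byte) bool {
	return bytes.Contains(s.Get(name), record)
}

func main() {
	key, _ := NewLocalKey()
	record := []byte("ssn=123-45-6789;dob=1970-01-01") // constructed sample record
	label := []byte("vault/alice")                      // constructed record name
	srv := fakeServer{}

	blob, _ := Seal(key, label, record)
	srv.Put(string(label), blob)
	fmt.Println("server sees plaintext:", ServerCanReadPlaintext(srv, string(label), record))

	got, err := Open(key, label, srv.Get(string(label)))
	fmt.Println("user recovers:", string(got), err)

	// An operator who flips one byte in storage gets an error, not wrong data.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 1
	_, err = Open(key, label, tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two caveats a practitioner would want: the random 96-bit nonce is safe only for a modest number of messages per key (well under 2^32), and the scheme protects the content of records, not the metadata the server still observes (record names, sizes, and when each upload happens).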
Some flash memories have modifiable software, which makes them vulnerable to viruses.
We don't call this a “back door” because it is normal that you can install a new system in a computer given physical access to it. However, memory sticks and cards should not be modifiable in this way.
Replaceable nonfree software in disk drives can be written by a nonfree program. This makes any system vulnerable to persistent attacks that normal forensics won't detect.
Many smartphone apps use insecure authentication methods when storing your personal data on remote servers. This leaves personal information like email addresses, passwords, and health information vulnerable. Because many of these apps are proprietary, it is hard or impossible to know which apps are at risk.