Proprietary Back Doors
Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.
This typically takes the form of malicious functionalities.
Some malicious functionalities are mediated by back doors. Here are examples of programs that contain one or several of those, classified according to what the back door is known to have the power to do. Back doors that allow full control over the programs which contain them are said to be “universal.”
If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.
Back-door functionalities
Spying
-
2020-08
Google Nest is taking over ADT. Google sent out a software update to its speaker devices using their back door that listens for things like smoke alarms and then notifies your phone that an alarm is happening. This means the devices now listen for more than just their wake words. Google says the software update was sent out prematurely and on accident and Google was planning on disclosing this new feature and offering it to customers who pay for it.
-
2017-06
Many models of Internet-connected cameras contain a glaring back door—they have login accounts with hard-coded passwords, which can't be changed, and there is no way to delete these accounts either.
Since these accounts with hard-coded passwords are impossible to delete, this problem is not merely an insecurity; it amounts to a back door that can be used by the manufacturer (and government) to spy on users.
-
2017-01
WhatsApp has a feature that has been described as a “back door” because it would enable governments to nullify its encryption.
The developers say that it wasn't intended as a back door, and that may well be true. But that leaves the crucial question of whether it functions as one. Because the program is nonfree, we cannot check by studying it.
-
2015-12
Microsoft has backdoored its disk encryption.
-
2014-09
Apple can, and regularly does, remotely extract some data from iPhones for the state.
This may have improved with iOS 8 security improvements; but not as much as Apple claims.
Altering user's data or settings
-
2022-07
BMW is now luring British customers into paying for the built-in heated-seat feature of their new cars on a subscription basis. People also have the option to buy the feature when they are paying for the car, but those who bought a used car have to pay BMW extra money to remotely enable the heated seats. This is probably done by BMW accessing a back door in the car software.
-
2021-09
Some Xiaomi phones have a malfeature to bleep out phrases that express political views the Chinese government does not like. In phones sold in Europe, Xiaomi leaves this deactivated by default, but has a back door to activate the censorship.
This is the natural result of having nonfree software in a device that can communicate with the company that made it.
-
2019-05
BlizzCon 2019 imposed a requirement to run a proprietary phone app to be allowed into the event.
This app is a spyware that can snoop on a lot of sensitive data, including user's location and contact list, and has near-complete control over the phone.
-
2018-09
Android has a back door for remotely changing “user” settings.
The article suggests it might be a universal back door, but this isn't clear.
-
2016-07
The Dropbox app for Macintosh takes control of user interface items after luring the user into entering an admin password.
-
2016-04
A pregnancy test controller application not only can spy on many sorts of data in the phone, and in server accounts, it can alter them too.
-
2015-12
Some D-Link routers have a back door for changing settings in a dlink of an eye.
-
2015-11
Google has long had a back door to remotely unlock an Android device, unless its disk is encrypted (possible since Android 5.0 Lollipop, but still not quite the default).
-
2015-11
Caterpillar vehicles come with a back door to shutoff the engine remotely.
-
2015-09
Modern gratis game cr…apps collect a wide range of data about their users and their users' friends and associates.
Even nastier, they do it through ad networks that merge the data collected by various cr…apps and sites made by different companies.
They use this data to manipulate people to buy things, and hunt for “whales” who can be led to spend a lot of money. They also use a back door to manipulate the game play for specific players.
While the article describes gratis games, games that cost money can use the same tactics.
-
2014-03
Samsung Galaxy devices running proprietary Android versions come with a back door that provides remote access to the files stored on the device.
-
2012-10
The Amazon Kindle-Swindle has a back door that has been used to remotely erase books. One of the books erased was 1984, by George Orwell.
Amazon responded to criticism by saying it would delete books only following orders from the state. However, that policy didn't last. In 2012 it wiped a user's Kindle-Swindle and deleted her account, then offered her kafkaesque “explanations.”
Do other ebook readers have back doors in their nonfree software? We don't know, and we have no way to find out. There is no reason to assume that they don't.
-
2010-11
The iPhone has a back door for remote wipe. It's not always enabled, but users are led into enabling it without understanding.
Installing, deleting or disabling programs
-
2024-01
UHD Blu-ray disks are loaded with malware of the worst kinds, including the AACS DRM. Playing them on a PC requires the Intel Management Engine, which has back doors and cannot be disabled. Every Blu-ray drive also has a back door in its firmware, which allows the AACS-enforcing organization to “revoke” the ability to play any AACS-restricted disk.
-
2023-02
Microsoft is remotely disabling Internet Explorer, forcibly redirecting users to Microsoft Edge.
Imposing such change is malicious, and the fact that the redirection is from one unjust program (IE) to another unjust program (Edge) does not excuse it.
-
2023-01
Microsoft released an “update” that installs a surveillance program on users' computers to gather data on some installed programs for Microsoft's benefit. The update is rolling out automatically, and the program runs “one time silently.”
-
2022-10
Xiaomi provides a tool to unlock the bootloader of Xiaomi smartphones and tablets, but this requires creating an account on the company's servers, i.e. providing your phone number. This is the price you have to pay for “legally” running a free software operating system on Xiaomi devices. But the manufacturer retains control of the unlocked device through a backdoor in the bootloader—the same backdoor that was remotely used to unlock it.
-
2022-08
Tesla sells an add-on software feature that drivers are not allowed to use.
This practice depends on a back door, which is unjust in itself. Asking users to buy something years in advance to avoid having to pay an even higher price later is manipulative.
-
2021-10
Adobe has licensed its Flash Player to China's Zhong Cheng Network who is offering the program bundled with spyware and a back door that can remotely deactivate it.
Adobe is responsible for this since they gave Zhong Cheng Network permission to do this. This injustice involves “misuse” of the DMCA, but “proper,” intended use of the DMCA is a much bigger injustice. There is a series of errors related to DMCA.
-
2021-08
Recent Samsung TVs have a back door with which Samsung can brick them remotely.
-
2021-06
Google automatically installed an app on many proprietary Android phones. The app might or might not do malicious things but the power Google has over proprietary Android phones is dangerous.
-
2020-12
Adobe Flash Player has a universal back door which lets Adobe control the software and, for example, disable it whenever it wants. Adobe will block Flash content from running in Flash Player beginning January 12, 2021, which indicates that they have access to every Flash Player through a back door.
The back door won't be dangerous in the future, as it'll disable a proprietary program and make users delete the software, but it was an injustice for many years. Users should have deleted Flash Player even before its end of life.
-
2020-07
BMW is trying to lock certain features of its cars, and force people to pay to use part of the car they already bought. This is done through forced update of the car software via a radio-operated back door.
-
2019-08
A very popular app found in the Google Play store contained a module that was designed to secretly install malware on the user's computer. The app developers regularly used it to make the computer download and execute any code they wanted.
This is a concrete example of what users are exposed to when they run nonfree apps. They can never be completely sure that a nonfree app is safe.
-
2019-07
Apple appears to say that there is a back door in MacOS for automatically updating some (all?) apps.
The specific change described in the article was not malicious—it protected users from surveillance by third parties—but that is a separate question.
-
2018-11
Corel Paintshop Pro has a back door that can make it cease to function.
The article is full of confusions, errors and biases that we have an obligation to expose, given that we are making a link to them.
- Getting a patent does not “enable” a company to do any particular thing in its products. What it does enable the company to do is sue other companies if they do some particular thing in their products.
- A company's policies about when to attack users through a back door are beside the point. Inserting the back door is wrong in the first place, and using the back door is always wrong too. No software developer should have that power over users.
- “Piracy” means attacking ships. Using that word to refer to sharing copies is a smear; please don't smear sharing.
The idea of “protecting our IP” is total confusion. The term “IP” itself is a bogus generalization about things that have nothing in common.
In addition, to speak of “protecting” that bogus generalization is a separate absurdity. It's like calling the cops because neighbors' kids are playing on your front yard, and saying that you're “protecting the boundary line”. The kids can't do harm to the boundary line, not even with a jackhammer, because it is an abstraction and can't be affected by physical action.
-
2018-04
Some “Smart” TVs automatically load downgrades that install a surveillance app.
We link to the article for the facts it presents. It is too bad that the article finishes by advocating the moral weakness of surrendering to Netflix. The Netflix app is malware too.
-
2015-11
Baidu's proprietary Android library, Moplus, has a back door that can “upload files” as well as forcibly install apps.
It is used by 14,000 Android applications.
-
2011-12
In addition to its universal back door, Windows 8 has a back door for remotely deleting apps.
You might well decide to let a security service that you trust remotely deactivate programs that it considers malicious. But there is no excuse for deleting the programs, and you should have the right to decide whom (if anyone) to trust in this way.
-
2011-03
In Android, Google has a back door to remotely delete apps. (It was in a program called GTalkService, which seems since then to have been merged into Google Play.)
Google can also forcibly and remotely install apps through GTalkService. This is not equivalent to a universal back door, but permits various dirty tricks.
Although Google's exercise of this power has not been malicious so far, the point is that nobody should have such power, which could also be used maliciously. You might well decide to let a security service remotely deactivate programs that it considers malicious. But there is no excuse for allowing it to delete the programs, and you should have the right to decide who (if anyone) to trust in this way.
-
2008-08
The iPhone has a back door that allows Apple to remotely delete apps which Apple considers “inappropriate”. Jobs said it's OK for Apple to have this power because of course we can trust Apple.
Full control
-
2023-05
HP delivers printers with a universal back door, and recently used it to sabotage them by remotely installing malware. The malware makes the printer refuse to function with non-HP ink cartrides, and even with old HP cartridges which HP now declares to have “expired.” HP calls the back door “dynamic security,” and has the gall to claim that this “security” protects users from malware.
If you own an HP printer that can still use non-HP cartridges, we urge you to disconnect it from the internet. This will ensure that HP doesn't sabotage it by “updating” its software.
Note how the author of the Guardian article credulously repeats HP's assertion that the “dynamic security” feature protects users against malware, not recognizing that the article demonstrates it does the opposite.
-
2021-11
NordicTrack, a company that sells exercise machines with ability to show videos limits what people can watch, and recently disabled a feature that was originally functional. This happened through automatic update and probably involved a universal back door.
-
2021-06
Peloton company which produces treadmills recently locked people out of basic features of people's treadmills by a software update. The company now asks people for a membership/subscription for what people already paid for.
The software used in the treadmill is proprietary and probably includes back doors to force software updates. It teaches the lesson that if a product talks to external networks, you must expect it to take in new malware.
Please note that the company behind this product said they are working to reverse the changes so people will no longer need subscription to use the locked feature.
Apparently public anger made the company back down. If we want that to be our safety, we need to build up the anger against malicious features (and the proprietary software that is their entry path) to the point that even the most powerful companies don't dare.
-
2021-02
Microsoft is forcibly removing the Flash player from computers running Windows 10, using a universal backdoor in Windows.
The fact that Flash has been disabled by Adobe is no excuse for this abuse of power. The nature of proprietary software, such as Microsoft Windows, gives the developers power to impose their decisions on users. Free software on the other hand empowers users to make their own decisions.
-
2020-11
Some Wavelink and JetStream wifi routers have universal back doors that enable unauthenticated users to remotely control not only the routers, but also any devices connected to the network. There is evidence that this vulnerability is actively exploited.
If you consider buying a router, we encourage you to get one that runs on free software. Any attempts at introducing malicious functionalities in it (e.g., through a firmware update) will be detected by the community, and soon corrected.
If unfortunately you own a router that runs on proprietary software, don't panic! You may be able to replace its firmware with a free operating system such as libreCMC. If you don't know how, you can get help from a nearby GNU/Linux user group.
-
2020-11
A new app published by Google lets banks and creditors deactivate people's Android devices if they fail to make payments. If someone's device gets deactivated, it will be limited to basic functionality, such as emergency calling and access to settings.
-
2020-07
BMW will remotely enable and disable functionality in cars through a universal back door.
-
2020-04
The Google Play Terms of Service insist that the user of Android accept the presence of universal back doors in apps released by Google.
This does not tell us whether any of Google's apps currently contains a universal back door, but that is a secondary question. In moral terms, demanding that people accept in advance certain bad treatment is equivalent to actually doing it. Whatever condemnation the latter deserves, the former deserves the same.
-
2020-01
Android phones subsidized by the US government come with preinstalled adware and a back door for forcing installation of apps.
The adware is in a modified version of an essential system configuration app. The back door is a surreptitious addition to a program whose stated purpose is to be a universal back door for firmware.
In other words, a program whose raison d'être is malicious has a secret secondary malicious purpose. All this is in addition to the malware of Android itself.
-
2019-10
The Chinese Communist Party's “Study the Great Nation” app was found to contain a back-door allowing developers to run any code they wish in the users' phone, as “superusers.”
Note: The Washington Post version of the article (partly obfuscated, but readable after copy-pasting in a text editor) includes a clarification saying that the tests were only performed on the Android version of the app, and that, according to Apple, “this kind of ‘superuser’ surveillance could not be conducted on Apple's operating system.”
-
2019-08
ChromeBooks are programmed for obsolescence: ChromeOS has a universal back door that is used for updates and ceases to operate at a predefined date. From then on, there appears to be no support whatsoever for the computer.
In other words, when you stop getting screwed by the back door, you start getting screwed by the obsolescence.
-
2019-02
The FordPass Connect feature of some Ford vehicles has near-complete access to the internal car network. It is constantly connected to the cellular phone network and sends Ford a lot of data, including car location. This feature operates even when the ignition key is removed, and users report that they can't disable it.
If you own one of these cars, have you succeeded in breaking the connectivity by disconnecting the cellular modem, or wrapping the antenna in aluminum foil?
-
2018-12
New GM cars offer the feature of a universal back door.
Every nonfree program offers the user zero security against its developer. With this malfeature, GM has explicitly made things even worse.
-
2017-11
The Furby Connect has a universal back door. If the product as shipped doesn't act as a listening device, remote changes to the code could surely convert it into one.
-
2017-11
Sony has brought back its robotic pet Aibo, this time with a universal back door, and tethered to a server that requires a subscription.
-
2017-09
Tesla used software to limit the part of the battery that was available to customers in some cars, and a universal back door in the software to temporarily increase this limit.
While remotely allowing car “owners” to use the whole battery capacity did not do them any harm, the same back door would permit Tesla (perhaps under the command of some government) to remotely order the car to use none of its battery. Or perhaps to drive its passenger to a torture prison.
-
2017-02
Vizio “smart” TVs have a universal back door.
-
2016-09
Xiaomi phones come with a universal back door in the application processor, for Xiaomi's use.
This is separate from the universal back door in the modem processor that the local phone company can use.
-
2016-08
Microsoft Windows has a universal back door through which any change whatsoever can be imposed on the users.
This was reported in 2007 for XP and Vista, and it seems that Microsoft used the same method to push the Windows 10 downgrade to computers running Windows 7 and 8.
In Windows 10, the universal back door is no longer hidden; all “upgrades” will be forcibly and immediately imposed.
-
2016-06
The Amazon Echo appears to have a universal back door, since it installs “updates” automatically.
We have found nothing explicitly documenting the lack of any way to disable remote changes to the software, so we are not completely sure there isn't one, but this seems pretty clear.
-
2014-12
A Chinese version of Android has a universal back door. Nearly all models of mobile phones have a universal back door in the modem chip. So why did Coolpad bother to introduce another? Because this one is controlled by Coolpad.
-
2013-11
Some applications come with MyFreeProxy, which is a universal back door that can download programs and run them.
-
2012-07
In addition to its book eraser, the Kindle-Swindle has a universal back door.
-
2006-12
Almost every phone's communication processor has a universal back door which is often used to make a phone transmit all conversations it hears. See Malware in Mobile Devices for more info.
Other or undefined
-
2024-09
Kia cars were built with a back door that enabled the company's server to locate them and take control of them. The car's owner had access to these controls through the Kia server. This in itself is not objectionable. However, that Kia itself had such control is Orwellian, and ought to be illegal. The icing on the Orwellian cake is that the server had a security fault which allowed absolutely anyone to activate those controls for any Kia car.
Many people will be outraged at that security bug, but this was presumably an accident. The fact that Kia had such control over cars after selling them to customers is what outrages us, and that must have been intentional on Kia's part.
-
2023-12
A back door in Apple devices, present and abused from at least 2019 until 2023, allowed crackers to have full control over them by sending iMessage texts that installed malware without any action on the user's part. Infections, among other things, gave the intruders access to owners' microphone recordings, photos, location and other personal data.
-
2017-11
Intel's intentional “management engine” back door has unintended back doors too.
-
2016-09
A Capcom's Street Fighter V update installed a driver that could be used as a back door by any application installed on a Windows computer, but was immediately rolled back in response to public outcry.
-
2015-11
Dell computers, shipped with Windows, had a bogus root certificate that allowed anyone (not just Dell) to remotely authorize any software to run on the computer.
-
2015-11
ARRIS cable modem has a back door in the back door.
-
2015-10
“Self-encrypting” disk drives do the encryption with proprietary firmware so you can't trust it. Western Digital's “My Passport” drives have a back door.
-
2015-04
Mac OS X had an intentional local back door for 4 years, which could be exploited by attackers to gain root privileges.
-
2013-09
Here is a big problem whose details are still secret: The FBI asks lots of companies to put back doors in proprietary programs. We don't know of specific cases where this was done, but every proprietary program for encryption is a possibility.
-
2013-08
The German government veers away from Windows 8 computers with TPM 2.0 (original article in German), due to potential back door capabilities of the TPM 2.0 chip.
-
2013-07
Here is a suspicion that we can't prove, but is worth thinking about: Writable microcode for Intel and AMD microprocessors may be a vehicle for the NSA to invade computers, with the help of Microsoft, say respected security experts.
-
2013-07
HP “storage appliances” that use the proprietary “Left Hand” operating system have back doors that give HP remote login access to them. HP claims that this does not give HP access to the customer's data, but if the back door allows installation of software changes, a change could be installed that would give access to the customer's data.
The EFF has other examples of the use of back doors.