I mentioned in my last post that it’s entirely possible for modern IoT devices to include wifi bruteforcing code in their firmware, and use this as a covert channel to communicate back to company servers without showing the user had ever connected the device to the internet. It would not at all surprise me if this were already happening in the wild, as legal recourse is almost never more than a slap on the wrist, and the vast majority of users would have no way of detecting this activity. It wouldn’t even have to be the user’s wifi, it could be their neighbor’s.
This really got me thinking about how reverse engineering and malware analysis skills may actually have to be aimed at legitimate, albeit proprietary software in the coming decade. Just as obfuscation techniques are employed to hide malware, these same obfuscation techniques may become quite attractive to device manufacturers and state-sponsored entities who either control them or who can issue a gag order and slip the code in during the production process. And if you can stitch bits together to execute as an opcode, you wouldn’t find the opcode in a basic disassembly, for one example. At the end of the day, hiding what you are doing is one of the principal goals of malware, and it’s the same for a lot of software that would otherwise love to harvest as much data from the device (and you, and your home) as possible.
When Microsoft released their stupid-ass Recall feature on Windows, there was an immediate uproar from the security community about privacy, and Microsoft backed off just enough to fall out of the news cycle. They released some changes that made things a little more private, but tools were quickly built to exploit the weaknesses, too. They said you could opt out, but over time, researchers began to find little traces here and there that seemed to be paving the way for Recall to be installed and active by default, or for users to lose key functionality.
This is overt encroachment. There’s a lot of money to be made harvesting gobs of data from computers, and if Microsoft inching closer and closer to forcing users to have Recall installed and activated doesn’t tell you everything you need to know about how bad things are going to get, I don’t know what will.
All of this to say, open software is still the future, and it is largely the only way for the world to move forward without descending into an authoritarian hellscape. The EU is in the process of switching to Linux, so there is hope. (Well…at least on the software side of things….) If they can build open products that mimic what Microsoft does, that might even open the door for US entities to do the same. But while closed software persists, a massive amount of talent will need to be funneled into keeping these companies in check. They are going to get sneakier and sneakier in order to log everything you do, because there is just too much money at play not to.
(Speaking of, I did find out how to remove the built-in microphone from a Switch 2, but whether that bricks the device or causes it to function poorly is not yet known. They are all out of stock anyway, and I’m not yet sure I want to spend the money, but hopefully someone will experiment with this in the coming months and post the results on YouTube)