this post was submitted on 05 Jun 2025
36 points (97.4% liked)

Ask Lemmy


I found out that my mom is using an older phone that serves her just fine, but last received updates in 2021.

Realistically, how dangerous is this? What are the scenarios that could potentially happen with a phone that is out of date?

She may be open to something like lineage OS, but I don't want to make her phone less familiar for her, which would be harder to use. She is not very techy but also not fearful of a little tinkering. I don't live near her so she will not have anyone knowledgeable to troubleshoot if the need arises.

I'm not an infosec person at ALL so I genuinely don't know what she is exposed to.

Let me know if I should post this in another community instead.

top 14 comments
[–] pinball_wizard@lemmy.zip 5 points 8 hours ago* (last edited 8 hours ago)

The worst case risk is her entire financial net worth.

Criminals target the elderly, and an unpatched phone is a way for them to control a good percentage of what she experiences.

A vulnerable phone can result in an empty bank account.

The most common approach is to get control of an elder's incoming messages, and use it to manipulate their perception of reality to create a crisis - one that can only be solved by spending a sizeable portion of their savings. Then repeat until there's no more money left.

I'm not a fan of Wells Fargo, but they do have some good Guidance on preventing elder financial abuse.

[–] NaibofTabr@infosec.pub 30 points 1 day ago* (last edited 1 day ago) (2 children)

The danger is essentially that anything being done on the phone is not secure.

If all she does with the phone is look at cat pictures and talk to friends and family, there's probably not much critical information there to worry about.

But does she use the phone for banking? tax records? health care? Does she use the phone for multifactor authentication to log in to her bank account &etc?

Anything involving financial or personal information could be used for identity theft and fraud. Even if she doesn't have much money personally, her identity has value on the black market for opening fraudulent credit cards and other accounts. If her phone is no longer getting security updates then her email may be exposed, and basically if you can get into someone's email then you can get into all of their other accounts (through "I forgot my password" links). Also keep in mind that the phone is a tracking device, so if it's not secure then anyone with the time and interest could use it to track her location.

It's worth noting that switching the phone to another OS like Lineage may not solve this problem. Android uses a core security feature of ARM processors called TrustZone to handle cryptographic functions like security keys. This depends on processor microcode that only gets updated by the manufacturer. If the device is no longer supported, then it will probably stop receiving updates. A third-party developer like Lineage won't have the capability to update this code.

The potential threat from this is not usually immediate. Just because a device might be vulnerable doesn't mean that it's worth anyone's time to actually hack it. But frequently what happens is that someone finds a vulnerability that can be exploited and then builds some software that can do the necessary steps automatically, after which any device with that vulnerability is not secure at all.

Deciding how critical all of this is for your mother depends a lot on context. Does she have financial assets that might make her a target? Is she politically active? Is she a member of a sociopolitical group that might be a target? Does she have a social media account with a lot of followers? Does she have any close friends or relatives that someone might want to target through her? Does she know anyone who works in security for a large corporation, government or bank? Her own vulnerability might make someone else vulnerable by proximity.

There's no way to eliminate risk completely. The only way to answer the question "how dangerous is this?" is to assess the severity of possible losses and the likelihood of potential threats (threat modeling) and then make judgment calls based on priority.

[–] otp@sh.itjust.works 7 points 22 hours ago (1 children)

How often do older devices get breached, and is there any way to continue using an "older" device safely?

I feel like short security update lifecycles are a form of planned obsolescence.

With a battery upgrade after a few years, I could probably get over 5 years of life out of my phone, easily.

[–] NaibofTabr@infosec.pub 5 points 18 hours ago* (last edited 17 hours ago) (1 children)

How often do older devices get breached

A meaningful answer would require specificity about "older" (5, 10, 20+ years?) and would have to be broken down into manufacturer / major software / use case / target market groups. Also... would you include breach reports for software in the statistics? For instance, if an Adobe app was breached and leaked user account data, but it only affected devices running an older version of Android, is that an Adobe breach or an Android breach, or both?

and is there any way to continue using an “older” device safely

Basically, once a device stops receiving security updates from the manufacturer it should be considered untrustworthy. The only caveat to this would be if you knew the hardware (CPU/APU/GPU, storage, RAM, and especially NICs and TPMs), knew the firmware for all of it, knew the software running on top of it, knew that it had been audited, knew that there weren't any major unpatched vulnerabilities for any of it, and probably limited its use to known/trusted networks. That's a lot of work and some of it is probably impossible due to proprietary hardware & firmware.

But you'd also have to weigh all of that against your threat model like I described above. The question is always "How much effort would someone put in to hack me?" There is never zero risk, even with a brand new, fully up to date device. Security is always a game of "I don't have to outrun the bear, I just have to outrun you."

I feel like short security update lifecycles are a form of planned obsolescence.

There's some truth in this, but also recognize that every CPU model has its own specific microcode, every discrete device will have its own firmware and driver, and every mainboard will have its own specific firmware that makes all of those devices work together. Every version of every phone model ever produced has some amount of device code that is specific to that version and model. Keeping on top of updating every one of them would be a monumental task. Testing every update for every device before deploying the update would probably be functionally impossible.

All of that is a big part of why Apple controls the hardware of their devices so tightly. It allows them to standardize things and limit the amount of code they have to write, and in general Apple supports their devices with security updates much longer than other mobile device manufacturers. Their support range seems to be about 7 years.

Don't get me wrong, I'm not personally an Apple user. I prefer the broader freedom of choice in hardware and software in the Android market, but I understand that there's a tradeoff due to the lack of standardization. Apple's approach has benefits - there is a degree of safety in the walled garden that is not possible outside of it.

What really needs to happen is that buyers need to demand end-of-life information and support commitments from the manufacturers. For instance, the Fairphone 5 has guaranteed security updates until 2031, eight years after the launch date. That way you can make an informed decision before you buy.

[–] otp@sh.itjust.works 1 points 9 hours ago

Thank you for this detailed response!

I have a Pixel, which has 5 years of security updates. That would probably get me up to the point where I'd want to change the battery. But I'm not convinced a newer phone would have anything for me other than better security updates, so it'd be hard to justify the price.

There's also the fact that new phones can still have security vulnerabilities.

Since my phone is a flagship phone, I feel comfortable that if there are unpatched security issues discovered, they'd be caught by the public pretty quickly and I could make decisions from there...I just have to hope I'm not a "patient zero", lol

I may have to get a "burner phone" for any sketchier activities to be safe, though...lmao

Is that a relatively reasonable course of action?

[–] HubertManne@piefed.social 6 points 1 day ago

This. It depends on what is being done with it. I have an up to date smartphone for work purposes but I hate smartphones and use it for minimal purposes.

[–] Cheradenine@sh.itjust.works 13 points 1 day ago* (last edited 1 day ago)

If it is not getting updates then it isn't getting vendor security patches, it will still get Google Play Services and Android System Webview patches assuming those are enabled.

I wouldn't use any kind of banking or payment apps, so anything linked to an account from which money can be directly debited. That can be a lot of things from EBay to highway toll collection to paying for coffee.

I'm not trying to fear monger but it's time mom got a new phone. Use this one for streaming in the kitchen, or give it to a niece. Locked down of course.

Edit: that's if it's Android, if it's iOS it will not get any patches once it's end of life.
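A concrete way to answer "how out of date is it, really" before deciding, as an added example (not posted by any commenter): it parses the `ro.build.version.security_patch` property that `adb shell getprop` prints on a real Android device, and the `versionName` line from `adb shell dumpsys package com.google.android.webview`, then classifies the vendor patch level by age. The property dump and the WebView version below are constructed sample data, not from a real phone.

```python
"""Assess how stale an Android phone's vendor security patch level is.

On a real device the inputs come from:
  adb shell getprop ro.build.version.security_patch
  adb shell dumpsys package com.google.android.webview | grep versionName
The two samples below are constructed for this example."""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-09-05]
[ro.build.version.sdk]: [30]
"""

# Constructed sample of the dumpsys line for the WebView package.
SAMPLE_DUMPSYS = "    versionName=120.0.6099.230\n"


def parse_getprop(text):
    """Turn getprop lines of the form '[key]: [value]' into a dict."""
    pattern = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)
    return {m.group(1): m.group(2) for m in pattern.finditer(text)}


def webview_version(dumpsys_text):
    """Extract the installed WebView versionName, or None if absent."""
    m = re.search(r"versionName=(\S+)", dumpsys_text)
    return m.group(1) if m else None


def months_stale(patch_level, today):
    """Whole months between a YYYY-MM-DD patch level and today's date."""
    year, month, _ = (int(part) for part in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)


def assess(props, today):
    """Classify the vendor patch level: current, behind, or unsupported.

    The thresholds (3 and 12 months) are this example's assumption, chosen
    so a device that stopped getting patches years ago is flagged clearly."""
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return ("unknown", None)
    age = months_stale(patch, today)
    if age <= 3:
        return ("current", age)
    if age <= 12:
        return ("behind", age)
    return ("unsupported", age)
```

A "current" WebView version next to an "unsupported" vendor patch level is exactly the split Cheradenine describes: browser-side fixes still arrive through Play, while the kernel, drivers and TrustZone firmware stay frozen.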

[–] tal@lemmy.today 7 points 1 day ago

Let me know if I should post this in another community instead.

I'd guess that !android@lemmy.world or !cybersecurity@infosec.pub is probably going to be more-targeted.

[–] RodgeGrabTheCat@sh.itjust.works 5 points 1 day ago (1 children)

With an out of date phone it will be easier to bypass its security. Normally, cops and hackers have to use a series of exploits to bypass an Android's security. With a phone not receiving security updates this gets easier.

Installing LineageOS will not fix the security problem because Lineage requires the bootloader to be unlocked. With a locked bootloader, the phone checks to see if the OS has been altered; this is called "verified boot".

This video from TheHatedOne explains verified boot around the 10 minute mark https://invidious.nerdvpn.de/watch?v=WkQ_OCzuLNg

[–] arirr@lemmy.kde.social 2 points 1 day ago (1 children)

It comes down to threat model. Random malware will be stopped more often by a newer build of LineageOS that has updated platform security patches. An unlocked bootloader is usually a concern only if a hacker gets physical access to your device and modifies the system partition. If an attacker has a remote exploit that can root your phone, you're screwed either way.

[–] RodgeGrabTheCat@sh.itjust.works 2 points 23 hours ago (1 children)

The link I posted, at the 10 minute mark explains the dangers of an unlocked bootloader. It's an interview with one of the devs of GrapheneOS who know far more than either of us.

[–] arirr@lemmy.kde.social 1 points 5 hours ago

Maybe I'll take a look later, but as far as I know, there hasn't been any malware found in the wild that can be (1) done remotely and (2) stopped by a locked bootloader. Even if there is, is that riskier than running a few YEARS of security patches out of date?

[–] BCsven@lemmy.ca 2 points 1 day ago (1 children)

Lineage is good, but may not have updates for the particular phone, though it may be newer than 2021. If she can afford a new phone at some point, get a Pixel, flash GrapheneOS on it; it can be set up to access all the Google stuff if you like. The main feature is that 5 years of updates are guaranteed.

[–] RodgeGrabTheCat@sh.itjust.works 2 points 23 hours ago

7 years for the newer models.