Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
How often do older devices get breached, and is there any way to continue using an "older" device safely?
I feel like short security update lifecycles are a form of planned obsolescence.
With a battery upgrade after a few years, I could probably get over 5 years of life out of my phone, easily.
A meaningful answer would require specificity about "older" (5, 10, 20+ years?) and would have to be broken down into manufacturer / major software / use case / target market groups. Also... would you include breach reports for software in the statistics? For instance, if an Adobe app was breached and leaked user account data, but it only affected devices running an older version of Android, is that an Adobe breach or an Android breach, or both?
Basically, once a device stops receiving security updates from the manufacturer it should be considered untrustworthy. The only caveat to this would be if you knew the hardware (CPU/APU/GPU, storage, RAM, and especially NICs and TPMs), knew the firmware for all of it, knew the software running on top of it, knew that it had been audited, knew that there weren't any major unpatched vulnerabilities for any of it, and probably limited its use to known/trusted networks. That's a lot of work and some of it is probably impossible due to proprietary hardware & firmware.
But you'd also have to weigh all of that against your threat model like I described above. The question is always "How much effort would someone put in to hack me?" There is never zero risk, even with a brand new, fully up to date device. Security is always a game of "I don't have to outrun the bear, I just have to outrun you."
There's some truth in this, but also recognize that every CPU model has its own specific microcode, every discrete device will have its own firmware and driver, and every mainboard will have its own specific firmware that makes all of those devices work together. Every version of every phone model ever produced has some amount of device code that is specific to that version and model. Keeping on top of updating every one of them would be a monumental task. Testing every update for every device before deploying the update would probably be functionally impossible.
All of that is a big part of why Apple controls the hardware of their devices so tightly. It allows them to standardize things and limit the amount of code they have to write, and in general Apple supports their devices with security updates much longer than other mobile device manufacturers. Their support range seems to be about 7 years.
Don't get me wrong, I'm not personally an Apple user. I prefer the broader freedom of choice in hardware and software in the Android market, but I understand that there's a tradeoff due to the lack of standardization. Apple's approach has benefits - there is a degree of safety in the walled garden that is not possible outside of it.
What really needs to happen is that buyers need to demand end-of-life information and support commitments from the manufacturers. For instance, the Fairphone 5 has guaranteed security updates until 2031, eight years after the launch date. That way you can make an informed decision before you buy.
Thank you for this detailed response!
I have a Pixel, which has 5 years of security updates. That would probably get me up to the point where I'd want to change the battery. But I'm not convinced a newer phone would have anything for me other than better security updates, so it'd be hard to justify the price.
There's also the fact that new phones can still have security vulnerabilities.
Since my phone is a flagship phone, I feel comfortable that if there are unpatched security issues discovered, they'd be caught by the public pretty quickly and I could make decisions from there...I just have to hope I'm not a "patient zero", lol
I may have to get a "burner phone" for any sketchier activities to be safe, though...lmao
Is that a relatively reasonable course of action?