Old phones and security updates

My pixel 6a is coming online this weekend. 

I have my cracked 4a. We have historically used old phones as "kid phones". They want to chat with friends in the house on Wi-Fi, use a kid phone. They are dropped off somewhere and I want to be able to contact them, bring a kid phone. Etc. There is one older pixel being used for that duty now. 

It occurred to me as I shopped for longevity and purchased the 6a that even the 4a and certainly the older one are no longer receiving security updates. 

What are the risks to continuing to use these phones in that capacity? Can a hacker gain access to my Wi-Fi and watch my wife and I log into our bank on our phones and her laptop? What about the kids using a banking app like greenlight?

Help me understand the risks. 

The risks of the OS itself being out of date are usually relatively low compared to the apps being out of date. Typically things you might need to worry about would be Bluetooth vulnerabilities (close range required to exploit) or possibly GSM radio vulnerabilities (cell site simulator required). The biggest risk might be a vulnerability in the original messaging app that could allow hacks via SMS, you might be able to change the default messaging app to work around that.

You could also look into rooting the phone and installing a newer version of a community-run Android distro. LineageOS is available for the pixel 4a:

https://lineageosroms.com/sunfish/

I agree that the more likely scenario is an app issue, but there have been enough exploitable issues in either phone OS that I don't want to use a phone that doesn't get security updates. Plus, I use my Android phone for work, so I'm extra paranoid about that.

Hopping from your phone to your home network is probably a lower risk than malware on the phone trying to snaffle your online banking information. It's possible, but to me that falls into "which state actor did you tick off?" territory. Too much work for Joe Ransomdude to steal all your cryptoz.

What are you running on the phone in question?  If it's just making "dad come pick me up" phone calls and watching the occasional youtube video then even if someone hacks it they can't do much with that.  On the other end of the spectrum, using an online banking app on such a device is very risky.  (Hell, I won't run online banking apps on a brand-new, fully-supported phone).

Regarding the wifi security question, it's possible that someone might be able to use the wifi radio on a hacked phone to look at some of the encrypted packets passing between two other stations on the wifi network, but how much they can do with that depends on what level of WPA is running.  I don't remember the details, but I believe the most secure versions of WPA will negotiate a session key per pair of hosts, known only to those two hosts, so even if someone has the password to join the network that wouldn't let them eavesdrop on the other network traffic not destined to them.

codrus (Forum Supporter) said:

What are you running on the phone in question?  If it's just making "dad come pick me up" phone calls and watching the occasional youtube video then even if someone hacks it they can't do much with that.  On the other end of the spectrum, using an online banking app on such a device is very risky.  (Hell, I won't run online banking apps on a brand-new, fully-supported phone).

Regarding the wifi security question, it's possible that someone might be able to use the wifi radio on a hacked phone to look at some of the encrypted packets passing between two other stations on the wifi network, but how much they can do with that depends on what level of WPA is running.  I don't remember the details, but I believe the most secure versions of WPA will negotiate a session key per pair of hosts, known only to those two hosts, so even if someone has the password to join the network that wouldn't let them eavesdrop on the other network traffic not destined to them.

 

The kids have an app called Greenlight which is a kid version of online banking.

Tunawife and I often do online banking on the same WiFi, so your last scenario is what I meant. If they hack a kids phone, and it is on the same WiFi, can they see us logging into our online banking from another machine? We have security on the router, some form of WPA, and the router itself is fairly modern.

If you were to backdoor a phone and monitor WiFi you'd still need to do an HTTPS MITM to spy on web traffic from other devices (maybe by hacking a router), so I wouldn't worry about that. Unless you're a famous cryptobro no cybercriminal is going to put that kind of effort into getting to your online banking details.

0 risk. Good choice on the 6a. I picked one up for my mom recently. Battery and screen aren't bad to replace either. 

Please explain for me what risks are possible with a phone which is no longer receiving security updates in general, still assuming I'm not either an idiot or a celebrity. 

I really don't understand. 

In reply to tuna55 :

No security updates to the OS would bring largely very uncommon risks that the average Joe would never be exposed to, with the possible exception of an SMS/MMS/RCS app exploit (rarely happens, wasn't able to find any for Android). If you can keep all your apps up to date (ideally with a 3rd-party SMS/MMS/RCS app, I just switched to this one after doing a search and remembering how fed up I was getting with the crappy stock app) it should be nothing to worry about.

If apps also weren't getting updates, that would probably lead to the phone getting loaded with malware within a month or two.

Once the phone gets exploited in any way, anything is possible, phone malware is relatively rare but when it exists it's usually either low-harm adware or extremely harmful info-stealers that try to grab any credentials that are stored on or entered through the phone.

GameboyRMH said:

In reply to tuna55 :


If apps also weren't getting updates, that would probably lead to the phone getting loaded with malware within a month or two.

That does not happen. The risk is so low, that I don't think its accurate to say. 

Going a different direction, is there any OS other than Android or IOS available or coming into the market?  I'm not really a fan of Google or Apple from a corporate level.  I while back I had heard of some Linux deals but the didn't seem too well developed.

Mobile OSes out of the big 2 are supported on very few devices, right now there's Sailfish OS (what I'll probably run on my next phone and probably should've put on my current one if I'd done more research), Ubuntu Touch and PostmarketOS. The big 2 have all the corporate backing and benefit from network effects so the other options will always be also-rans biting at the fringes.

Back when the N900 came out there was a nice GNU/Linux-based mobile OS called Maemo (later Meego) that I enjoyed. But then they payed Steve Elop a jillion dollars to scrap that and run Nokia clean into the ground while employees could only watch the trainwreck unfold.

In reply to GameboyRMH :

That sounds familiar... I loved my old Palm Pre+ that ran WebOS.  Then HP bought Palm and killed it off.

lnlogauge said:

GameboyRMH said:

In reply to tuna55 :


If apps also weren't getting updates, that would probably lead to the phone getting loaded with malware within a month or two.

That does not happen. The risk is so low, that I don't think its accurate to say. 

It looks like 0.25% of Android phones worldwide are infected with malware from this study:

https://www.prescouter.com/2014/04/malware-infection-rate-for-android-devices-measured-by-researchers/

This one found they're collectively carrying more infections than Windows PCs (not too surprising since Windows security is much improved these days and it now comes with a very good antimalware system):

https://www.pandasecurity.com/en/mediacenter/mobile-security/android-more-infected-than-ios/

Also keep in mind that most phones are probably thrown out long before app updates are impossible, especially in the first world, and most phones have automatic app updates enabled. If you were to run a phone with an OS of any age and no app updates, that would be very unusual and you would be putting yourself into the riskiest user demographic, exploits targeting browsers and messaging apps do regularly make the rounds. Just recently there was the webp vulnerability affecting browsers on all platforms.

In reply to GameboyRMH

also the article you posted.
 

A group of academic researchers from the US says that less than 0.0009 per cent of smartphones in the US is infected by malware.

And that's malware in general, not even malware from outdated apps or OS. So a percentage of .0009 per cent.  Telling him it's going to happen in one or two months is wrong. 

I was hoping this would be an opportunity for me to rant at the kids on my lawn about my 1st gen iPad no longer being useable due to the OS no longer being supported.

But here I see the forum genuinely leveraging their collective knowledge to help a fellow member. I have nothing to add except a hearty nod of approval to those willing to help out.

Carry on...

For me? I wouldn't use a phone not getting OS updates. I can see others accepting the risks, but I wouldn't for myself. 

A lot of this question is about the future risk, which is pretty unknowable. You can look backwards at prior issues to get a feel for how severe the patched issues are and how often the come up by looking here: 

https://source.android.com/docs/security/bulletin/pixel

You don't have to go back far to find a critical RCE.