Ask HN: Real-world danger of not updating phone?
Phones that can't get software updates are more at risk of becoming targets for malware. Many phones only get software updates for a small number of years, often three years or less. Usually they get only a short time of firmware updates, a somewhat longer time of first-party bugfixes, then merely app fixes and possibly third-party ROM fixes.
Yet modern phone hardware is often still plenty fast enough for everyday use when the updates dry up.
Hence my question: what is the actual real-world danger of not updating your phone? Did anything ever happen to you or your phone because it wasn't updated?
25 comments
[ 0.26 ms ] story [ 65.2 ms ] threadhttps://en.wikipedia.org/wiki/Pegasus_(spyware) used this among other exploits. "Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype."
The iOS security hole was probably fixed before the version was abandoned on old devices, and Pegasus is probably mostly used in targeted attacks.
Right?
GrapheneOS.org CalyxOS.org
True on Android. iPhone lifespan is longer at 5+ years.
For instance IOS 16 will not support handsets older than 2017, but IOS 15 will continue with security updates for some time after that (presumably 2-3 years). So somewhere around 8 years total device lifespan in terms of security support.
Although I do wonder how thorough those late iOS updates really are. IIRC, Android updates various system technologies through the play store, so e.g. Chrome and web views will stay updated far longer than the rest of the OS, whereas iOS updates just stop when they stop.
Still, as far as longevity is concerned, iOS is still miles ahead of Android.
Edit: the flip side is that probably half your neighbors have their doors unlocked too.
Worse is how some fraction of updates are very bad news, thus people who care about this delay until there's enough confirmation an update won't do something nasty to something they depend on, which can go all the way to basic phone and SMS usage.
Basically one morning all networks (Bluetooth, WiFi, LTE, 5G) all stopped working and I couldn't use them, a message saying I have to update the phone to use networks. Pretty genius to prevent me from downloading the update I need, but I tried to update through iTunes and it didn't fix anything.
- " a barely 3 year old phone bricking itself"
- " all networks (Bluetooth, WiFi, LTE, 5G)"
are incompatible. The oldest iPhone that supports 5G (iPhone 12) isn't 3 years old yet.
It's possible that you have some kind of crash or error (those happen), but Apple support should definitely fix it.
I would totally believe, given how cell providers lie about what 5G is and how they've been shutting down networks, that the "5G" broke because your carrier decommissioned the 3G towers they list as 5G.
Wouldn't that hinder technical progress? It might slightly slow down it. But looking at the current bloat of nonsense that a current Android phone contains, that would not be a bad thing. If you need more than 2GB of RAM for a phone to run smoothly it's just bad engineering.
To answer your question: This SailfishOS phone runs a 3.10 kernel. It was built only 2 months ago, but I would not bet my head it is really well-patched throughout. The browser is based on Firefox ESR 78. So although formally still maintained I'd not be surprised it contained unpatched known vulnerabilities. Nothing has happened to me ever, but I don't use this phone to do really sensitive stuff.
For a mainline Android phone the risk might be higher. What were the last big drive-by attacks not requiring user interaction?
Apple usually provides software updates for their devices for about 5 years, for instance, which seems reasonable, since that's a common depreciation period as well.
You'd probably also be hard-pressed to find a significant number of people who own 7-year old phones. That's not to say those don't exist, just that they're probably not numerous enough to justify making this a generally applicable law.
I am fully aware that 7 year old phones are not common. My point is that the current rate of obsolescence is not sunstainable from an ecological standpoint, so this has to change.
For a time, Bluetooth vulnerabilities left unaddressed could be exploited by anybody with the training and sophistication enough to download a "prank" app from the Play store. Said app provided full access to the victim phone's filesystem.
I suspect the people who could answer it aren't on HN, and probably don't have the technical ability or the vendor support to root cause the thousands of dollars of fraudulent transactions on their credit card. Banks likely just reverse the transaction and report it to the feds. Maybe there's a bunch of loans in a victim's name which they won't find out about until they go to buy a house in 5 years time. How would anyone even tie that back to an old phone?
Unfortunately, having your identity stolen isn't as simple as a notification which pops up saying "This literally just happened. Should have updated to Android 12".
I realize that this means I forego many of the advantages of having a personal device, but that was a conscious choice I made a long time ago.