Ask HN: Real-world danger of not updating phone?
27 points by Derbasti on July 13, 2022 | hide | past | favorite | 22 comments
Phones that can't get software updates are more at risk of becoming targets for malware. Many phones only get software updates for a small number of years, often three years or less. Usually they get only a short time of firmware updates, a somewhat longer time of first-party bugfixes, then merely app fixes and possibly third-party ROM fixes.

Yet modern phone hardware is often still plenty fast enough for everyday use when the updates dry up.

Hence my question: what is the actual real-world danger of not updating your phone? Did anything ever happen to you or your phone because it wasn't updated?



For example, somebody can send a GIF image via iMessage on iOS 14.7 and take over the phone. No click required. https://www.hackread.com/nso-zero-click-imessage-exploit-hac...

https://en.wikipedia.org/wiki/Pegasus_(spyware) used this among other exploits. "Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype."


Is this stuff actually happening in the wild, though? To random, unimportant people?

The iOS security hole was probably fixed before the version was abandoned on old devices, and Pegasus is probably mostly used in targeted attacks.

Right?


Let’s assume Pegasus is the furthest upstream (first to hack). Once it is fixed, security researchers (or hackers) can learn what the exploit was and how to use it. How long before it ends up in something like metasploit?


If you're only safe if someone's bot doesn't choose you, you're not safe.

GrapheneOS.org CalyxOS.org


Responsible nations should forbid selling a phone without providing at least 7 years of updates. How's that, we are living in a free world? Obviously under environmental legislation, avoiding a lot of completely avoidable electronic waste. Some people break their phones much earlier, but far from all do.

Wouldn't that hinder technical progress? It might slightly slow it down. But looking at the current bloat of nonsense that a current Android phone contains, that would not be a bad thing. If you need more than 2GB of RAM for a phone to run smoothly it's just bad engineering.

To answer your question: This SailfishOS phone runs a 3.10 kernel. It was built only 2 months ago, but I would not bet my head it is really well-patched throughout. The browser is based on Firefox ESR 78. So although formally still maintained I'd not be surprised it contained unpatched known vulnerabilities. Nothing has happened to me ever, but I don't use this phone to do really sensitive stuff.

For a mainline Android phone the risk might be higher. What were the last big drive-by attacks not requiring user interaction?


Why 7 years? Where does that number come from?

Apple usually provides software updates for their devices for about 5 years, for instance, which seems reasonable, since that's a common depreciation period as well.

You'd probably also be hard-pressed to find a significant number of people who own 7-year old phones. That's not to say those don't exist, just that they're probably not numerous enough to justify making this a generally applicable law.


7 was just a figure. 5 would already be a significant improvement where many vendors don't even offer 3 years after the devices were sold last.

I am fully aware that 7 year old phones are not common. My point is that the current rate of obsolescence is not sustainable from an ecological standpoint, so this has to change.


App dev here. We haven't seen an Android phone older than 2017 (so yeah, 5 years too). And we're catering for a poor country that doesn't change phones often.


How many installs though? I still power on my old Nexus 6p occasionally.


> Many phones only get software updates for a small number of years, often three years or less.

True on Android. iPhone lifespan is longer at 5+ years.

For instance, iOS 16 will not support handsets older than 2017, but iOS 15 will continue with security updates for some time after that (presumably 2-3 years). So somewhere around 8 years total device lifespan in terms of security support.


True.

Although I do wonder how thorough those late iOS updates really are. IIRC, Android updates various system technologies through the play store, so e.g. Chrome and web views will stay updated far longer than the rest of the OS, whereas iOS updates just stop when they stop.

Still, as far as longevity is concerned, iOS is still miles ahead of Android.


I believe they are just backported critical security updates. Although iOS 13 also got the COVID-tracker backported (which required the new GUI and possibly more sophisticated anonymizing code).


IIRC, iOS 13 (the last iOS on the last generation to age out) still gets critical security updates.


Nobody is really answering your question.

I suspect the people who could answer it aren't on HN, and probably don't have the technical ability or the vendor support to root cause the thousands of dollars of fraudulent transactions on their credit card. Banks likely just reverse the transaction and report it to the feds. Maybe there's a bunch of loans in a victim's name which they won't find out about until they go to buy a house in 5 years time. How would anyone even tie that back to an old phone?

Unfortunately, having your identity stolen isn't as simple as a notification which pops up saying "This literally just happened. Should have updated to Android 12".


In my case it's almost irrelevant because I don't have anything of real importance on my phone. I have an Android phone that does not have my gmail account on it. It does not have any enabled payment mechanism. It does not have access to sensitive documents. It has a few contacts on it, but that information is basically public anyway. I do not use it for 2FA. I do not have a password manager on it. It's just a throwaway device that is convenient for accessing the outside world without any identity built into the phone.

I realize that this means I forego many of the advantages of having a personal device, but that was a conscious choice I made a long time ago.


Apple issues security patches for previous versions of iOS as well, so you should be covered for the duration of usage of the phone (unless you use it for a very long time, say 8+ years?).


Never underestimate the maliciousness of bored teenagers.

For a time, Bluetooth vulnerabilities left unaddressed could be exploited by anybody with the training and sophistication enough to download a "prank" app from the Play store. Said app provided full access to the victim phone's filesystem.


Un-updated phones are unlocked doors, but with the internet the whole world walks through your neighborhood every night and knows you're on vacation (no risk associated with breaking in).

Edit: the flip side is that probably half your neighbors have their doors unlocked too.


Would be more accurate to say un-updated phones are unlocked doors you know are unlocked. Up to date? Slow update cycles measured in weeks suggest for some portion of some number of cycles they're also unlocked.

Worse is how some fraction of updates are very bad news, thus people who care about this delay until there's enough confirmation an update won't do something nasty to something they depend on, which can go all the way to basic phone and SMS usage.


I didn't update my iPhone for months and it completely bricked itself. Can't confirm they're related, but a barely 3 year old phone bricking itself so soon was odd.

Basically one morning all networks (Bluetooth, WiFi, LTE, 5G) all stopped working and I couldn't use them, a message saying I have to update the phone to use networks. Pretty genius to prevent me from downloading the update I need, but I tried to update through iTunes and it didn't fix anything.


I call BS on this. Mostly because:

- "a barely 3 year old phone bricking itself"

- "all networks (Bluetooth, WiFi, LTE, 5G)"

are incompatible. The oldest iPhone that supports 5G (iPhone 12) isn't 3 years old yet.

It's possible that you have some kind of crash or error (those happen), but Apple support should definitely fix it.

I would totally believe, given how cell providers lie about what 5G is and how they've been shutting down networks, that the "5G" broke because your carrier decommissioned the 3G towers they list as 5G.


planned upsolescence



