Hi, I have a Pixel 4a that I love and that works great (with CalyxOS). I bought it when it came out and I really don’t want a new phone, but…
Security updates from Google stopped for the 4a about a year and a bit ago, and for the last year I have been slowly getting more and more anxious while trying to ignore it. I’m still getting the Android security updates (software) for another year or so (thanks Calyx!), but I’m not getting the firmware security updates anymore.
I’m experienced in the field of cyber security and I feel like I’m in denial because I really really don’t want to buy a new phone.
Please tell me if I really should get a new phone or not…
My threat model would be just an average person but with the added paranoia of knowing too much about privacy and security, and my avoidance of getting a new phone is mostly rooted in zero-waste ideology and pure hate towards Google for forcing me to stop using a great phone that would otherwise probably be usable for another few years.
Your system is fully updated from at least the kernel/initramfs and up. Next you’re running a system that has additional security measures.
So this breaks down to: what is firmware, and are you aware of any issues in it? If not, then there’s no reason to get a new phone.
I’m not aware of any firmware security issues for any Android phone, assuming firmware means pbl, sbl, aboot, modem or on-chip, and even if there were, they would be hard to exploit given your up-to-date and hardened system. But that’s all theoretical and also applies to any new phone you would purchase.
Thank you 🙏
I’m experienced in the field of cyber security
So… go look up the CVEs. Go have a look at what the actual threats against the old device are. What’s the method of attack, and do you care?
If you decide you’re happy with the device, then remember to keep going back and checking whether any new attacks against the device exist.
Whatever happens, we’re not protected against 0day attacks (by their very nature).
I guess there is some reason to worry about “unknown” attacks against the device. But like 0days, there are probably unknown attacks against patched devices as well.
Do you have a way to find them? I did look around at some CVE sites but I couldn’t find anything specific to the Pixel 4a, making me think that maybe I need to look at individual parts within it, which can be a lot more work and somewhat complicated.
Edit: Saw CVE-2024-36971, I guess it’s time 🫠
That CVE is in the Linux kernel, which CalyxOS should be fixing for you, via their security updates.
I think you’ll be fine as long as CalyxOS is supplying your device with Android security updates. As an average user, with no reason to be the subject of targeted attacks, firmware vulnerabilities are not a huge concern (assuming your OS and other software are up to date with security patches).
Of course, if someone hostile gets physical access to your device, firmware becomes more important. Remote exploitation of a firmware vulnerability typically requires first exploiting a software vulnerability (and CalyxOS is updating your OS software). With physical access, one might skip that step by connecting a cable to your phone and interacting with it directly.
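The triage the thread keeps circling around (look at the individual parts, work out which patch stream still covers each one) can be made mechanical. The following is an added example, not code from the thread or from CalyxOS: it classifies Android security bulletin style entries by component and compares each entry’s patch level against the two streams the 4a now has, OS patches (still arriving) and vendor firmware patches (frozen). The component names, the CVE-0000-* ids and all dates are constructed placeholders; only CVE-2024-36971 comes from the thread, and its patch level here is assumed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Which patch stream fixes each bulletin component: the OS build (CalyxOS keeps
# shipping these) or the vendor firmware images (frozen at end of life).
# Component names are constructed for the example, not a complete bulletin taxonomy.
OS_COMPONENTS = {"Framework", "System", "Kernel"}
FIRMWARE_COMPONENTS = {"Bootloader", "Modem", "Qualcomm closed-source components"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class BulletinEntry:
    cve: str
    component: str
    severity: str
    patch_level: date  # first security patch level that contains the fix


def exposure(entries, os_patch_level, firmware_patch_level):
    """Return the entries whose fix the device has NOT received, worst first.

    An entry is covered only if the patch stream responsible for its component
    has reached the entry's patch level; unknown components count as uncovered.
    """
    unpatched = []
    for e in entries:
        if e.component in OS_COMPONENTS:
            covered = os_patch_level >= e.patch_level
        elif e.component in FIRMWARE_COMPONENTS:
            covered = firmware_patch_level >= e.patch_level
        else:
            covered = False
        if not covered:
            unpatched.append(e)
    return sorted(unpatched, key=lambda e: (SEVERITY_RANK.get(e.severity, 9), e.patch_level))


# Constructed sample bulletin. CVE-2024-36971 is the kernel CVE from the thread;
# the CVE-0000-* ids and every date are placeholders, not real advisories.
SAMPLE_ENTRIES = [
    BulletinEntry("CVE-2024-36971", "Kernel", "High", date(2024, 8, 5)),
    BulletinEntry("CVE-0000-PLACEHOLDER-1", "Framework", "High", date(2024, 7, 5)),
    BulletinEntry("CVE-0000-PLACEHOLDER-2", "Modem", "Critical", date(2024, 3, 5)),
    BulletinEntry("CVE-0000-PLACEHOLDER-3", "Bootloader", "Moderate", date(2023, 6, 5)),
]
# Constructed device state: OS stream current, firmware stream frozen a year earlier.
OS_LEVEL = date(2024, 8, 5)
FIRMWARE_LEVEL = date(2023, 8, 5)

if __name__ == "__main__":
    for e in exposure(SAMPLE_ENTRIES, OS_LEVEL, FIRMWARE_LEVEL):
        print(f"{e.cve:24} {e.component:12} {e.severity:9} fixed at {e.patch_level}")
```

With the sample data the kernel CVE drops out because the OS stream already carries its fix, and only the modem entry remains, which is exactly the class of finding that would justify replacing the device.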
I’m experienced in the field of cyber security and I feel like I’m in denial because I really really don’t want to buy a new phone.
Then you know the answer already. Bite the bullet.
Meh, security isn’t one thing, it’s layers.
Everything always has risks, 0-days most notably.
Take a look at the NTLM risk that was just announced - every version of Windows is susceptible to it. Minimizing access to small groups is what has kept smart businesses safe from it. Along with things like isolating primary systems on a VLAN with no direct access, unless authorized by more than one person, and through well-configured, specific mechanisms.
Everywhere I’ve worked has had to run expired OSes for one thing or another - typically CNC-type systems that were built for DOS or maybe XP. Do we stop running those systems just because the OS is no longer supported? No - they either get air-gapped or run on a very isolated VLAN with very strict access controls.
Then there’s the person’s threat model. Who is likely to be after you? Do you run questionable apps or just basic ones? Do you have Google services (it’s a risk in my opinion)? Does your phone have a firewall? Do you block network access for apps that shouldn’t need it? Do you separate apps into user profiles to keep data from leaking across them? Do you use a VPN? Maybe a mesh network to your own systems, with all internet traffic going there, then filtered by that firewall or IPS/IDS?
Lots of ways to skin the cat, but the most important thing is to maintain layers. Layering is why MFA is such a big thing right now - it’s another access control layer.
I run a bit wild, I admit it. But my threat model doesn’t include people specifically coming for me, or state-level actors. I do have some data-destruction mechanisms in place, just in case.
Thank you 🥲