Keep using my phone after security patches stop?
September 20, 2019 1:35 PM

My phone gets its last security patch next month and is otherwise perfectly fine. Can I keep using it?

I've always been careful to use a phone with timely patches, but I guess I don't actually know what I'm protecting myself against. When I search Google it turns up articles that seem pretty old in smart-phone time.

What risks will I open myself up to if I keep using this phone?

Details you might want to know:
  • It's an Android.
  • I use it for web browsing and personal email.
  • For apps I use much of the Google suite, plus Firefox, Transit, Audible, and Lyft.
  • I don't use it for work, but the email accounts on my phone are the ones used for banking and official stuff.
  • I'm a middle class person in the US.
  • I'm hoping for phone-agnostic answers, but the phone in question is a Nokia 6.
posted by paper chromatographologist to Technology (5 answers total) 2 users marked this as a favorite

When Does an Old Smartphone Become Unsafe to Use? -- skip to the end of this Tom's Guide article, and they say "if your smartphone no longer gets OS updates or security patches, then it's time to move on."

One possible alternative is to get a custom Android build running on it, which could extend its life. I haven't used custom ROMs, but I imagine that users might work to keep their old phones running longer. Here's a list of custom ROMs for Nexus 6, updated May 2, 2019 from Get Droid Tips. I can't vouch for either the site or their list, but it could be something worth considering.

Considering that you use your phone for banking and official stuff, I would personally be more comfortable with official software, but again I haven't looked into custom ROMs and their respective safety at all. It could be that custom builds are more responsive to bug reports, making them safer platforms.
posted by filthy light thief at 1:46 PM on September 20, 2019 [3 favorites]

I don't see any custom ROMs listed for any Nokia phones, let alone the Nokia 6, on the Lineage OS download page. My searching shows inconclusive results for whether the official Android ROMs might work, but in any case, the process for loading a custom ROM is pretty technical, and could brick your phone if you're not sure about what you're doing (or even if you are sure, sometimes). That said, it is theoretically an option, if you're comfortable with that. (I have only done this once to downgrade an old Nexus tablet and even that relatively straightforward setup was pretty involved.)

As far as whether it's safe to continue using your phone as is, that highly depends on your level of risk tolerance. As vulnerabilities are discovered, your phone will become progressively less secure, and unless you're keeping a close eye on the exact nature of the vulnerabilities known to exist on your phone, it can be very difficult to avoid behaviors that were formerly fine but are now risky on a vulnerable phone. If you're not doing anything sensitive on the phone, and it doesn't sync with accounts you'd rather not have compromised, and you limit the 3rd party apps loaded, some of the risk can be mitigated, but if you want to keep using this as a daily-driver with access to everything, I'd recommend looking into upgrading within a few months at minimum.
posted by Aleyn at 2:32 PM on September 20, 2019 [2 favorites]

I don't know of data as far as your likelihood of being hacked or the dollar value if it happens. I suspect that's hard to study in the past and impossible to predict.

But here is the technical argument for upgrading:

* Access to your phone, such as your email credentials or the ability to ransom your data, has a resale value on the black market.

* Phones can be hacked through means such as sending you a crafted text message, or when you visit a website with malicious ads; it's hard to avoid those risks with typical phone use.

* While all phones are vulnerable (we add bugs as fast as removing them), the cost of exploits for attackers goes down over time. One of the exploits above against a perfectly up to date Android or iOS phone might cost hundreds of thousands or millions of dollars for an attacker, and risk being permanently lost if used. That cost will head toward $0 after it is patched.

So in theory, the longer you keep an unpatched phone around, the more likely it is to be worth someone's time and money to hack it. I expect this economic argument will always be basically sound -- it's more a question of how active the black market will turn out to be next year.
posted by john hadron collider at 2:38 PM on September 20, 2019 [4 favorites]

Here's an example in the news of a security exploit that only required the user to visit a website. Granted this is a more extreme case since there was most likely a nation-state behind the attacks.

I totally understand the feeling that it seems wasteful to purchase a new $300 plus (or even $600 plus !!!) phone when your current phone seems more than adequate for your daily needs, minus the security drawbacks. One possible happy medium may be to create a "dummy" Google Account to use solely on your Android phone and to never online bank on your phone nor check your email on your "real" accounts. Basically don't do anything sensitive on this phone. If you need to check your real email for work or other important use you could use your Android phone as a hotspot to connect a laptop/tablet that still receives security updates. This is not a perfect solution but will probably greatly reduce your security risks.

It was kind of fun to experiment with putting a custom ROM on my Android phone but I found things like call quality and picture quality severely lacking. YMMV. My particular Android phone wasn't supported by LineageOS so I had to use a custom ROM put together by like one dude in his spare time. I wasn't sure how thoroughly this super tiny open source software project was vetted so I didn't use my Custom ROM phone for sensitive info either.

Personally my solution was to buy a $69 iPhone SE on The SE will probably stop receiving security updates next year when iOS 14 comes out in September 2020. At that time I'll probably get the rumored new low cost iPhone or another inexpensive used iPhone.
posted by mundo at 7:54 PM on September 20, 2019

Since you're in the US, it will require some messing about (though no more than installing LineageOS), but HMD have said that the Nokia 6 will be getting quarterly updates for an extra year in most markets. You should be able to download and apply them manually if you so desire.

Also, device updates in general have become somewhat less critical in the past few years as Google has shifted more and more of the security-relevant (in the sense of being open to exploitation without physical access to the device) into components that are updated through the Play Store, not tied to the device firmware. Most Android OEMs continue to supply very few firmware updates at very irregular intervals, after all. Personally, I'd keep using the 6 for a while longer, but make sure I kept the cash on hand to replace it in short order should some exploitable kernel bug turn up. I would not take that calculated risk if I were a publicly known personality or had reason to believe I was at risk of being specifically targeted.
posted by wierdo at 1:53 AM on September 22, 2019
