Old android device and chances of being hacked

I have an old Android TV box and an old Android smartphone (Android 10 and 12 respectively, though I don’t know when their security updates stopped) and I was planning to use them for trivial purposes.

I see people using outdated devices every day; realistically, nobody replaces their old device unless they care about technology or security.

So I wonder, what’s the actual likelihood of an old Android device being compromised?
Is it really that dangerous to connect them to the internet?

3 Likes

Mostly should be fine for everyday non-sensitive tasks if the web browser is still being updated + common sense not to run pirated APKs + adblocking. I wouldn’t run a critical service like a pw manager or banking apps on it, but that’s just me. I also got an old phone running Android 11 myself; it still does the job for general web browsing, light gaming and as a dedicated alarm clock.

3 Likes

Keep in mind that for devices that are a couple years old with no updates we’re talking about hundreds of unpatched CVEs.
If these are connected to your standard LAN environment they might be a way for a hacker to get into your local network easily. At the very least connect them to a separate LAN.

2 Likes

Agreed with @baery, more or less that: just treat it as a public device, not a private device you can store sensitive data on.

“hundreds for couple years” is a massive exaggeration tbh.
For the most part if you’re using a Custom OS (aka. ROM) that still provides Android security updates, you are less vulnerable than using outdated Android software. Now of course the concern with hardware shall be valid especially if targeted or otherwise.
With that said the last one great point.

As I just said, harm reduction or not, treat the device as public, regardless of circumstances.

3 Likes

It absolutely is NOT an exaggeration. Go look up any monthly Pixel security update and count the fixed CVEs.

4 Likes

I’ll just agree to disagree, our concern should not be about how many CVEs were fixed but rather not fixed.
And how many of those Pixel security updates are related to the Android operating system rather than the system itself?
See what I mean, exaggeration, end of story.

1 Like

And you can never predict how a crafty hacker might exploit one of these.

then say as it is, “Tens”
not “Hundreds”

yep still stand by tens, but depending on how old and if all of those are hardware then makes sense. But otherwise if most are related to the operating system then yeah.

1 Like

with that said I hope we can all agree that regardless of how many Unpatched CVEs or not (hundreds, thousands, tens), it is still very risky to use a vulnerable device.

In fact I’ve been trying to convince a Pixel 4a to change their device: Pixel 4a EOL / Alternative OS - Get Advice - Techlore Forum

since it’s old and is vulnerable for a daily driver

and if I was to do it, harm reduction or better: treat it as a public device is all.

nah, the number is likely actually higher

there are like 10-20 in each Chromium update
20-60 in each monthly ASB+PSB
and 20-100 a week in Linux (there were 146 last week alone)

6 Likes

I’ll just stand on the last statement I said.

@SpunkyEatsYou
please retire and recycle that hardware asap.

1 Like

Cries in ISP Provided Android Box stuck on Android 12
I wish to throw it but can’t do that because I don’t have full control of my house’s networking/equipment unfortunately.

Also that’s harsh considering it could be reused, just not sensitive things.

I spent years of my life trying to provide security to these old devices, it requires an absurd amount of effort and doesn’t even solve it.
I don’t see anyone currently doing that at the scale I did for EOL devices.
My policy on the matter has shifted to just eliminating them instead.
I am wholly aware however that this is sadly not possible due to a litany of reasons.

3 Likes

then say as it is, “Tens”
not “Hundreds”

That’s for the month of June only, multiply those CVEs for 24 months and you’ll have the hundreds Valynor was talking about.

2 Likes

Still against e-waste so I would still go for repurpose, just again for these devices if forced to use it or something, treat it as public devices, period.
Sell it even to a new owner, whatever. I don’t want anyone advising to throw perfectly working hardware away whether you like it or not, and you can disagree, but you’re the ones causing the e-waste kind of problem if you do, and I’ll keep saying it even if it means facing scrutiny.

as @Valynor mentioned, they become a huge vector against other devices on the network or the greater Internet

see how many recent botnets are composed of eg. insecure IP cameras

hence defined as public device, because basically whatever way is hacked, they could access the data on it or otherwise what you said.
But I still cannot emphasize enough:

This sunk cost fallacy?

Sounds like you have a liability at home. Don’t do mental gymnastics to justify it.

Rip and tear it out and replace until you are secure.

1 Like