I have an old Android TV box and an old Android smartphone (Android 10 and 12 respectively, though I don’t know when their security updates stopped) and I was planning to use them for trivial purposes.
I see people using outdated devices every day; realistically, nobody replaces their old device unless they care about technology or security.
So I wonder, what’s the actual likelihood of an old Android device being compromised?
Is it really that dangerous to connect them to the internet?
Mostly should be fine for everyday non-sensitive tasks if the web browser is still being updated + common sense not to run pirated APKs + adblocking. I wouldn’t run critical services like a pw manager or banking apps on it, but that’s just me. I also got an old phone running Android 11 myself, still does the job for general web browsing, light gaming and as a dedicated alarm clock.
Keep in mind that for devices that are a couple years old with no updates we’re talking about hundreds of unpatched CVEs.
If these are connected to your standard LAN environment they might be a way for a hacker to get into your local network easily. At the very least connect them to a separate LAN.
“hundreds for couple years” is a massive exaggeration tbh.
For the most part if you’re using a Custom OS (a.k.a. ROM) that still provides Android security updates, you are less vulnerable than using outdated Android software. Now of course the concern with hardware shall be valid especially if targeted or otherwise.
With that said the last one great point.
As I just said, harm reduction or not, treat the device as public, regardless of circumstances.
I’ll just agree to disagree, our concern should not be about how many CVEs were fixed but rather not fixed.
And how many of those Pixel security updates are related to the Android operating system rather than the system itself?
See what I mean, exaggeration, end of story.
yep still stand by tens, but depending on how old and if all of those are hardware then makes sense. But otherwise if most are related to the operating system then yeah.
With that said, I hope we can all agree that regardless of how many unpatched CVEs or not (hundreds, thousands, tens), it is still very risky to use a vulnerable device.
Cries in ISP Provided Android Box stuck on Android 12
I wish to throw it but can’t do that because I don’t have full control of my house’s networking/equipment unfortunately.
Also that’s harsh considering it could be reused, just not sensitive things.
I spent years of my life trying to provide security to these old devices, it requires an absurd amount of effort and doesn’t even solve it.
I don’t see anyone currently doing that at the scale I did for EOL devices.
My policy on the matter has shifted to just eliminating them instead.
I am wholly aware however that this is sadly not possible due to a litany of reasons.
Still against e-waste so I would still go for repurpose, just again for these devices if forced to use it or something, treat it as public devices, period.
Sell it even to a new owner, whatever. I don’t want anyone advising to throw perfectly working hardware away whether you like it or not and you can disagree but you’re the ones causing the e-waste kind of problem if you do and I’ll keep saying it even if it means facing scrutiny.
hence defined as public device, because basically whatever way is hacked, they could access the data on it or otherwise what you said.
But I still cannot emphasize enough: