this post was submitted on 24 May 2024
95 points (72.5% liked)
Technology
59495 readers
3041 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
If a rootkit is hiding at the hardware level, it may not matter what operating system or web browser you're using on your phone. A rootkit at this low level could potentially evade detection by the OS and modify files or memory without the operating system's knowledge. It may also be able to disrupt secure boot processes and monitor radio transmissions like Bluetooth, WiFi, and NFC.
Once an exploit is found that works on a particular device model, and attackers know the device manufacturer will never release firmware updates again, they could start searching for any users of that phone model. A rootkit installed this way may remain on the phone permanently since firmware updates are no longer being provided. The phone user may be unaware their device has been compromised.
LineageOS does not employ a dedicated security engineer for each phone model. Maintainers with LineageOS typically take the latest firmware from the original device manufacturer and import it into their build process. But if the latest firmware release from the manufacturer is already three years old, it's possible there may now be several undiscovered vulnerabilities in that outdated code.
So for the average users that only want to go on with their lives and not buy brand new phones every 2-3 years (or don't live in places where fairphone and pixel phones are available) what would be the solution?
If a person is not some POI, don't you think that wouldn't be better to flash something that at least includes some relatively up to date security patches?
And how those rootkits are being loaded to phones with outdated firmware? Bundled with the last OS that was flashed or remotely by exploiting security flaws? Not a dev, but curious about it.
It's generally best to get a phone that receives software updates and security patches for more than 2-3 years. This is because vulnerabilities can be discovered in older hardware that cannot be fully fixed with a software update alone. While updating the OS helps with security at that level, flaws in the underlying hardware may still exist. Additionally, threats can come from various sources like malicious apps, texts, USB devices, or physical access, not just online attacks. Choosing a manufacturer that supports phones longer can help reduce these risks over the life of the device.
See first paragraph again, not everybody is as affluent as you're, look at the problem from the other perspective
will take control of the phone from the inside out, nothing will withstand that
Pegasus will use 0day, nothing to do about that
Once somebody have physical access because you're some POI and not an average Joe, not much you can do
See first paragraph, parenthesis content. Also phones are made with short lifespan on purpose, this gives steady inflow of money for the manufacturers, only few will give you what you want
There is no blanket advice for which device to use. You will have to look it up yourself. But if you're using a phone beyond its supported time, then you are vulnerable.
Nothing can withstand a 0-day attack, but it's on your manufacturer to prevent a 1460-day attack.
See above statement.
You can be a random person walking in a busy metro area and happen to get in range of someone who is scanning for a particular device to use a side-channel attack on. You don't have to be a POI.
The manufacturers are still responsible for patching their devices. Once they stop doing that, you should know that device can't be trusted with your privacy and security. This is the minimum baseline standard. If you are trying to extend the life of a device by yourself, and use it as a daily driver, you have decided that your data is free for anyone to have.
I guess if you're broadcasting all the beacons your phone can be pawned even if you miss the last month OS update on your latest, greatest, shiny toy. This is just inevitable.
You can always go the iPhone route and have Apple support your device for over six years. And you don't have to buy a phone for a very long time.