
Well, this was an awkward way to realise my phone hasn't been receiving security updates for years. Apparently Google quietly dropped support for it? The phone is otherwise in excellent condition. Any recommendations for a good third party OS that still supports Pixel 2?


I've been a (happy) Lineage OS user since 2013, and Pixel 2 is still supported by them, so you can check them out. But note that the security updates provided by Lineage OS only pertain to the Android part, not the modem part. This isn't something that a third party OS vendor can fix, as the modem/firmware updates are supplied by the device vendor. And even those are reliant on their suppliers, so ultimately unless they have the negotiation power of a multi-trillion-dollar company (not every vendor has that), they don't have the power to support devices for a long time either (see Fairphone's struggles with Qualcomm for example).

For Lineage OS, they maintain the kernels released by the vendors and backport patches to them. But this often means that the backports only address the publicized CVEs and might gloss over a lot of changes between kernel versions that might not have had famous bugfixes. A lot of patches don't end up in a kernel, and often while the version number reads as that of a modern kernel, only a small percentage of the patches in that kernel release were applied compared to the upstream kernel. For this it's important to note that the kernel doesn't have a clean separation between "bugfix" and "CVE fix" for patches; this is already a problem that their officially maintained LTS versions have.

From the security point of view you are definitely better off than if you stayed on something that's unpatched, but I have to mirror what parker_mountain is saying. It's way _way_ better to just get an iPhone as that also gives you modem security updates for half a decade. I am really unhappy about the lack of freedom these devices give me, but I switched to an SE one year ago. It's just such an incredibly good TCO for really good security.


I am always divided in my personal opinion about open source and the problems that come with it.

LineageOS has improved a lot over the years, and Android 12 (10+ with GSI images) finally has a working OTA update workflow.

But honestly, the "Android is not Android" problem is hard to communicate and endusers have so many pitfalls.

If you tell them "oh yeah I actually use RethinkDNS as an adblocker, combined with Fennec via F-Droid and its uBlock Origin extension that only somewhat works on mobile due to their messy UI" then you have already lost 99% of users, who will never figure out how to flash their device with the custom ROM, let alone understand what you just said.

It's so sad that you also have to tell them "but use only one of maybe 10 devices, all other Android devices are either totally outdated with their kernel or cannot be supported anymore"... and when I read your comment I kind of have to agree with your point.

iPhones have zero maintenance. It's a golden cage but it's a well built one, and most users just don't want to spend days and weeks learning how to maintain their smartphone.


Thanks for that extensive write-up. This is some serious food for thought.

Also, I thought I recognised your username. I use at least one of your crates. Thanks for those, too! :)


Glad that you liked my writeup (and my crates)!


> It's just such an incredibly good TCO for really good security

Good security when you cannot turn WiFi and mobile data off because it has to talk to the mothership?


You can turn off WiFi and cellular data on iOS.


You could try using DivestOS. Your device is supported on the latest builds, and that OS targets security.

However, DivestOS might be very different from the stock OS from Google. You might consider using LineageOS with Google Apps (MindTheGapps) if so.

* https://divestos.org/pages/devices#device-walleye

* https://wiki.lineageos.org/devices/walleye/

* https://mindthegapps.com/


Pixel 2 is not impacted by this vulnerability as it doesn't have a Samsung modem.


No but if their Pixel 2 is no longer receiving security updates then figuring out a replacement plan (even if you don’t plan to do it yet) seems like a good idea.


Honestly, unless it's a remote, worm-grade exploit or you're a high value target, you can probably just stop caring about software updates.

Your threat model might be different but I don't get out of bed for anything but RCE personally, let alone spend a penny.


With a cursory search I found CVE-2021-0316. This one's just for bluetooth, but it's an RCE with no user interaction discovered in 2021. Pixel 2 had its last security patch in November 2020.


Yes, it exists, but is it actively exploitable? A cursory search turns up no working exploit code. Given modern exploit mitigations many theoretical vulnerabilities turn out to be nothing-burgers, as far as I can see there's certainly no worm running around popping phones with it.

For sure, if you're paranoid or a high-value target, update, buy a new phone. But normal users don't need to care unless there's actually something on the line.


Android's security advisory page shows what vulnerabilities have been found in the wild. Security researcher Maddie Stone from Google's Project Zero:

https://twitter.com/maddiestone/status/1395004346996248586

Not sure what to say about encouraging users to throw caution to the wind. We got to this point of such good exploit mitigation because it's good for everyone for these devices to be secured.


A bit silly to link a page about malware that Play Protect prevents, largely local privescs that are being detected by the OS or Google Play beforehand.

An average user installing apps from Play Store has nothing to worry about for those. That's kind of the point.

It's great for these devices to be patched - I'd love it if Google would take more control over the ecosystem to be able to patch this sort of thing, but it's much worse for users to just throw out otherwise working devices with limited-to-no real-world security issues.


Google Play Protect has limited capabilities to protect against in-the-wild exploits of the kind Maddie described. It knows about certain packaged implementations, which means that it can offer some defense from off-the-shelf uses of an exploit, but it definitely does not reduce the risk to anywhere near zero. The only correct way to mitigate against exploits like this is a patch, end of story.


Absolutely, but like I mentioned in the prior post, these are local privescs. You basically need to go out and install malicious apps.

If you can use Windows without it getting full of malware, you can handle unpatched Android LPEs too.

Keep in mind, Webview, browsers, email clients, etc are patched via app update mechanisms.


GPU bugs are particularly concerning because they have significant power (the GPU can often map all of physical memory if convinced to do so) and widely exposed (lots of things need graphics). Turning one of these into a full chain can often require zero bugs if the buggy API is callable from JavaScript, or one to escape the VM and poke the driver.


Um, no? Most of the RCEs I'm seeing are at the OS level and would require upgrading to a newer Android OS version that older devices won't have support for.


To fully patch, yes, but the point is that Play Protect is detecting them before installation before they can be exploited, ie: on submission to Play Store or on installation on devices.

Yes, this is still a risk - if you tend to install random apks from the internet and disable Play Protect or run across an undetected modification of the relevant exploit code. But most users don't do that.


Gotcha. Still, it's a lot of RCEs coming out per month to depend on blackbox machine learning for something people use every day for their personal/business needs.


I would like to see stats on what percentage of android phones were exploited in the wild for malicious purposes (ie. excluding cases where the user deliberately is jailbreaking them).

Personally I have never seen any friends or relatives get malware on their phone that gets outside the app sandbox (ie. Uninstalling the bad app seems to solve the issue). Compare that to MS Windows where it seems common for regular users to have malware infested systems.


Generally the fraction is fairly low, because the bar for a full chain these days is pretty high. That said, it is important to not be lulled into a false sense of security because you don't seem like an attractive target. A chain worth $50k can be a good purchase if you think you can bring a million dollars home with it.


I guess, but it sure is nice that on Apple hardware you generally don’t need to worry about doing this calculus because they deliver updates in a timely manner to even five year old devices.

It bums me out that them doing this hasn’t been effective in shaming everyone else into following suit.


According to Wikipedia the Pixel 2 received security updates for less than 3 years. None of their devices got more than 3 years 3 months of updates. That should be illegal honestly, couldn't be more clear that they don't care about sustainability.

https://en.m.wikipedia.org/wiki/Google_Pixel


Qualcomm's lack of support for older chipsets has been blamed for the short lifecycles of these phones. Pixel 6 and 7, which don't use Qualcomm SoCs, both get at least 5 years of security updates.


Google is ten times the size of Qualcomm— there's no way they wouldn't be able to extract those commitments upfront.


Google is, but most of Google isn't (wasn't) purchasing SoCs from Qualcomm. Its hardware division is tiny.


If you could demonstrate harm from a vulnerability, you could probably ask a court for some compensation.

Just like if your lawnmower exploded with a known flaw, you would sue the lawnmower manufacturer.


I still remember when phones did not receive any updates, and the few lucky models required developer tools to manually upload the firmware updates, and most of those few selected models only got one such update in their lifetime.


Not sure if you’re referring here to the BlackBerry era or right back to side-sliders and razr flips, but either way, both the stakes and the attack surface were way lower back when there were no apps and phones really were just for calling and texting.


Brew, Symbian, Java ME and Windows CE/ Pocket PC, Palm era.

Plenty of apps and networking in Europe and Asia.


Fair, okay— as soon as email, payments, or banking is involved then you have a juicy target and you need a device that's secure end-to-end.


The iPod Touch Gen 7 lasted just under 3 years from release. They may be better than many others but I just got bit by that one.


That is unfortunate. Certainly the trend has been for them to lengthen the support window over time— see this article for a decent summary: https://www.macworld.com/article/675021/how-long-does-apple-...

I wonder if Apple views the "iPod" branding as being more associated with gaming and consumption and therefore less important from a security standpoint. I don't think I necessarily would agree with such a stance when the exact same hardware can carry sensitive stuff like a password manager, banking and medical apps, and so-on. But I imagine their telemetry showed that that overwhelmingly wasn't the case, so it was easy not to prioritize it.


No, it's more that Apple has always released iPod with older chips, and in this case it also decided to discontinue that product line, which meant that they dropped software support for it relatively soon.


This may be a special case: "With the release [of iOS 16], Apple dropped support for iPhone and iPod Touch models with A9 and A10 Fusion chips (the iPhone 6S/6S Plus, the 1st gen iPhone SE, the iPhone 7/7 Plus and the 7th gen iPod Touch) due to hardware limitations and Chinese government's border stringent in response of COVID-19 pandemic." https://en.wikipedia.org/wiki/IOS_version_history#iOS_16_/_i...


Every flagship iPhone since 2011 has gotten at least five years of both OS updates and security updates, with some newer devices (including the $399 iPhone SE) getting as many as seven years.

Even after official support completely ends, Apple tends to go back and issue patches for active exploits. The nine year old iPhone 5s just got another security update a couple of months ago.


> The iPod Touch Gen 7 lasted just under 3 years from release.

It was released May 2019, and it just received its latest security update (15.7.3) January 23, 2023. Presumably that is not the last security update for iOS 15.


That’s an important note— getting the latest iOS is nice, but Apple continues to patch the 3-4 most recent versions.

I’m not aware that Android gets anything like this, even in the era of Google Play Services.


Well, I use a web browser on the phone. Chrome et al. are still receiving updates for my phone, but I'm guessing they use some system components that are not receiving updates? So my main worry is something like an ad network loading an exploit. You don't need to be a high value target to get caught in an extremely wide net like that.

(Yes, I know: get a better ad blocker, etc. — I'd rather have fewer weak links, though, and a lack of basic OS updates is a pretty big weak link.)


Not really - Android has for many versions now been updating the embedded webview component via play services.


Huh, that's somewhat comforting, I guess. And all image codecs etc. are statically linked?


Many are. However, you'd still be vulnerable via API calls to other things, like Binder exploits.


A phone (or any kind of internet-connected computer) that's been completely unsupported for years will presumably be low-hanging fruit for even the cheapest and crustiest of exploit kits.


That is, to put nicely, forced-obsolescence FUD. They want to scare you away with words like "unsupported" so they can keep you on their leash.

With the state of software development today, I'd be more worried about how many other holes they've added in the process of fixing something or introducing unwanted new "features"[1].

Here's some interesting statistics to look at and compare...

https://www.cvedetails.com/product/462/Microsoft-Windows-98s... - 30 RCEs in 7 years

https://www.cvedetails.com/product/739/Microsoft-Windows-Xp.... - 276 RCEs in 20 years

https://www.cvedetails.com/product/32238/Microsoft-Windows-1... - 664 RCEs in 8 years

https://www.cvedetails.com/product/102217/Microsoft-Windows-... - 157 RCEs in 2 years

More relevantly:

https://www.cvedetails.com/version-list/1224/19997/1/Google-...

[1] https://news.ycombinator.com/item?id=28449607


Are you claiming that unpatched software is more secure than patched software?


He's claiming that, with the amount of features being added, for every security bug fixed in an update a bunch more are added.

However that ignores the fact that publicly known exploits are more dangerous for the average user than zerodays.


It ignores a whole lot more than that. For instance, are we seriously going to pretend that the threat landscape in the Windows 98 and XP eras was anything like what it is today?

Well, I'm not. If he wants to daily drive Windows 98 because it had fewer documented RCE vulns, godspeed to him---and he probably will be more secure, just by virtue of good ol' security through obscurity---but that is not a reasonable solution for 99.999howevermanyninesyouwant% of computer users today.


The threat was arguably exponentially worse during the XP era - Windows boxes with a huge default attack surface were directly connected with public facing IPs to a 32-bit IP space that could be trivially brute-forced by worms. There's a reason we haven't seen anything as bad as Blaster in the past decade: NAT.

The rate of finding exploits and what the definition of a vulnerability is are really what has changed - now the definition is much broader while at the same time, exploitability has dropped off due to mitigations in modern operating systems, compilers and CPUs. Overall, we get far more exploits, but far fewer of significance.


Yes, it was not my intention to imply that those old operating systems were fundamentally more secure in some way. You're getting at it here: the space has broadened, and asserting that old software is more secure than new software based solely on documented RCE counts is laughable.


Most code that interacts with the internet is updated via other mechanisms. For example, web browsers are kept up to date via Play Store: Firefox for Android, Chrome and even the embedded WebView are all updated there.



How was this quiet? This is usually published by Google and other web sites when security updates have ended on the Pixel phones. Given you're a HN user I assume you are fairly tech savvy and knew when you bought your phone it was only going to get security and system updates for 3 years.


I guess I haven't had any time to actively care about this stuff for the last 2.5 years (new parent). So when my phone tells me "Your device is up to date" with the reality in small text further down the page, apparently I am able to miss this.

Sure, I have to take some responsibility for poor digital hygiene or whatever, but I don't think that negates Google's awful management of this. I shouldn't _have_ to be vigilant/proactive to stay safe in something as basic as this.

Aside: Google spams me with all kinds of noise in notifications these days; couldn't they at very least put something in there saying "by the way, your device is now EOL; buy a new one"? Ockham's razor suggests to me that a _lot_ of people are running unsupported devices still, and Google doesn't want the collective backlash of putting that uncomfortable reality in people's faces.
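
A check the poster above could run instead of trusting the "Your device is up to date" banner, and which also makes the earlier point about third-party ROMs concrete (the Android system patch level and the vendor/firmware patch level are separate properties and can drift apart). This is an added example, not code from any comment in this thread. It parses the output of `adb shell getprop` (the `[key]: [value]` format) and of `adb shell dumpsys webviewupdate`; the property names `ro.build.version.security_patch` and `ro.vendor.build.security_patch` and the "Current WebView package" line format are assumed from Pixel builds, and both sample dumps below are constructed for the example.

```python
"""Report how stale an Android device's security patch levels are.

Added example. Run `adb shell getprop > props.txt` and
`adb shell dumpsys webviewupdate > webview.txt` on a device and feed those
files to the functions below; the inline samples are constructed, not captured.
"""
import re
from datetime import date

# Date the report is computed against (constant so the example is reproducible).
REPORT_DATE = date(2023, 3, 17)

# A device is flagged stale if its patch level is older than this many days.
STALE_AFTER_DAYS = 90

# getprop prints one `[key]: [value]` pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Properties carrying a YYYY-MM-DD security patch level (assumed names, as on
# Pixel builds). The vendor one only moves when vendor blobs / firmware are
# updated, which a third-party ROM cannot do on its own.
PATCH_PROPS = {
    "ro.build.version.security_patch": "Android OS (system) patch level",
    "ro.vendor.build.security_patch": "vendor/firmware patch level",
}

# Assumed line format from `dumpsys webviewupdate`.
WEBVIEW_RE = re.compile(
    r"Current WebView package \(name, version\): \((?P<pkg>[^,]+), (?P<ver>[^)]+)\)"
)

# Constructed sample: a third-party ROM build on a phone whose vendor
# firmware stopped at the November 2020 patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-03-05]
[ro.vendor.build.security_patch]: [2020-11-05]
[ro.product.device]: [walleye]
"""

SAMPLE_DUMPSYS = """\
Current WebView Implementation: com.google.android.webview
Current WebView package (name, version): (com.google.android.webview, 111.0.5563.58)
"""


def parse_getprop(text):
    """Parse getprop output into a {key: value} dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_age_days(level, today=REPORT_DATE):
    """Days from a YYYY-MM-DD patch level to `today`; None if missing/unparsable."""
    try:
        y, mo, d = (int(x) for x in level.split("-"))
        return (today - date(y, mo, d)).days
    except (ValueError, AttributeError):
        return None


def webview_version(dumpsys_text):
    """(package, version) of the active WebView, or None if the line is absent."""
    m = WEBVIEW_RE.search(dumpsys_text)
    return (m.group("pkg"), m.group("ver")) if m else None


def assess(props, today=REPORT_DATE, stale_after_days=STALE_AFTER_DAYS):
    """Return {label: (level, age_days, is_stale)} for each known patch property.

    A missing or unparsable level counts as stale: absence of the property is
    not evidence of being patched.
    """
    report = {}
    for key, label in PATCH_PROPS.items():
        level = props.get(key)
        age = patch_age_days(level, today)
        report[label] = (level, age, age is None or age > stale_after_days)
    return report


if __name__ == "__main__":
    for label, (level, age, stale) in assess(parse_getprop(SAMPLE_GETPROP)).items():
        status = "STALE" if stale else "ok"
        print(f"{label}: {level} ({age} days old) -> {status}")
    print("WebView:", webview_version(SAMPLE_DUMPSYS))
```

On the constructed sample the system patch level is 12 days old and reports ok, while the vendor/firmware level is 862 days old and is flagged, which is exactly the gap a ROM like LineageOS cannot close; the WebView line shows the browser engine is on its own update track, independent of either.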


I think it's "quiet" in the sense that they don't send a push notification to affected phones when they're about to go EOL, so you don't know it happens unless you go out of your way to check.


Or put the EOL in the final OS update for that phone, with a permanent status icon / notification warning that the device is EOL. It's not like they decide at their morning stand-up, "hey, Pixel 2 has been out for a while; anyone object to killing it off today?" There's plenty of time to roll that sort of thing out, however it works under the hood.



Using LineageOS on a Pixel 3. Zero complaints.


I have a Pixel 2 XL and LineageOS with MicroG on Android 13. If you're not interested in degoogling LineageOS plus gapps also works.


You could try to put Graphene on your phone. There is a version for your phone, but they are not updating it anymore. However I think that it is a good option for a more secure, private, operating system. https://grapheneos.org/faq#device-support


I hate to say it, but get an iPhone SE. 5 years of updates /from when the device was last sold in stores/. If you sideload any Android apps, you'll have to wait in the cold until the latest pixels are patched, and then get one of the a-models.


Pixel 6 and 7 are also guaranteed security updates for at least 5 years: https://support.google.com/pixelphone/answer/4457705


> Pixel 6 and later phones will get updates for at least 5 years from when the device first became available on the Google Store in the US.

That's not really the same thing as "updates for at least 5 years". The date the device first went on sale in the US isn't particularly relevant. They'll still sell it to you long after that, and then end support not long after it's out of warranty. That's what happened to mine.

The lessons I'm learning here (if I'm running a first party OS) are:

- Check very carefully how long different vendors actually support their devices. Google is pretty rubbish on this front, it turns out.

- Always buy the latest model when buying a new phone, even if it doesn't have anything I need, or I'll just have to "upgrade" twice as frequently instead.


And yet Google used Exynos for those designs. Somehow Samsung must have told project zero that they didn't need to release a fix - a project run by their customer for this SoC. But promptly after disclosure a fix appears. I guess it's good that they'll come out for five years, but it's probably worth a little bit of doubt on our part whether Samsung will actually deliver on that promise.


Oh my god is that why Apple has yet to put modems in their laptops? I could totally see Apple unable to compromise on support for a Qualcomm modem for something like 8 years.


Apple's designed Qualcomm out of next-generation iPhones (again) [1], only this time they've acquired the Intel/Infineon modem design team instead of buying the parts. So if Apple were to make a Macbook with a modem next year, it'd be their own.

[1] https://www.cnet.com/tech/mobile/iphone-se-4-reportedly-back...


Honestly, I think it's because they believe anyone with a macbook should have an iphone - their easy and transparent tethering works embarrassingly well.


That wasn't what they asked though.


Maybe, but they were looking for a phone that'll last a long time, and I hope my answer makes them reconsider. The Android OS-updates situation is seriously dire, and it seems very difficult for Google to fix.


>and I hope my answer makes them reconsider.

but.. their old phone is still operating fine, it isn't even affected by the Samsung modem exploit, and best-of-all the pixel 2 is well supported by many third-party Android roms.

Parent literally has one of the best supported older phones available for third party OS installation (which, incidentally, is what parent was asking about..)

so, in the interest of e-waste/recycling/keeping old things going I hope they reconsider the value of their already-owned hardware and how it may still continue to serve them.


Thanks. I'll probably be trying LineageOS. Wish me luck.


fwiw, third-party android roms are only part of the story. And, in an article about the baseband being compromised, I would hope people would take that into consideration.

>so, in the interest of e-waste/recycling/keeping old things going I hope they reconsider the value of their already-owned hardware and how it may still continue to serve them.

In the interest of security, both theirs and the people they communicate with, I hope they consider upgrading their device to something that has a very long lifespan of active security updates.


Thanks. I don't mind that you didn't address my question directly, because this is all relevant food for thought.

Every year I'm more disappointed by Google on pretty much every front. They really do seem to have jumped the shark.

If I do decide to upgrade...

Unfortunately I can't stand iOS. No kidding, I'd rather have a Nokia 5110. I've tried repeatedly, thinking "I'm just not used to it", but there's too much about the design philosophy that I find actively obnoxious. Strangely, I don't have this problem with macOS.

Maybe I can find another Android vendor with a better support policy, or if none of them are any good then just suck it up and buy the very newest of whatever to at least push the planned death of my device back a couple more years.

I'm getting a bit sick of this treadmill. I don't buy the defence some people offer that it's too much work to support the older devices. Having a security-only backports release series for old devices would be _trivial_ compared to the enormous piles of money Google sets on fire for shits and giggles on a daily basis. It's planned obsolescence, plain and simple.


> Unfortunately I can't stand iOS. No kidding, I'd rather have a Nokia 5110. I've tried repeatedly, thinking "I'm just not used to it", but there's too much about the design philosophy that I find actively obnoxious. Strangely, I don't have this problem with macOS.

That's how i feel with iOS and macOS, the whole design philosophy and UX feel alien to me, and makes me hate every actual issue I encounter even more.

> I'm getting a bit sick of this treadmill. I don't buy the defence some people offer that it's too much work to support the older devices. Having a security-only backports release series for old devices would be _trivial_ compared to the enormous piles of money Google sets on fire for shits and giggles on a daily basis. It's planned obsolescence, plain and simple.

From what I've understood, it's mostly the hardware components' vendors' fault - Qualcomm and co that provide the SoC and modem. It's their firmware which isn't kept up to date by the manufacturer (because it isn't easy to do so), thus phone lifecycle is inherently limited. There have been massive recent advances in that area though, with on one hand more vendors (MediaTek, Samsung) that could maybe be forced to compete and thus have to differentiate from one another, but also big changes to Android and the way updates are done, to keep firmware/driver/kernel updates as simple as possible to develop and roll out. We can see the effects with multiple Android vendors (e.g. Google, Samsung) now supporting phones for much longer. So hopefully soon things will improve.


They hated Jesus because he told them the truth



