When does an old iPhone become unsafe to use? (2024)

When does an old iPhone become unsafe to use? (intego.com)
106 points by akyuu 5 months ago | 124 comments

srvmshr 5 months ago | next [–]


For the author, he misses an important point: except sometimes (in rare cases) for a few core libs and functionality, the majority of zero-days and zero-clicks are based on new features and their integration into the current OS iteration. Software revisions beget new security events. Patching software bugs/loopholes is not like treating cancer - something that has existed always and keeps popping up. It is new software added to old stack and made to gel with it. That 'gluing' process churns up new security issues.

If the phone is physically okay and you depend on few core functionalities, then it is perfectly okay to keep using it for the majority of (non-critical) tasks. Most bugs in the system & features of old iOS are limited to that old OS anyway - and most likely addressed. If some advanced utilities are going to be involved, e.g. work communications, some security protocols, I'll perhaps work with a device which still gets critical updates at the least.

I have an iPhone 8 which I use just to FaceTime my MIL and receive her iMessages (I am on Pixels since 2019). I can't foresee an old, often-patched iOS with an older no-frills FaceTime version having major risks. For these tasks, I don't see it necessary to get a new iPhone.

da_chicken 5 months ago | parent | next [–]


> It is new software added to old stack and made to gel with it. That 'gluing' process churns up new security issues.

Perhaps I'm misunderstanding you, but this is not really correct. Most vulnerabilities are not regressions.

Attention is what makes security issues discoverable, and popularity is what makes exploits valuable, serious enough to warrant attention. The more popular software is, the more attention it gets from the security community (both black and white hat). The more popular software is, the higher the impact of an exploit is. The more popular the software is, the more significant the response is.

That doesn't mean older software is secure, or that it can't be exploited. It just means nobody is really looking at it. Fairly often, security alerts come up for software that don't list older releases because they didn't bother to check their EoL releases, not because they're unaffected.

Take the Print Spooler vulnerability on Windows, or the ShellShock exploit in bash, or the Apache Log4j 2.x vulnerability. These vulnerabilities are all so old that they essentially work on any version of the affected software, including those that are more than a decade old for which no fix was even planned. Like the ShellShock bug in bash was found to go back to bash 1.03 released in 1989.

As long as you have an earlier version of software that was later found to be vulnerable, you should assume that it is unless you've explicitly investigated the vulnerability and found otherwise.

Apocryphon 5 months ago | root | parent | next [–]


I guess the question then is: are there any attackers bothering to target that old software? We’re not in the era where there were millions of users living on unpatched or outdated versions of Windows XP anymore. Would malicious actors attack an iPhone 8?

Xylakant 5 months ago | root | parent | next [–]


> Would malicious actors attack an iPhone 8

It depends. The iPhone 8 might belong to someone they’re interested in for reasons as mundane as being a control freak and the iPhone belongs to their partner. Or just someone that annoyed them on the internet.

Or the attack might work across all device generations in the same way. Then no specific targeting would be required and the phone owner gets caught in the net like all other unpatched versions, except they never had a chance to fix the issue.

Atotalnoob 5 months ago | root | parent | prev | next [–]


Sweet summer child...

The military extensively uses older OS versions, which means they are very much targets.

The UK's new HMS Queen Elizabeth aircraft carrier uses Windows XP.

smcin 5 months ago | root | parent | next [–]


Huge difference to iPhones: they're not connected to the open internet for browsing, downloading files, receiving messages or email.

(The US Navy also has a support contract beyond end-of-life for XP versions, even still as of 2022, for a handful of their own programs on warships, because it's too much expense and delay of recertifying on new PCs. https://www.quora.com/Is-the-U-S-Navy-still-using-Windows-XP and other sources.)

hluska 5 months ago | root | parent | prev | next [–]


It’s interesting how such a wise comment can be completely ruined by your first sentence.

zdragnar 5 months ago | root | parent | next [–]


Why is that? The phrase and intended meaning (innocent, potentially to the point of being naive) is 200-ish years old.

It fits the sentiment perfectly. Developers who exclusively think in terms of commercial internet are prone to thinking that everyone uses up-to-date browsers, and therefore OSs.

The world is actually messier than that common misconception.

It fits rather well.

Apocryphon 5 months ago | root | parent | next [–]


Whatever the alleged origin of that quote is, its present identity has been dominated by the TV show, which isn’t even current anymore and ended so poorly that its cultural cachet has eroded. But mostly it’s condescending as hell and thus marks the user as someone who both traffics in cliches and enjoys patronizing others.

checkyoursudo 5 months ago | root | parent | next [–]


What TV show?

Kerb_ 5 months ago | root | parent | next [–]


Pretty sure it was referenced in Game of Thrones which introduced it to a whole new group of people, typically more online than the origins of the phrase, and popularized its use on Reddit/Twitter for being a hilarious and original way to condescend to people.

Apocryphon 5 months ago | root | parent | next [–]


> a hilarious and original way

Well, it was.

userbinator 5 months ago | root | parent | prev | next [–]


The military is very good at physical security.

superq 5 months ago | root | parent | prev | next [–]


A close relative has an iPhone 8, so, absolutely, I believe there are probably millions of them in the wild and they'd be child's play to compromise.

If you are in the business of compromising, why would you not?

theonemind 5 months ago | root | parent | next [–]


An iPhone 8 can run iOS 16, last updated Sept 21, 2023, less than a month ago: https://en.wikipedia.org/wiki/IOS_version_history & https://en.wikipedia.org/wiki/IPhone_8

I don't think Apple's patching every major security flaw on current - 1, but right at this moment, they're still able to run n - 1, which would probably put them roughly on par with the average on smartphone security, so I don't think it would be especially any more child's play than compromising an average phone, all things being equal (all things being equal, some people update, some don't; the iPhone 8 on the latest iOS 16 is probably better than a later model lagged 3 years on updates).

Although it's all downhill from here.

__d 5 months ago | root | parent | prev | next [–]


I run an iPhone 8. As of now, it's running iOS 16.7 (20H19).

I know it won't install iOS 17. So I figure I have about 12 months more of reasonable security updates. At this point, I'll likely get an iPhone SE 3rd generation to replace it.

LegitShady 5 months ago | root | parent | prev | next [–]


My work phone is an iPhone 8. Employer provided. Most likely to be replaced pretty soon.

prmoustache 5 months ago | root | parent | prev | next [–]


If you're an activist, journalist, politician or CEO, yes you could be targeted specifically.

blackoil 5 months ago | root | parent | next [–]


But 99.99% don't belong to this category, and don't really need the same level of caution.

thathndude 5 months ago | parent | prev | next [–]


Except that iMessage is a perpetual source of security concerns. Once that becomes unsupported, you’ll likely have exploitable code, where the exploit is publicly and widely known (but patched on newer versions).

olliej 5 months ago | root | parent | next [–]


iMessage is a "perpetual source of security concerns" because it is a remotely triggerable target. That's it.

If everyone is using message service X, then we'll start seeing more attacks on X.

The exploits we've seen over the last few years haven't been in iMessage the app, they've been in a host of different things. The most recent security brouhaha was apparently in the webp library[1] that also affected Chrome, WebKit, Firefox, every Electron app, and I assume every app on Android, iOS, macOS, that uses system image decoders, etc. But if you want a specific target then you aren't going to use something like a random webpage or phishing email if you have something that you can guarantee will go to only one device that you know is exploitable, and you can guarantee how it will be handled - i.e. the built-in system messaging apps.

[1] and even here the attack didn't happen from iMessage

superq 5 months ago | root | parent | next [–]


I don't know if you're specifically referring to X, the artist formerly known as Twitter, but regardless, no; iMessage runs with unique privileges and capabilities that are not available to ordinary messaging services.

dhritzkiv 5 months ago | root | parent | next [–]


Like the other comment pointed out, I understood 'X' to mean a stand-in for iMessage. It didn't occur to me that we were referring to FKA Twitter.

throwaway290 5 months ago | root | parent | prev | next [–]


X is a common variable/placeholder like A, N or foo. Nobody is using it to refer to x.com unless it is a thread about Musk/Twitter

olliej 5 months ago | root | parent | prev | next [–]


Sorry, I forgot the most recent Musk idiocy. X was a stand-in for any other functionally always-on and receiving service; messaging platforms are the primary example.

I'm actually now curious whether the various awful web notification standards allow images?

saagarjha 5 months ago | root | parent | prev | next [–]


No it doesn’t.

dangus 5 months ago | root | parent | prev | next [–]


The obvious workaround is to just disable iMessage and use an alternative messaging app that stays up to date on the App Store.

WirelessGigabit 5 months ago | root | parent | next [–]


That probably won't help. If the vulnerability is in the PNG renderer, then Signal is also vulnerable as they also show you a preview.

schiffern 5 months ago | root | parent | next [–]


If the vulnerability is within the PNG renderer, then wouldn't all text messaging (not just iMessage) be affected?

As I recall, the disclosures of major vulnerabilities in iMessage don't say that regular SMS messaging is affected.

olliej 5 months ago | root | parent | next [–]


I think all the reports just say "iMessage" and don't specifically note SMS vs iMessage specifically. It's entirely possible that there are carrier-side restrictions on allowed image formats, and of course these attackers don't want people to see their exploits and definitionally using SMS would allow just that.

But also, in answer to the question: yes, every messaging app on Mac or iOS that could display webp was susceptible to this exploit. If they use ImageIO then the OS update fixes them, if they use their own copy of libwebp they are exploitable until they ship an updated version.

chatmasta 5 months ago | root | parent | next [–]


For the recent WebP exploit, IIRC no preview render was even required to trigger it; simply receiving the message was sufficient. The exploit was triggered by a code path in Blastdoor that headlessly rendered the malicious WebP that was embedded within a Passkit attachment.

(But I can't find a source for this atm. I remember reading it somewhere, but maybe I'm confusing it with a previous Blastdoor exploit.)

GeekyBear 5 months ago | root | parent | next [–]


> For the recent WebP exploit, IIRC no preview render was even required to trigger it; simply receiving the message was sufficient.

It was triggered because the system shows a preview of the image by default.

Devices that had Lockdown Mode enabled no longer show preview images, so were not affected.

> Lockdown Mode is an extreme protection feature for iPhone. Its protections include safer wireless connectivity defaults, media handling, media sharing defaults, sandboxing, and network security optimizations.

https://support.apple.com/guide/iphone/use-lockdown-mode-iph...

> On September 7, 2023, Apple released emergency security updates to fix a buffer overflow vulnerability (CVE-2023-41064) impacting macOS, iOS, iPadOS, and watchOS products that was used in a zero-click exploitation chain by the NSO Group. Shortly after, on September 11, 2023, Google released an update to fix a buffer overflow vulnerability (CVE-2023-4863) in Google Chrome, which was reported by Apple’s Security Engineering and Architecture (SEAR) and Citizen Lab. Both vulnerabilities were nearly identical and listed as actively exploited, leading to confusion across the security community.

Note: Citizen Lab urges all at-risk users to enable Lockdown mode as this has been confirmed by Apple’s Security Engineering and Architecture team that Lockdown Mode blocks this particular attack.

https://arcticwolf.com/resources/blog/cve-2023-4863/

olliej 5 months ago | root | parent | prev | next [–]


The attack was apparently via PassKit - a separate process entirely, because messages is explicitly hardened (the whole "blastdoor" (tm) thing is to deal with that). I'm not sure what the actual PassKit APIs look like but in principle any app that would take an attacker provided image and send that to whatever process handles those PassKit things would get the second order part of the attack. But of course some attacker trying to, for example, extract the messages from Signal or suchlike could start from code execution in the Signal process.

helsinkiandrew 5 months ago | parent | prev | next [–]


> I have an iPhone 8 which I use just to FaceTime my MIL and receive her iMessages

You have an iPhone just to communicate with your MIL? You're surely the DIL or SIL of the year!

dangus 5 months ago | parent | prev | next [–]


I’m not sure if your MIL is technical enough to do this, but you can receive FaceTime calls on the web now: https://support.apple.com/en-us/HT212619

duxup 5 months ago | parent | prev | next [–]


I’m amazed how well my wife’s old 8 plus has held up.

Was one of the reasons I switched.

bradfa 5 months ago | prev | next [–]


It depends.

For me, I consider any phone which holds very important access to data critical to my life (my email, texts, signed in apps which can spend my money, etc) to be unsafe to use once there's an update available for supported iPhones where the CVE it fixes is severe enough to allow remote access through normal use of the phone.

I just bought a new iPhone SE 3rd gen partly because of the above as I see it coming soon, but also because the battery in my iPhone 8 was getting very sad. Paying for a battery replacement for a potentially-no-longer-officially-supported phone was not going to be a wise investment for me.

My school-aged daughter still has her iPhone 8 and it's as up to date as can be with latest iOS 16 update. But she isn't signed into any email app and doesn't have any banking ability on her phone. Sure, if it gets compromised it could be a vector into my home network or be used to spy on her or impersonate her, all of those would be bad, but it's less bad than if my phone was compromised. These risks are low enough currently that we're not pressed to get her a new phone, yet, but probably will later this year if Apple doesn't issue any further updates to iOS 16.

ghaff 5 months ago | parent | next [–]


That seems a pretty good summary. I wouldn't use a phone as my daily driver with banking apps etc. if it were out of support, but as a spare phone or something to be used primarily for specific purposes like a GPS? Sure.

Per another comment, a badly swollen battery is a physical safety issue and at that point, the battery should either be replaced or the phone recycled.

In general, I also agree with the article that buying older refurb models isn't clearly good economy. There are advantages to having a not too old backup phone around. Indeed, I'm using my old iPhone X at the moment after my newer phone broke.

bradfa 5 months ago | root | parent | next [–]


The refurb market seems like a crap shoot still. I tried to buy an "excellent" rated refurb iPhone SE from backmarket.com 2 weeks ago but returned it for a refund because the physical quality of the phone was VERY clearly NOT excellent (maybe I would rate it "fair" at best).

I've personally had good luck buying refurb phones direct from Apple. The discount isn't as good as 3rd parties, but they've all arrived with 0 defects and new batteries. I even got to exercise the warranty on a directly purchased from Apple refurb phone once, it was easy at an Apple store (about 30 minute drive from my house).

ghaff 5 months ago | root | parent | next [–]


Manufacturers in general seem to be a safer source for refurb gear even if you're not going to get a "killer deal." However, I still personally tend to question the economy of buying something that has two or three years shorter support life out of the gate--unless you routinely trade-in anyway and then you have to run the numbers on the trade-in value.

dudefeliciano 5 months ago | root | parent | next [–]


> the economy of buying something that has two or three years shorter support life

Unfortunately there are no other options in that form factor. The closest would be the iPhone 13 mini, which has an even earlier release date than the iPhone SE 3rd gen.

superq 5 months ago | parent | prev | next [–]


Are you also comfortable with camera and mic being enabled and streaming to remote servers? Old iPhones don't even have the theoretical protection of a "hardware" LED to show when those are enabled.

ikekkdcjkfke 5 months ago | root | parent | next [–]


iOS 16 is unable to know when it used the mic on older devices?

specialist 5 months ago | parent | prev | next [–]


> I consider any [old] phone which holds very important access to data critical to my life ... to be unsafe

True. And a good reminder (nudge) to change my old devices to a separate iCloud account. Thanks.

blub 5 months ago | parent | prev | next [–]


A lot of remote vulnerabilities are in iMessage which she’d use heavily I imagine. Other messengers aren’t necessarily safer.

You should get her a new phone. The risk for her isn’t banking, it’s getting spied on by some creep. IMO that could be a lot worse than getting your online banking hacked…

TestingTest5 5 months ago | parent | prev | next [–]


Maybe you've already done this: put her device on a guest network to isolate it from others in your home.

tgsovlerkhgsel 5 months ago | prev | next [–]


Not sure if it's worse on iPhone (because successfully targeting one specific model means a huge user base to hit), but I've been consistently surprised with how old Android devices survive usage long after updates have expired without large-scale compromise.

It shouldn't work. Based on historical precedent from PCs, all of these phones should be full of the most blatant, obvious, ad-injecting/ransomwaring/account-stealing malware that simply cannot be ignored. And yet, in practice, most users are using ancient Android devices just fine.

Obviously you can't do that if you expect to be specifically targeted (either by governments or criminals), but the baffling fact is that an average user can apparently get away with it in practice.

faeriechangling 5 months ago | parent | next [–]


Cybersecurity is akin to home security. Most people will get an alarm at most, and otherwise have a house which is totally unprepared to defend them against a special forces hit squad. Few people here have seriously considered how they will stop a gang of a dozen bloodthirsty criminals from kidnapping them and forcing them to reveal their credentials even if they've thought about post-quantum cryptography. Yet this all works out because they can easily hide in the crowd, and there are plenty of other societal institutions which generally deter home invaders.

The problem with cybersecurity is with companies that hoard a great number of people's personal information or who have a great amount of privileged access and then decide to care about security.

phatskat 5 months ago | parent | prev | next [–]


There was an article here just the other day talking about how a mass of older Android devices spanning many different sectors (phones, TVs, Chromebooks, etc) had been found to have malware that was installed between the refurb/shipping and delivery to retailers. These older devices also wound up in schools. So it absolutely is happening.

toastal 5 months ago | prev | next [–]


Security is the reason I get mad about bank apps detecting custom ROMs on Android. Support is usually shorter, but LineageOS can keep OS and software securities rolling past the manufacturer's date. There aren’t custom ROMs in the Apple sphere tho since it’s all proprietary.

PaulCarrack 5 months ago | parent | next [–]


> but LineageOS can keep OS and software securities rolling past the manufacturer's date.

It's unfortunately a false sense of security because you don't get security updates for any proprietary blobs that are needed for your phone. This includes baseband and SoC updates. In security, the chain is only as strong as its weakest link.

KennyBlanken 5 months ago | root | parent | next [–]


It's also a false sense of security because community ROMs are maintained by a small group of (often) entirely anonymous people with nearly zero repercussions if they put something in that they shouldn't.

toastal 5 months ago | root | parent | next [–]


Implying manufacturers aren’t putting stuff in their ROMs they shouldn’t? At least these custom ROMs are built & maintained in the open.

phatskat 5 months ago | root | parent | next [–]


No, I think the implication is that if a major manufacturer lets something Bad™ slip in, they can be held liable. xXFoneBoi93 could slip in a root kit and the custom ROM they contribute to probably wouldn’t be held accountable in any meaningful way.

That’s how I read it at least

hurutparittya 5 months ago | root | parent | next [–]


Held liable, as in getting a fine that's 0.3% of their yearly revenue?

phatskat 5 months ago | root | parent | next [–]


Well sure, that’s a completely different discussion though.

highwaylights 5 months ago | parent | prev | next [–]


LineageOS probably isn’t a great example. It uses black box firmware blobs that don’t receive updates and essentially just makes the latest Android work with those.

It’s certainly better than just running an old Android on an unsupported device, but there are still large parts of the system that can be subject to critical vulnerabilities that can never be patched.

toastal 5 months ago | root | parent | next [–]


Compared to many alternatives, it is better. The devices with longer support don’t have the basic features I need like a headphone jack & too many things require a mobile device to function anymore, like Signal which doesn’t work without an Android/iOS primary device.

fsflover 5 months ago | root | parent | next [–]


My Librem 5 with lifetime support has all that. Signal can run with Waydroid.

toastal 5 months ago | root | parent | prev | next [–]


By coincidence I had to get an old device running last night because my current device is broken. I was able to flash 2023-09-05 Android security updates atop a 2014 phone whose last firmware update was 2016-09-01. Is the device not safe? To some extent yes, but I was able to keep an old emergency device running with security patches from last month which is better than having to buy a new temporary device or being stuck on the matching official 2016 ROM.

amarshall 5 months ago | prev | next [–]


> And with iOS 17 to be released in just a few months, Apple will be dropping the iPhone 8, iPhone X, and iPhone XS from the compatibility list.

This is false, iPhone XS is supported on iOS 17.

jdechko 5 months ago | parent | next [–]


Yeah. I came here to post this. It’s funny that the article lists the XR as compatible when the XS and XR were released at the same time (A12 Bionic SoC).

pil0u 5 months ago | prev | next [–]


I typically belong to the bucket of users who have a working iPhone that does not support the latest major iOS release (iPhone 7), but still get Apple's security updates.

The author states that security updates on earlier iOS versions give a false sense of security.

Is that true? What is Apple's incentive to maintain old iOS versions, but only partially?

Joeri 5 months ago | parent | next [–]


Apple does not backport all security fixes and they never have, and what they do backport they do on a delayed schedule. It's not clear whether they have an actual policy that determines what gets backported or whether it's just a judgment call, but the consequence is that indeed on any Apple device the most secure OS is the current OS.

They will however backport fixes for particularly egregious security issues quite far. For example, iOS 12 got a fix for a web-based remote code execution attack in the beginning of this year, despite at that point being over 4 years old and 4 major releases older than the current iOS.

superq 5 months ago | root | parent | next [–]


They will backport fixes for SOME issues for SOME phones. The further back you go, the more likely you will be ignored. I do have some sympathy for Apple on the difficulty of supporting old phones etc, but let's be realistic, too:

1. They leave you with a strong impression that all phones and all iOS versions are kept safe by dribbling out a few fixes from time to time for older devices. That's probably worse than on Android, because you think it's safe, but it's not.

2. The whole point of getting your hardware and software from the same place was precisely because then you knew they had a limited number of things they had to support, so it'd work better. If they have too many things to support, then maybe that argument starts to fall apart.

thevagrant 5 months ago | root | parent | next [–]


I can't agree at all. At least Apple patch some issues on older unsupported devices. It is likely they have some reasons for choosing what to patch and when, e.g. risk assessment, knowledge of what exploits are occurring etc. They have teams constantly working at this.

Android on the other hand has a lot of devices with no patches at all. Pot luck and pray that Google saves the negligent manufacturers via play store patching.

If someone has to choose between the two (using an outdated phone), it's sensible to stick with Apple.

I myself use Android and still recognize what Apple does right.

starbugs 5 months ago | parent | prev | next [–]


> The author states that security updates on earlier iOS versions give a false sense of security.

The author links to this article which provides more detail:

https://www.intego.com/mac-security-blog/apples-poor-patchin...

I wouldn't take everything that's written in a random tech article for granted. Fear-inducing titles generate more clicks. As soon as you do something in this world, there's a risk. Even if you do nothing, there's a risk. Nobody will be able to be completely safe using any device under the sun. And if a tech company tries to make you believe otherwise, run.

bell-cot 5 months ago | parent | prev | next [–]


> What is Apple's incentive to maintain old iOS versions, but only partially?

Um...how about encouraging those who can to purchase a $Nice $New $Apple $Product, while not suffering too much bad PR over the security holes in old-but-still-perfectly-functional hardware?

lowercased 5 months ago | prev | next [–]


Physically unsafe? Security unsafe?

And 'use' in what sense? Day to day main device with security credentials, financial/banking apps, etc? Connecting to corporate/VPN resources?

For professional and important personal use, I probably wouldn't use anything not 'officially supported'. When my banking apps won't install/update, that's probably the time. But I just re-used an old wiped iPhone 5s a few weeks ago to browse some news sites. No issues, other than it felt less snappy than current devices. But it's not tied to any other part of my life at this point (Apple ID, bank, medical, etc).

resfirestar 5 months ago | prev | next [–]


> today’s nation-state attacker’s vulnerability could become part of tomorrow’s everyday cybercriminal’s arsenal

While theoretically true, I can't find recent examples of this happening with zero-click exploits on iOS or Android. Without evidence of this being a common infection vector it's not, in my opinion, enough reason to encourage people to get rid of a working phone just because the security backports might be a bit lacking.

The more important security reason to keep up with the latest OS version is the sandboxing improvements that iOS and Android make with each update. If you assume the device will be compromised with a malicious app at some point, you want to have more protections against the malware stealing data from other apps. This is (for now) a bigger deal on Android, where malware routinely makes it into the official app store and malicious APKs are floating around all over the place. But it's worth considering on iOS too, especially if you run a lot of apps from companies that hate privacy or if iOS later allows some form of sideloading.

superq 5 months ago | parent | next [–]


> While theoretically true, I can't find recent examples of this happening with zero-click exploits on iOS or Android.

Mostly iOS. And how would you even know? There have been some large cryptocurrency thefts recently.

fh9302 5 months ago | root | parent | next [–]


Can you link to some evidence that these cryptocurrency thefts are related to zero-click attacks on iOS?

The LastPass breach resulted in theft: https://www.theverge.com/2023/9/7/23862658/lastpass-security...

walterbell 5 months ago | parent | prev | next [–]


> I can't find recent examples of this happening

Before or after a public exploit is posted alongside CVE+patch?

resfirestar 5 months ago | root | parent | next [–]


I’m mostly talking about after, but it would be even more interesting if there are examples of high value mobile exploits being used as 0-days by more common cybercriminals as opposed to government backed spyware firms.

saagarjha 5 months ago | parent | prev | next [–]


Advanced cybercriminals occasionally do this on Android at least.

walterbell 5 months ago | prev | next [–]


Any iOS device backup, including older ones, can be scanned for IOCs (Indicators of Compromise) for patched CVEs. If you own a macOS device, your iOS device can be hardened via the free Apple Configurator app for local MDM policy, e.g. disable AirDrop, whitelist WiFi without auto-join, disallow USB devices when locked. If the device is compromised, it can be restored after backup, erase, DFU and iOS reinstall.

Mobile Verification Toolkit, https://docs.mvt.re/en/latest/ios/methodology/

Forensic howto, https://www.amnesty.org/en/latest/research/2021/07/forensic-...

IOCs: https://github.com/citizenlab/malware-indicators

IOC tools and sources: https://github.com/sroberts/awesome-iocs

Device Firmware Upgrade (DFU), https://www.theiphonewiki.com/wiki/DFU_Mode

For small business, Apple offers MDM for $3/device/month, https://www.apple.com/newsroom/2022/03/apple-business-essent... . It's unfortunate that iOS MDM solutions are not allowed to scan device filesystems for public IOCs.

As mitigation for old and new devices alike, frequently rebooting an iOS device will remove a large class of non-persistent malware. If battery life or performance are suddenly reduced, and can be restored to normal by an iOS reboot, a potential cause is non-persistent malware. Use the "Force Restart" key sequence, https://support.apple.com/guide/iphone/force-restart-iphone-...

Is there an iOS VPN solution which can (opt-in) monitor network or DNS traffic for threats or connections to known C&C servers?
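The IOC scan described in the comment above, reduced to its matching step, as an added example that is not part of the thread and is not MVT's own code. It assumes indicators arrive as a STIX2-style bundle with single-comparison patterns; the bundle, the domains, the process name and the backup records below are all constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2-style bundle: every domain and process name here is made up.
SAMPLE_STIX2 = json.dumps({"type": "bundle", "objects": [
    {"type": "malware", "name": "ExampleSpyware"},
    {"type": "indicator", "pattern": "[domain-name:value='c2.example.net']"},
    {"type": "indicator", "pattern": "[domain-name:value='Tracker.Example.org']"},
    {"type": "indicator", "pattern": "[process:name='examplehelperd']"},
]})

# Constructed records standing in for data already parsed out of a backup.
SAMPLE_RECORDS = [
    {"source": "safari_history", "url": "https://www.apple.com/iphone/"},
    {"source": "safari_history", "url": "https://cdn.c2.example.net:8443/a?b=1"},
    {"source": "safari_history", "url": "https://notc2.example.net/"},
    {"source": "sms_links", "url": "http://TRACKER.example.org./x"},
    {"source": "process_list", "process": "examplehelperd"},
    {"source": "process_list", "process": "SpringBoard"},
]

# One comparison per pattern: [object-type:property = 'value']
PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\s*\]$")


def load_indicators(stix_text):
    """Collect domain and process-name indicators from a bundle."""
    iocs = {"domains": set(), "processes": set()}
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            continue  # compound (AND/OR) patterns are out of scope here
        key = (m.group(1), m.group(2))
        if key == ("domain-name", "value"):
            # Normalise case and a trailing root dot so comparisons are exact.
            iocs["domains"].add(m.group(3).lower().rstrip("."))
        elif key == ("process", "name"):
            iocs["processes"].add(m.group(3))
    return iocs


def match_domain(host, ioc_domains):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = (host or "").lower().rstrip(".").split(".")
    # Compare on label boundaries so "notc2.example.net" does not match
    # "c2.example.net"; the bare TLD is never tested.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan(records, iocs):
    """Return (source, kind, indicator, observed) for every record that matches."""
    hits = []
    for rec in records:
        if "url" in rec:
            matched = match_domain(urlsplit(rec["url"]).hostname, iocs["domains"])
            if matched:
                hits.append((rec["source"], "domain", matched, rec["url"]))
        elif rec.get("process") in iocs["processes"]:
            hits.append((rec["source"], "process", rec["process"], rec["process"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2)):
        print(hit)
```

A hit only says that a record matches a published indicator; an empty result says nothing about implants for which no indicator has been published.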

saagarjha 5 months ago | parent | next [–]


A savvy attacker is going to make sure they don’t leave traces on the device that they exploited it.

walterbell 5 months ago | root | parent | next [–]


This thread is about vulnerability of older iOS versions to attacks which have been patched in newer iOS versions. Many such attacks have been found by Citizen Lab forensic investigations of political targets. The repo above contains 5 years of IOCs (traces) + forensic reports. Some IOCs can be used with MVT:

Mobile Verification Toolkit (MVT) is a tool to facilitate the consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise. It has been developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

> they don’t leave traces on the device that they exploited

Some very expensive zero-day attacks, patched by Apple, DID leave traces/IOCs.

Some older iOS devices (e.g. iPhone 7) can be jailbroken with checkra1n due to an unpatchable bootrom bug, i.e. they are better for forensic analysis than a newer device.

saagarjha 5 months ago | root | parent | next [–]


Those were the ones that were found. If you were developing exploits today, why would you leave traces that an open source tool can detect?

walterbell 5 months ago | root | parent | next [–]


A recent one was found by Citizen Lab and patched by Apple in Sept 2023. IOCs are separate from the OSS tool. It takes time to work backwards from spyware to an IOC definition. IOC doesn't exist at the time of exploit development. Researchers choose when to make an IOC publicly available.

saagarjha 5 months ago | root | parent | next [–]


I understand how an IOC works. If they make them public then they are available to exploit developers, who can change their implants to erase them.

walterbell 5 months ago | root | parent | next [–]


Security cats and mice are in constant motion.

Static artifacts (exploits, patches, IOCs, C&C servers) still have value.

New cats/mice with old devices can learn from years of historical public artifacts.

gigel82 5 months ago | prev | next [–]


Don't know man, I like my iPhone XS and see no reason to "upgrade"; I'd pay more for a new iPhone than I did for my first car.

duffyjp 5 months ago | parent | next [–]


The only reason I buy nicer phones is for the camera. My kids are getting older and I'm not taking 100 photos a day anymore so when my iPhone 12 Pro is retired I'll likely get whatever iPhone SE is current and call it a day. Hopefully by then they'll have FaceID and a full coverage screen like every other iPhone. But hopefully no dynamic island. I can't stand that gimmick.

My folks both have an SE (a 2 and a 3), and the photos are much better than you'd expect for a $400 phone. I've used them and they're plenty fast, it's really only the tiny screen that would give me pause.

If ~$400 can get you 5-6 years out of a phone that's a steal.

olliej 5 months ago | root | parent | next [–]


The camera is the thing that had me wanting the updates for a number of years, the year to year improvements were significant for all phones, but I feel we've had 5+ years of the high end phone cameras being basically "good enough" and so now that the year to year improvements just aren't worth it.

I'm sure that's not true for professional photographers, but I assume that they use real cameras when the photo quality actually matters anyway?

starbugs 5 months ago | prev | next [–]


Yes. Unmaintained proprietary OS software is a manifestation of the paperclip maximizer. Maybe we'll soon be able to pave the whole planet with "unsupported" hardware (which actually works perfectly fine).

pxmpxm 5 months ago | parent | next [–]


Cargo-culting CVE bros tell me I need to throw it away if it hasn't been updated in a week.

After all, the sole purpose of every piece of hardware is to apply patches to it.

organsnyder 5 months ago | root | parent | next [–]


> Cargo-culting CVE bros

What does this even mean? I feel like you're cargo-culting the term "cargo-culting".

userbinator 5 months ago | root | parent | next [–]


Those who have been totally brainwashed by the corporate-paranoia establishment and can't think for themselves.

starbugs 5 months ago | root | parent | prev | next [–]


It's for your safety.

Cyberdild*nics 5 months ago | parent | prev | next [–]


The question was: When does an old iPhone become unsafe to use?

What are you answering "Yes." to here?

lowkeyokay 5 months ago | parent | prev | next [–]


As pavement?

starbugs 5 months ago | root | parent | next [–]


Well, "unsupported pavement" to be accurate.

dtx1 5 months ago | prev | next [–]


> When does an old iPhone become unsafe to use?

When the Battery inside it becomes a spicy pillow shaped IED.

easton 5 months ago | parent | next [–]


I feel like millions of dollars of R&D should mean it’s no longer Improvised ;)

dtx1 5 months ago | root | parent | next [–]


Arguably Galaxy Note 7 was a case of Accidentally Explosive Device with millions of dollars of R&D.

olliej 5 months ago | parent | prev | next [–]


I get that you're joking, but from the headline I assumed that they did mean physically unsafe - we all know lithium batteries have not 100% ideal failure modes, and I'm sure there are people on HN who remember the swelling laptop debacle of a few years (a decade?) back.

Disappointed that the article is actually about security, and then makes a bunch of trivially falsifiable claims, but then also it says the best time to buy an iPhone is when they're brand new and just released to maximize update range. I'm really just not sure what the point of the article actually is? Yes a just released phone is going to be getting updates further in the future than one released a year ago, but that's true for literally everything iOS, android, hell, I can't get a replacement for the bowl in my rice cooker but I can for the next model.

bell-cot 5 months ago | parent | prev | next [–]


Quite true...though "thermal runaway fire hazard" would be the correct descriptive. (Outside of old car batteries building up hydrogen gas, "explode" is a miserably over-hyped word for dangerous non-electrical battery failures.)

OTOH - if (say) you're keeping an old phone for "emergency use only", then it's unsafe when the battery or electronics get too flaky to be relied upon for that.

treespace8 5 months ago | parent | prev | next [–]


Is there a time limit? I'm still using the original iPod touch as a white noise machine.

flashback2199 5 months ago | root | parent | next [–]


Some cells never get puffy. Not sure why.

dangus 5 months ago | prev | next [–]


I don’t agree with the article’s suggestion to get a current iPhone SE if you’re on a budget.

Apple charges $429 for it at minimum, and that to me is a ripoff considering that you can go all the way back to the iPhone 13 and get the same SoC with a much better overall phone rather than having a decade-old design.

If you just want an iPhone that is supported by Apple, the best value option is probably to go with a used iPhone 12 (under $300) or a 13, for about the same price as the SE.

Even if your 12/13 has an older battery, the SE has poor battery life to begin with.

iOS 17 is supported on phones going back to the XS, which is 2 years older than the 12. So if you buy a 12 now and sell it in 2 years, you’d expect to lose a bit less than $100 on those transactions. Basically you’d spend $50 a year to have a supported phone assuming that Apple never lengthens their support window further (which I think is unlikely now that they are starting a trend of the non-Pro iPhone using the previous lithography with two model years in a row using the same processor).

But also, a whole bunch of cheap MVNO cellular carriers will just give you an old but supported iPhone for free (e.g., Metro by T-Mobile gives you an iPhone 11 for free at present). Presumably you could just shop phone carriers every couple of years and find one that’s willing to kick a less-old iPhone your way for nothing.

On the high end, you can always find a US postpaid phone company willing to essentially subsidize phone depreciation with their trade-in deals. If you are in a large family and/or have high usage requirements like tethering, postpaid with bill credits is the way to go. You basically get a free iPhone Pro device every 3 years.

turtlebits 5 months ago | parent | next [–]


You can get a prepaid carrier-locked iPhone SE 3rd gen (w/ an A15) for $150, which you can get unlocked after a year (or 60 days, depending).

Apocryphon 5 months ago | parent | prev | next [–]


What if you simply want the 4.7" form factor?

user3939382 5 months ago | root | parent | next [–]


I still like the size and shape of my 4S. It was easy to use the whole screen with one hand. If they offered it again I'd buy it in a second.

dangus 5 months ago | root | parent | prev | next [–]


Fine, replace what I said with the 12 or 13 mini. They’re both better phones than the SE.

tom_ 5 months ago | root | parent | prev | next [–]


The iPhone 12 Mini could be an option.

jeffbee 5 months ago | root | parent | next [–]


The 12 Mini does not have the same ergonomic factors. The screen is larger, and there are UI elements (further) out of reach of one-thumbed users.

Apocryphon 5 months ago | root | parent | prev | next [–]


While I admire those who stick to the first-gen 2016 iPhone SE, of which the 12 Mini is its successor, I stand by the iPhone 6, the first larger phone of its kind. Everything else is a phablet, imo

dangus 5 months ago | root | parent | next [–]


The 12 mini is not a successor to the original SE in neither concept nor positioning.

The idea of the original SE was to reuse an old form factor and old production line to make a bottom tier low cost phone with newer internals.

The iPhone 12 mini was a new design that made no compromises compared to its larger iPhone 12 cousin. Exact same hardware, camera, screen tech, etc, just a smaller size battery.

I strongly disagree that “everything else is a phablet.” After shrinking some bezels the current iPhone lineup is very similar size to the iPhone 6/6S/7/8.

The iPhone 15 is 5.81 x 2.82 x 0.31 inches

The iPhone 6S is 5.44 x 2.64 x 0.28 in

I realize that fractions of an inch make a big difference on mobile devices but that’s still not a whole lot of change. Under 10mm of additional height and under 6mm of extra width.

Apocryphon 5 months ago | root | parent | next [–]


Alright fair regarding the minimal bezel post-iPhone X design not actually being phablet-sized. But also I want Touch ID, and no notch, so there you have it.

> The 12 mini is not a successor to the original SE in neither concept nor positioning.

They’re the most similar in terms of size.

HALtheWise 5 months ago | prev | next [–]


The article is suspiciously lacking in actual concrete examples. I'm not an expert here, but I can't actually think of a single historical example of a hack that was targeted at "normal people" and also relied on unpatched vulnerabilities in old iPhones. Those sort of attacks happen all the time for desktops/routers/etc resulting in worms and botnets, but my suspicion is that the number of old iPhones mostly makes them not worth developing and deploying exploits for, much like how Linux has less malware than Windows.

If anyone has a counterexample (software virus, for iPhone, reliant on vulnerabilities that were patched in the latest iOS at the time the exploit was in use, ideally not by a nation state) I'd definitely be interested to hear about it.

userbinator 5 months ago | prev | next [–]


Ironic that this site shows only a blank page asking me to "Enable JavaScript and cookies to continue", when the former is how 99% of browser exploits can work (and even those rare few which don't fundamentally require it will normally be wrapped in JS just for obfuscation.)

bigbillheck 5 months ago | prev | next [–]


Until I or my loved ones start getting targeted by exploits I've got better things to do with my money than buy a new phone every couple years, and will continue to enjoy my iPhone 6.

surlyville 5 months ago | parent | next [–]


Exactly. Family of iPhone 6-8 here too running iOS 14.7.1-16.7. Spent $100 on a new battery.

Simulacra 5 months ago | prev | next [–]


Core functionality should work forever as long as it powers up.

fsflover 5 months ago | parent | next [–]


You mean, technically it can access the Internet, but when you go online, you can be easily owned and join a botnet?

__turbobrew__ 5 months ago | prev | next [–]


When the Mossad targets you

andrewdubinsky 5 months ago | prev | next [–]


> When does an old iPhone become unsafe to use?

As soon as the new model is released ;)

cramjabsyn 5 months ago | prev | next [–]


Apple provides security updates not only for the latest iOS; several past versions (and the phones which can't upgrade from them) still get updates with security fixes.

sosodev 5 months ago | parent | next [–]


The author addresses this and claims that it isn't good enough because they sometimes don't back-port fixes or don't back-port them fast enough.

PeterStuer 5 months ago | prev | next [–]


Thought this was going to be about old unreplaceable batteries eventually catching fire.

TMWNN 5 months ago | prev | next [–]


The 2013 iPhone 5S received an OS update, 12.5.7, in January 2023!

Yes, yes, I know that the article discusses how older OS versions don't necessarily get all of the security fixes as the current ones but, still, that's impressive.

pipeline_peak 5 months ago | prev | next [–]


TLDR when Apple stops releasing updates to fix security issues

When does an old iPhone become unsafe to use? (124)

> When does an old iPhone become unsafe to use?

Let me fix the question:

"When does a phone become unsafe to use?"

The answer is "immediately".

Author: Margart Wisoky
