Real-world danger of not updating phone?

For example somebody can send a GIF image via iMessage on iOS 14.7 and take over the phone. No click required. https://www.hackread.com/nso-zero-click-imessage-exploit-hac...

https://en.wikipedia.org/wiki/Pegasus_(spyware) used this among other exploits. "Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype."

Reponsible nations should forbid to sell a phone without providing at least 7 years of updates. How that, we are living in free world? Obviously under environmental legislation, avoiding a lot of completely avoidable electronic waste. Some people break their phones much earlier, but far from all do.

Wouldn't that hinder technical progress? It might slightly slow down it. But looking at the current bloat of nonsense that a current Android phone contains, that would not be a bad thing. If you need more than 2GB of RAM for a phone to run smoothly it's just bad engineering.

To answer your question: This SailfishOS phone runs a 3.10 kernel. It was built only 2 months ago, but I would not bet my head it is really well-patched throughout. The browser is based on Firefox ESR 78. So although formally still maintained I'd not be surprised it contained unpatched known vulnerabilities. Nothing has happened to me ever, but I don't use this phone to do really sensitive stuff.

For a mainline Android phone the risk might be higher. What were the last big drive-by attacks not requiring user interaction?

> Many phones only get software updates for a small number of years, often three years or less.

True on Android. iPhone lifespan is longer at 5+ years.

For instance IOS 16 will not support handsets older than 2017, but IOS 15 will continue with security updates for some time after that (presumably 2-3 years). So somewhere around 8 years total device lifespan in terms of security support.

Nobody is really answering your question.

I suspect the people who could answer it aren't on HN, and probably don't have the technical ability or the vendor support to root cause the thousands of dollars of fraudulent transactions on their credit card. Banks likely just reverse the transaction and report it to the feds. Maybe there's a bunch of loans in a victim's name which they won't find out about until they go to buy a house in 5 years time. How would anyone even tie that back to an old phone?

Unfortunately, having your identity stolen isn't as simple as a notification which pops up saying "This literally just happened. Should have updated to Android 12".

In my case it's almost irrelevant because I don't have anything of real importance on my phone. I have an Android phone that does not have my gmail account on it. It does not have any enabled payment mechanism. It does not have access to sensitive documents. It has a few contacts on it, but that information is basically public anyway. I do not use it for 2FA. I do not have a password manager on it. It's just a throwaway device that is convenient for accessing the outside world without any identity built into the phone.

I realize that this means I forego many of the advantages of having a personal device, but that was a conscious choice I made a long time ago.

Apple issues security patches for previous versions of iOS as well, so you should be covered for the duration of usage of the phone (unless you use it for a very long time, say 8+ years?).

Never underestimate the maliciousness of bored teenagers.

For a time, Bluetooth vulnerabilities left unaddressed could be exploited by anybody with the training and sophistication enough to download a "prank" app from the Play store. Said app provided full access to the victim phone's filesystem.

Un-updated phones are unlocked doors, but with the internet the whole world walks through your neighborhood every night and knows you're on vacation (no risk associated with breaking in).

Edit: the flip side is that probably half your neighbors have their doors unlocked too.

I didn't update my iPhone for months and it completely bricked itself. Can't confirm they're related, but a barely 3 year old phone bricking itself so soon was odd.

Basically one morning all networks (Bluetooth, WiFi, LTE, 5G) all stopped working and I couldn't use them, a message saying I have to update the phone to use networks. Pretty genius to prevent me from downloading the update I need, but I tried to update through iTunes and it didn't fix anything.