Pixels before 6 series should not longer be maintained at all

grayway2

Google Pixels running GrapheneOS from 4 and 5 series should not longer get android security bulletins at all and be totally abandoned from the team. It gives a false feeling that the device is still secure while it's not and doesn't help people to get ride of them.

Google Pixels like the 6a are very affordable now so the cost is no longer an excuse.

It's time to move forward and focus on what is worth to be focus.

dlfantoma

grayway2 Are there any concrete examples of usable exploits for the older ones?

DeletedUser203

The last 20 GrapheneOS releases back to 2025012700, I could not be bothered to go back any further, are all Pixel6 and above.
Seems the 4 and 5 are not maintained but I agree any time spent on them could be time spent on the official supported devices.

grayway2

DeletedUser203 they are not maintained in the sense that GrapheneOS devs don't add new features but they still add AOSP patches to reduce harm. But even by doing this, the devices are missing very important security update from vendor (who do not support them, Pixel 5a last vendor security update in November) so they are not secure.

And yes, the time they spend on this can be used on current devices and improvements.

grayway2

dlfantoma CVE-2024-53150 and CVE-2024-53197

https://cybersecuritynews.com/cisa-warns-of-linux-usb-audio-driver-out-of-bounds-vulnerability/

CVE-2024-53150 : could be used as an AFU attack to get profiles credentials (was used by cellebrite)

Pixel 5a and lower are probably vulnerable.

de0u

dlfantoma Are there any concrete examples of usable exploits for the older ones?

At any given time it is likely that there are many vulnerabilities in EOL devices that are not announced and tracked. My impression is that Google does not publicly track vulnerabilities for EOL devices. So "absence of evidence is not evidence of absence" for EOL devices.

Meanwhile, a disclosure for in-support devices, like the one linked above, acts as a guide for people who want to break into EOL devices. Every 4-series and 5-series Pixel is less safe today than yesterday. Edit: Plus, probably, lots and lots of EOL Samsung, Sony, etc., devices.

de0u

grayway2 Thanks for the report! Fortunately many GrapheneOS users were protected by the standard USB-C port settings.