Vulnerabilities of EOL Pixels

Tiktaka

Hello everyone, I was curious about the EOL Pixel devices (those without any security updates).

I couldn't find any info online to better understand the vulnerabilities and safety.

For example, if I have Pixel 3 that's always offline, is it safe to use or can the offline mode be hacked?

What if I use only one profile online, and other profiles are being used offline (airplane mode) and encrypted with a password can they somehow be hacked from the other separate online profile?

Are they even safe to turn on?

What if someone has physical access to my Pixel 3, can he bypass the encryption of the password? Would you recommend deleting the profiles and everything sensitive?

userofgos

Tiktaka For example, if I have Pixel 3 that's always offline, is it safe to use or can the offline mode be hacked?

You can no longer install GrapheneOS on Pixel 3, even if you could and even if you used it offline, it is not a secure device.

Tiktaka What if someone has physical access to my Pixel 3, can he bypass the encryption of the password? Would you recommend deleting the profiles and everything sensitive?

It will not protect you from the plethora of vulnerabilities that have been discovered since it was deemed end of life.

userofgos

Tiktaka https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

de0u

Tiktaka For example, if I have Pixel 3 that's always offline, is it safe to use or can the offline mode be hacked?

If no radios are ever turned on (not cellular, not Wi-Fi, not Bluetooth, not NFC) and nothing is ever plugged into the USB-C port, that is probably fairly safe, though it is possible for there to be vulnerabilities in wireless charging.

Tiktaka What if I use only one profile online, and other profiles are being used offline (airplane mode) and encrypted with a password can they somehow be hacked from the other separate online profile?

At this point it is fairly plausible that vulnerabilities exist that could be chained to extract data from the other profiles.

At this point using a Pixel 3 is actually unsafe.

If it is possible to judge some combinations of hardware and software as actually unsafe, the Pixel 3 is one of them.

gristle-cause

de0u and nothing is ever plugged into the USB-C port

Highlighting this point. Most discussion has focused on remote adversaries using radio. But an EOL device will be physically insecure too. If the device ever leaves your sole physical custody, I wouldn't trust it to keep your data secure

Tiktaka What if someone has physical access to my Pixel 3, can he bypass the encryption of the password

Basically, yes. Probably. I sure wouldn't trust it. Cyber security is a cat and mouse game. Stronger protections are developed, more robust exploitation tools are build, so on and so forth. An EOL device no longer receives security updates; it doesn't have the latest protections, exploitation tools have had years to find a vulnerability

userofgos

https://xcancel.com/GrapheneOS/status/1952038934587887965#m

Cellebrite hasn't been able to bypass secure element throttling on the iPhone 12 or later or Pixel 6 or later. They didn't ever bypass it on the Pixel 2 or Pixel 2 XL but they did for the Pixel 3 through Pixel 5a and iPhones older than the iPhone 12 so a PIN can be bypassed.

https://xcancel.com/GrapheneOS/status/1947408034172485880#m

They eventually figured out how to exploit the secure element used for the Pixel 3 through Pixel 5a, which was 10 devices in total with far more usage than the Pixel 2 and Pixel 2 XL. Likely just didn't make economic sense for Cellebrite with the 2 / 2 XL as it did for Titan M1.

Tiktaka

I gave Pixel 3 as an example. If I have Pixel 6, 7, 8, the question is the same. When they reach EOL, does it mean I should erase everything and never use it?

userofgos

Tiktaka When they reach EOL, does it mean I should erase everything and never use it?

https://grapheneos.org/faq#legacy-devices

GrapheneOS aims to provide reasonably private and secure devices. It cannot do that once device support code like firmware, kernel and vendor code is no longer actively maintained. Even if the community was prepared to take over maintenance of the open source code and to replace the rest, firmware would present a major issue, and the community has never been active or interested enough in device support to consider attempting this. Unlike many other platforms, GrapheneOS has a much higher minimum standard than simply having devices fully functional, as they also need to provide the expected level of security. It would start to become realistic to provide substantially longer device support once GrapheneOS controls the hardware and firmware via custom hardware manufactured for it. Until then, the lifetime of devices will remain based on manufacturer support. It's also important to keep in mind that phone vendors claiming to provide longer support often aren't actually doing it and some never even ship firmware updates when the hardware is still supported by the vendors...

GrapheneOS also has high standards for the privacy and security properties of the hardware and firmware, and these standards are regularly advancing. The rapid pace of improvement has been slowing down, but each hardware generation still brings major improvements. Over time, the older hardware starts to become a substantial liability and holds back the project. It becomes complex to simply make statements about the security of the project when exceptions for old devices need to be listed out. Our current standards for security based on current generation devices are only applied to new devices rather than ones which used to meet previous standards. Devices remain supported until end-of-life despite no longer meeting our current standards.

What are your security standards? What is your threat model? What information are you keeping on EOL devices? Are you willing to accept the security risks with using EOL devices?

These questions must be taken into account, and the list of questions could go on. I personally wouldn't keep anything personal/private on EOL devices. I might consider EOL devices for an ofline music player, but that will be the extent of it.

https://xcancel.com/GrapheneOS/status/1827525749286322355#m

We need to get people off legacy devices without proper security patches and we need to start doing more than we already do to push people to get fully supported devices. This is more important to us than getting more users and donations from pretending EOL devices are fine.

This GrapheneOS project's stance is not using EOL devices at all, no exceptions.

thure

Tiktaka

It will depend on your thread model. If you might be targeted and rely on data security it would be advised to delete everything on decides without recent security updates.

Andorid

Tiktaka
I have an EOL 4a, I use it as a media player in my local wifi. I dont have any personal data on it, no contacts, no sim card, airplane mode with wifi enabled.

On EOL devices, it seems Vanadium still gets updated, thus web use may be ok, but, nothing serious, no online banking or paying on EOL devices.

To me, this is a reasonable thing the way i use it, Im still as cautious, as Ive always been. I dont expect a breach on my device and even if it occured, theres no data to steal. Your mileage may vary.

DeletedUser639

My opinion, when a device, a Pixel reaches EOL, no matter how shiny or scratch free it is, it has now become a liability and I will mechanically shred it. By then I should have purchased its replacement in any case...

neel

DeletedUser639 I still have my Pixel 3. It's a cute little device in a great condition.

It's turned on once every two months, running an Android 14 build of LineageOS.

I didn't even want to daily drive it five years ago, so why would I daily drive it today? I don't even still have my Pixel 3's "replacement", the OnePlus 8.

Tiktaka

gristle-cause

Then it means if my Pixel 7 is stolen and the thief waits until it becomes EOL, he could decrypt my phone. That also means I need options as duress or factory reset from remote

de0u

Andorid In theory some vulnerabilities in the Wi-Fi stack could be exploited by somebody with a cantenna up to a mile away. Then the damage would depend on the extent to which the local network is internally firewalled (which it often is not).

Bluetooth vulnerabilities can be exploited at a distance using a "Bluetooth rifle".