Hi, I have a Pixel 4a that I love and that works great (with CalyxOS). I bought it when it came out and I really don’t want a new phone, but…

Security updates from Google stopped for the 4a about a year and a bit ago, and for the last year I have been slowly getting more and more anxious while trying to ignore it. I’m still getting the Android security updates (software) for another year or so (thanks Calyx!), but I’m not getting the firmware security updates anymore.

I’m experienced in the field of cyber security and I feel like I’m in denial because I really really don’t want to buy a new phone.

Please tell me if I really should get a new phone or not…

My threat model would be just an average person but with the added paranoia of knowing too much about privacy and security, and my avoidance of getting a new phone is mostly rooted in zero-waste ideology and the pure hate towards Google for forcing me to stop using a great phone that would otherwise probably be usable for another few years.

  • withabeard
    1 day ago

    I’m experienced in the field of cyber security

    So… go look up the CVEs. Go have a look at what the actual threats against the old device are. What’s the method of attack, and do you care?

    If you decide you’re happy with the device, then remember to keep going back and seeing if any new attacks against the device exist.

    Whatever happens, we’re not protected against 0day attacks (by their very nature).

    I guess there is some reason to worry about “unknown” attacks against the device. But like 0days, there are probably unknown attacks against patched devices as well.

    • MTK@lemmy.worldOP
      1 day ago

      Do you have a way to find them? I did look around at some CVE sites but I couldn’t find anything specific to the Pixel 4a, making me think that maybe I need to look at individual parts within it? Which can be a lot more work and somewhat complicated.

      Edit: Saw CVE-2024-36971, I guess it’s time 🫠

      • Orbital@infosec.pub
        22 hours ago

        That CVE is in the Linux kernel, which CalyxOS should be fixing for you, via their security updates.