
Fwiw LineageOS has historically supported various Pixels for many years longer*, e.g. the Pixel 2 (2017), which has been updated to Android 13[1]. GrapheneOS, on the other hand, only supports devices for as long as the manufacturer provides official updates, from what I understand.

* Subject to of course willing volunteers.

[1] https://wiki.lineageos.org/devices/walleye/



It should be noted that some security vulnerabilities, such as firmware blobs and binary blob drivers, can't be fixed by LineageOS. Certain Broadcom WiFi chipsets had RCE vulnerabilities in them, for instance, and these devices also run an entirely separate Linux install on the modem chip that rarely receives updates, if ever.

While LineageOS can easily extend a phone's lifetime by several years, it's not a real replacement for manufacturer support. I think GrapheneOS's take makes sense, especially for a security-oriented ROM.


Mmm, for this reason it's worthwhile keeping an eye out for firmware-level issues in case the device is outside the OEM supported range. E.g.: CVE-2020-11292[1], which affected Qualcomm chips.

[1] https://www.bleepingcomputer.com/news/security/qualcomm-vuln...


That's still a local privilege escalation type of vulnerability, isn't it?


Do you know what the attack vector is for exploiting an outdated phone? Asking because I really do not want to get rid of my Pixel 5 in one month.


In at least one instance, Google's Project Zero found an RCE vulnerability that could be triggered by just being nearby.

More common exploits target things like the GPU drivers. They require code execution on the device (i.e., an app you've downloaded) but they can be an easy path to root access for attackers targeting specific devices.

Realistically, people use phones long beyond their official software support lifetime. Plenty of unhacked phones going around still running Android 8. Android's fragmentation makes it hard to write a one-size-fits-all exploit chain like you can on iOS.

Just make sure to only run apps from sources you trust and to update your browser, and I'm sure you should be fine for another few years.

If you want to, you can run ROMs like LineageOS. They won't fix the binary blobs, but they'll patch the open source version of Android and keep you up to date in that regard. My phone stopped receiving updates after an Android 11 update and now it's running last week's Android 13 build, patching a whole bunch of Android runtime vulnerabilities. Many phones in use today are vulnerable to a zero-click Bluetooth exploit that would be fixed by installing LineageOS or something similar to that. The newer Android version also provides me with all of the privacy improvements that have been made in Android 12 and 13. I'm hopeful that it'll run Android 14 as well, though depending on a volunteer project isn't a guarantee of course.

In theory my phone could probably be hacked quite easily through the outdated GPU drivers, but in practice I don't think I'm at that great a risk unless I try to start pirating games or something.



