In the market for a second-hand phone? Check it's still supported by the vendor – almost a third sold are not

That means no security updates, which puts users at risk of compromise


An investigation by consumer watchdog Which? has found that nearly a third of all phones sold on second-hand sites are no longer supported by the vendor, leaving punters at risk of being hacked.

The publication found that 31 per cent of all phones sold via CeX no longer receive security patches. For musicMagpie and SmartFoneStore, those numbers are 20 per cent and 17 per cent respectively.

As a result of the findings, musicMagpie has withdrawn all unsupported units from sale. SmartFoneStore has pledged to warn customers about abandoned mobiles. So far, there's no word from high-street tech buyer CeX.

It's not uncommon for smartphone manufacturers to cease providing software updates after just a year. This is most keenly observed in the Android sphere. To Apple's credit, it continues to support 64-bit handsets, including old gear like the 2015 iPhone 6s.

android

More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

READ MORE

Google has tried to address this problem with the Android One programme, which is described as the "gold standard" of the platform. It guarantees three years of updates and two operating system upgrades.

However, it has a significant flaw insofar as it's entirely voluntary. Moreover, the decentralised nature of Android means that users are largely at the mercy of vendors, who are perversely incentivised to discontinue devices before their natural lifespan. The logic follows that the shorter the lifespan, the sooner the upgrade.

Unfortunately, existing consumer law doesn't compel vendors to provide patches for a predetermined period of time, as Professor Alan Woodward, a computer science and security specialist at the University of Surrey, lamented.

Woodward told The Reg he thinks it's necessary for governments to take regulatory action, and it's looking more likely that they will. Recent advances in "right to repair" law give credence to this. As an alternative, there could be a market solution that sees punters fork out for additional updates beyond the predetermined lifespan of a product, similar to how Microsoft sells extended support for old versions of Windows.

Javvad Malik, security awareness advocate at KnowBe4, argued that the onus is on manufacturers and resellers to ensure punters are aware of the risks of using unsupported kit.

"Manufacturers and retailers need to be transparent with consumers as to how long software updates will be available for. This should explain in clear terms what this means to the consumer in terms of security, and in terms of usability.

"Another approach that is touted is for manufacturers to open-source old code or place code in escrow, so that when the software is no longer officially supported, or the manufacturer goes out of business, someone else can take the code and continue support."

Regardless of the eventual approach taken, something needs to be done. Speaking to The Register, F-Secure's Fennel Aurora, a global partner product advocate, said the problem predominantly impacts those on lower incomes.

"Most smartphones on the market are not the high-end all-inclusive models," he said. "Rather, most people are limited to cheaper models, which in general have a shorter time to programmed obsolescence, have a much shorter software support duration and are more likely to come pre-installed with privacy-invasive applications."

Liviu Arsene, global cybersecurity researcher at BitDefender, added that those who buy second-hand devices are arguably more motivated by cost, and may lack the technical nous to identify and understand security threats.

"It's likely that for users who opt for purchasing refurbished devices with end-of-life versions of Android, security might not be a priority," he said. "These could be affordable devices for less tech-savvy family members that only use basic functions, such as calling and texting, and not for power users looking for productivity features.

"However, unpatched devices are a security and privacy risk for both the owner and other family members. Since Android devices are equipped with sensors like camera, microphone, GPS, and are even used for online shopping, successful compromise could lead to much more than financial data theft, but also potential extortion and surveillance." ®


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022