Device drivers don't usually need to be updated unless the driver interface changes (i.e. when you update the Linux kernel) or the driver needs to be updated to accommodate quirks of new software (i.e. graphics drivers and new video games).
They probably do want to be getting the latest security patches to the kernel and base OS.
I remember the creator of CopperheadOS claiming the "Nexus 5" (which is EOL) is not secure because of hardware (baseband?) vulnerabilities that wouldn't be trivial to fix.
Can anyone recommend a post that introduces these kinds of issues for Android outsiders?
I assumed Android ROMs carry a fully fledged distribution, including the kernel and firmware. Sure, the latter might be out of date.
When I tried digging into the question "where does this so-called open source come from", I stumbled upon kernels that basically have one commit adding the whole blob.
Is the ROM merely the application software built for a target kernel (which is persistent on the device)?
I've hacked around with kernel modules on Android before, but miss the big picture in that regard.
Edit: especially the new update infrastructure (Treble?). Does it change anything here?
The ROM is kinda an inaccurate term for the whole "blob" of binaries that gets copied to eMMC (or similar) storage. This can include multiple partitions, firmware updates (including for your baseband) etc.
Treble seems to mean that the software can be updated separately from the drivers and the firmware (https://www.androidauthority.com/project-treble-818225/). It could actually make things worse in terms of out-of-date drivers and firmware.
I think he's more saying that Nexus 5 is not secure going forwards because the firmware for the hardware is not getting updates. I can't see any reference to specific vulnerabilities, but when a platform is complex they're bound to exist. When you combine that with not getting updates, you have an insecure platform.
The firmware for the Nexus 5 wifi chip has well-known remotely-exploitable code-execution vulnerabilities [1] that were never patched. Nearly all modern devices have a full software stack inside the wifi (and other radio) chips and they all have plenty of security flaws and they're all proprietary and unaffected by the OS.
So it's not just about it not being secure going forwards. It and most other similar age handsets are insecure because a fix has never been released for the older chips.
Does anyone know anything about the GSMK Cryptophone 500? It appears to be a modified Galaxy S3 with a heavily custom ROM and can double as an IMSI catcher. I wonder. Did they RE the baseband or replace it with their own?
I seem to remember there being relatively complete access to the S3 baseband at one point. Not sure I'd use it as a daily driver though. The S3 had big problems with the eMMC suddenly dying.
I am aware of the eMMC issues. Not to mention a phone from those days is slower than current phones, although I don't know how much that matters with the custom ROM they use.
Yes, the drivers are ancient, and probably have a ton of security vulnerabilities. Has the general situation improved in recent years? To me it seems that hardware vendors generally don't care about these issues at all. Which phone would you say has secure drivers?
Hey, the replies here about CopperheadOS are pretty good for info on this.
It's a tradeoff - new phones are more secure, but they're also secured against you, e.g. if I OEM unlock my Galaxy Note 9, a bit is set permanently that could be used to determine whether the phone gets a warranty repair.
To get back on track, you may want to have a look to see if the "board support package" is still supported. You're well out of vendor support and it looks like the last commit to https://github.com/LineageOS/android_kernel_samsung_smdk4210... was 2013.
The gold standard would be a phone that runs a very-close or actually mainline Linux kernel, but I don't think we're there yet.
Nexus devices were fantastic, but they're gone now. Pixel, I guess, but I was scared off after the 5X and 6P hardware issues.