Hacker News new | ask | show | jobs
by zw7 1412 days ago
This is my concern. I use my old pixel (3a) as an always-on Syncthing node but worry about the security implications.

But I haven't been able to find good info on what exactly the implications are. If I'm not worried about targeted attacks, does a device that is just a passive node pose a significant risk?

In other words, how much do security updates address targeted attacks (not my threat model) vs widespread attacks of non-updated phones?
3 comments
spiffytech 1412 days ago
This varies case by case, and widespread attacks definitely happen.

Perhaps the most famous one on Android was the Stagefright attack, which could take over your phone by sending you a malicious MMS (which you didn't even have to open), or by getting the system media player to play a malicious MP3/MP4.

That was a while ago and I haven't kept current on similar attacks. Running an unpatched system is a gamble that nothing like that is still waiting to be discovered.

link
flanbiscuit 1412 days ago
> Perhaps the most famous one on Android was the Stagefright attack, which could take over your phone by sending you a malicious MMS (which you didn't even have to open), or my getting the system media player to play a malicious MP3/MP4.

Which I would assume is not an issue if I'm using an old Android phone without a SIM card, so there's no way to receive any type of sms/mms message

link
chasil 1412 days ago
The 3a will run Lineage, so you can get the latest OS updates. However, the vendor updates will not advance.

Lineage will try to scavenge firmware updates from other devices to upgrade what they can, but there might be problems with the wifi, bluetooth, or other firmware that can compromise the device.

This is less of a concern if your wifi connectivity is behind a NAT router, and Google is gone.

link
flanbiscuit 1412 days ago
> This is my concern. I use my old pixel (3a) as an always-on Syncthing node but worry about the security implications.

Interesting, I've never thought of using an Android phone as a Syncthing node.

Is there a way for an Android phone to connect to Wifi, but not the internet?

I use Syncthing with local discovery only, which only needs the devices to be on the same Wifi network. Not having internet access and also not having a SIM card to get calls/sms/mms message should greatly reduce the risk of attack to the point where I wouldn't feel worried about it.

link
Jaruzel 1412 days ago
> Is there a way for an Android phone to connect to Wifi, but not the internet?

If you can manually set the IP address on it instead of letting the WiFi AP give it one, then you can just leave out the default gateway entry - The device will then have no idea how to route network data outside of your local LAN.

Alternatively, set up a different WiFi SSID that gives out IP addresses, but again without a default gateway address, and have your device(s) connect to that instead.

Or finally, if your router supports it, set a rule to block your device(s) (via it's MAC address) from accessing the internet.

link
flanbiscuit 1411 days ago
all good ideas, thank you!

I think the first option might be the easiest because it doesn't involve having to change anything on the router.

It does seem possible on Android to set a static IP and remove the Gateway (or maybe set it to 127.0.0.1 if I can't leave it blank?)

https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleD...

link