It's worth keeping in mind that desktops and laptops have similar issues. They have huge numbers of components, many with their own complex firmware like HDDs/SSDs, Wi-Fi, etc. It's even rarer to have proper firmware updates on those than phones.
AOSP offers much better privacy and security than a traditional operating system without a strong security model and strong exploit mitigations too. LineageOS hinders some of that, but most is still intact. Most devices not having full security updates is a huge issue though.
This Tweet was deleted by the Tweet author.
Having the AOSP security updates doesn't mean you're receiving most of the critical security vulnerability fixes. A disproportionately large number of the security issues are in device-specific code, lots of it closed source. Having most fixed wouldn't really help much anyway.
An attacker doesn't need hundreds of vulnerabilities available, although there are hundreds of serious unfixed vulnerabilities after a year of not receiving updates from the vendors and only applying AOSP security fixes and upstream kernel fixes (and the latter is not a given).
An attacker only needs a few good vulnerabilities to have a working exploit chain. It makes sense for them to target SoC vendor code portable across millions of devices but harder to update than AOSP code. Shipping the AOSP updates alone leaves many critical gaping holes open.
This Tweet was deleted by the Tweet author.
I find it a bit frustrating that many people are misled into thinking the problem is solved for them because they have security updates for one part of the system (AOSP components) via a custom ROM. I wish LineageOS and others would set the security patch level accurately.
They should really not include the field at all by default, and device maintainers should be responsible for overriding it and setting it to the patch level they're able to provide. If they can't provide the current one, which is the case for most phones, it shouldn't say so.
It's also not just that they should set it to what they're *able* to provide but what they actually *do* provide. For example, if they aren't going to bundle all the drivers/firmware for a phone, they can't claim the latest patch level without checking that it's up-to-date.
I've brought this up with them and it's not only clear that they don't care, but that they're primarily interested in promoting the project based on misleading users with this. They also take a similar stance to other security issues around builds, signing and updates.
