I’m curious as I’ve been running DNS66 on my previous and current phone and whilst it does exactly what it says (blocks all ads across the device) my concern is that the last published update in fdroid sas 2021.

I’m currently running AdAway which has been more recently updated and does an equally good job of blocking in-app ads.

My question though is more, if the software is still doing what it was intended to do is there a fundamental risk in using software that is no longer being updated?

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    30
    ·
    edit-2
    1 year ago

    Depends on your risk surface. If the program in question that doesn’t get any updates is isolated from the network completely. air gapped. Then it’s probably fine. It’s working.

    The trouble is the internet is constantly evolving, and so as soon as an exploit is discovered it’s added to a bunch of exploit scanners which look for things online that they can exploit. So if you have a piece of software that’s not getting updates, and it’s attached to the network. You could get in trouble.

    And not just the software itself, any libraries it used, any build environment objects that pulled in. All of those are part of the ecosystem. So while the code itself may not have somebody looking at it for an exploit, it could use a standard library which now has an exploit which is in metasploit with somebody’s just scanning the internet to find your little phone.

    • variants
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      So I have an older phone lying around and I’ve always wondered how risky would it be to connect it to Wi-Fi. Just because it has lost software updates a while back does that automatically open a gap in my network? Or would someone have to put in a lot of effort to get through like my routers firewall

      • jayandp@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        Your router’s firewall only blocks access to unauthorized ports. If your device is talking to the Internet, then that device is exposed to that connection. Your router’s firewall does not prevent your device from using an outdated and exploitable software on the Internet.

        Theoretical example, your device is stuck using an old web browser for whatever reason, that browser does not have a recent patch for an exploit involving loading infected pictures. You use that device to load a website with those infected pictures and your device loads malware because of that. Now your device could become a conduit for somebody to tunnel into your home network and look for any other things to exploit, whether those devices connect to the Internet themselves or not.

        Obviously, you can often update web browsers on older devices, use a fork specifically designed for older devices, etc. But there are oversights. Old Android versions can’t update Webview outside of OS updates. Webview is what apps use to load web pages inside the app, and if you’re using an old app, which uses the old Webview, to load a webpage that the owner abandoned and has been taken over by a malicious third-party, your device could be exploited just by that app loading that webpage without you meaning to.

        • variants
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Wow that makes a lot of sense thank you for taking the time to explain it!

  • phx@lemmy.ca
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Depends on the software, what it does, known vulnerabilities (in the software itself but also underlying libraries etc).

    Since it is likely intercepting DNS and blocking known ad domains, it could be vulnerable to exploits which rely on malicious encoding in DNS records etc

  • SokathHisEyesOpen@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    There’s no need to update if there are no known exploits. A lot of companies push updates just to force a new privacy policy these days. Not every update is a security patch or new feature, unfortunately.