Advice Request Are older iOS and iPadOS devices still safe to use?

Please provide comments and solutions that are helpful to the author of this topic.

oldschool

Level 81
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Are older iOS and iPadOS devices still safe to use? Recent critical vulnerabilities were patched only in newer devices after Apple started dropping support for older versions of iPhone last year. In light of these recent vulnerabilities, what is your take on the subject?

 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
What about for use only at home?

It really depends on what you plan on doing with them. If they're going to be digital photo frames or casual web browsing tablets, I don't see a huge harm in having it be a bit out of date.

I would personally not connect it to your iCloud account or sign into any other cloud services where you'd be sad if an attacker can gain control over your cookies/credentials to such services. And probably not enable or use a password manager that could allow for a compromised iPad to slurp up all your valuable passwords.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
It's worth pointing out that to date, there's not been any documented cases of in-the-wild spreading iOS malware/spyware, so this is more of a precautionary measure. Nothing technically prevents iOS security holes from being exploitable in such a manner the same way that Windows XP / IE6 would get drive-by malware simply by viewing a malicious ad.... however, to date we've seen little evidence of that actually happening even for outdated iOS devices.

iOS attacks tend to be targeted and political/government in nature. But since we are all security enthusiasts here I think we should practice what we preach -- Apple devices tend to get around 5 years of software updates from the last time they are sold, so it's worth factoring into your budget that you should plan on replacing the device every 5 years or so. Furthermore, it's worth considering whether or not it's worth stretching your budget for a high-end "Pro" device versus continuously replacing with mid-end ones
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
What about for use only at home?
Still an issue for browsing since it had webkit and sandbox escapes Wich some are easily exploitable thanks to open source POC/ webkit based jailbreak.
Even though iOS is targeed less I won't recommend using an outdated version.
Only without network connection.
Or isolation via firewall and temp app store used only for stuff like gaming (no personal usage )
Would be safe.
But since the botrom exploit maybe soon someone will compile a good alternative OS for outdated iPhones.
 
F

ForgottenSeer 85179

No. For example vulnerabilities in firmware can and will abused after the details/ fixes are available which is only 1 month!

That mean that every device over that small time, is affected.
That's also the reason why custom ROMs like LineageOS doesn't help
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
No. For example vulnerabilities in firmware can and will abused after the details/ fixes are available which is only 1 month!

That mean that every device over that small time, is affected.
That's also the reason why custom ROMs like LineageOS doesn't help
"Can", yes, but where is the "will" in this context of 32-bit iPads that run iOS 12.x? I've kept on top of most of the circulating Mac and iOS malware and to date there's been very little to write home about on the iOS side. Even with old and vulnerable devices, there are very very few examples of circulating malware for such devices. I 100% agree that with published vulnerabilities it is possible to to do so, but it doesn't seem like it is a prevalent attack vector.

If someone wants to keep a vintage iPad around for casual web browsing I'm not seeing enough reason so far to say that is ill-advised. Sure one day in the future when those things become insta-infected by malvertising and start stealing data or being part of botnets I'll sound the alarm, but right now that doesn't seem like the case.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
"Can", yes, but where is the "will" in this context of 32-bit iPads that run iOS 12.x? I've kept on top of most of the circulating Mac and iOS malware and to date there's been very little to write home about on the iOS side. Even with old and vulnerable devices, there are very very few examples of circulating malware for such devices. I 100% agree that with published vulnerabilities it is possible to to do so, but it doesn't seem like it is a prevalent attack vector.

If someone wants to keep a vintage iPad around for casual web browsing I'm not seeing enough reason so far to say that is ill-advised. Sure one day in the future when those things become insta-infected by malvertising and start stealing data or being part of botnets I'll sound the alarm, but right now that doesn't seem like the case.
Just don't use any personal information / logins on that device and block camera since it sucks anyway.
Use a temp apple store account .
And do other local network mitigation via firewall.
 
F

ForgottenSeer 85179

"Can", yes, but where is the "will" in this context of 32-bit iPads that run iOS 12.x? I've kept on top of most of the circulating Mac and iOS malware and to date there's been very little to write home about on the iOS side. Even with old and vulnerable devices, there are very very few examples of circulating malware for such devices. I 100% agree that with published vulnerabilities it is possible to to do so, but it doesn't seem like it is a prevalent attack vector.

If someone wants to keep a vintage iPad around for casual web browsing I'm not seeing enough reason so far to say that is ill-advised. Sure one day in the future when those things become insta-infected by malvertising and start stealing data or being part of botnets I'll sound the alarm, but right now that doesn't seem like the case.
Of course that's a legitimate attack. Such exploits are highly wanted and if attacker can easily get control over a iPhone or up2date secure Android like Pixel phones, then that is a wanted chance for attacker.

Sure normally this doesn't affect normal user's as enough other attack options exists but I wouldn't don't care about outdated phones if it's not fully isolated from own Network and/ or if important tasks are done on that device
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Home use iPad should be fine.

Personal use iPhone, reasonably OK.

Work use iPhone, no.


Benefits of Newer Devices:
  1. Better hardware to meet modern requirements
  2. Extended support for the next 4-5 years
  3. More capable OS
  4. Improved user experience
There's a lot of mumbo jumbo that leaks out from Android and Windows experts, that simply cannot apply to the same effect for iOS. Apple is still vulnerable to attack, but don't be scare-mongered into thinking it's unsafe to use an older device. Many still use outdated versions of Android and Windows as their daily driver.

Apple have a trade-in program for their older devices, or free recycling for non-Apple products.

Source: Owner of iPad Mini 3 and 5. This post was sent from Android 10.
 
Last edited:

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Benefits of Newer Devices:
  1. Better hardware to meet modern requirements
  2. Extended support for the next 4-5 years
  3. More capable OS
  4. Improved user experience
There's a lot of mumbo jumbo that leaks out from Android and Windows experts, that simply cannot apply to the same effect for iOS. Apple is still vulnerable to attack, but don't be scare-mongered into thinking it's unsafe to use an older device. Many still use outdated versions of Android and Windows as their daily driver.

It's also worth mentioning that each new Apple chip has new hardware-specific security features too. No 32-bit chips have a Secure Enclave, and secure boot was reinvented with the 64 bit chips to be less vulnerable to physical attacks too. In the A13 generation almost every piece of firmware along with the kernel are made read-only early in boot so that it is impossible for attackers to introduce kernel-level code payloads, they can only live off the land. Pointer signing was recent too.

Old devices can have software devices patched, but new devices have much better built-in safeguards that make various classes of attacks difficult to carry out. Plus all of this leads to fewer attacks being developed against older devices -- after all, why bother creating an attack if it doesn't even run on the devices that 70+% of iOS users have?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top