What Can You Do with an Insecure Laptop, Phone, Tablet or Music Player?
The short answer is not much. The long answer is “it depends.’ We have looked at resurrecting old devices that no longer receive security updates, given the likelihood of having to check devices in luggage and potential damage or theft. We now plan to travel with some old devices, but with some restrictions on how we use them. The article that follows discusses the security and usability issues for several devices that we have resurected.
MacBook circa Late 2009
Our old MacBook has not received security updates for at least two years and as such has not been used. The battery is no longer good either. Since it is essentially valueless, getting it stolen would not be a problem except for the potential data security issues. The battery was dead, but I found a reputable third-party replacement for $44. I backed up the disk with Clonezilla, and installed the current version of Ubuntu 16.04. The only thing that took some tinkering was copying the firmware for the iSight video camera and installing it. During the install, I enabled home directory encryption.
With about two hours of work, the laptop is secure and works surprisingly well for normal office and browsing tasks. The battery life is only two to three hours, but with some research and tweeking, that could probably be improved. I was pleasantly surprised that I was even able to get Skype working.
Android Tablets and Phones
LineageOS is an alternative Android Firmware available for some phones and tablets. Unfortunately, it takes some research using the LineageOS CVE Tracker to figure out whether or not the firmware for your particular device is up to date on CVE security patches; some of the devices are up to date, but the CVE Tracker has not been updated.
This can be a good alternative, but probably is not a good idea for a device with critical information, as a build problem with permissions could leave you with a very insecure device.
Using Devices that Cannot Be Secured
Using old iPhones, iPods and Android devices that cannot be brought to current security patch levels is problematic, since a key logger other malware could be installed without your knowledge. You could lose access to email and other passwords. Because many services allow you to reset a password via email, you could lose control of critical financial and social media accounts.
What You Cannot Do
Here are things you cannot safely do:
- Do not use your primary Apple ID and/or Google ID with contacts and email. You can get a second ID that you do not use for contacts or email and use this. Through the Apple Family Sharing plan, you may even be able to get access to some apps. You CANNOT use this device for email.
- Do not use an account where an attacker could get access to credit card information by logging in to a subscription account.
- Do not log in to web sites.
- Do not connect the device to your home Wi-Fi network.
- Do not install Google Authenticator or another authentication program.
What You Can Do
There are two principles to using an insecure device:
- Do not use it for anything where compromise would be a problem. Nothing of value should be present on the device. No important passwords.
- Minimize the exposure of the device.
These two principles lead to a few simple practices:
- Turn off Wi-Fi outside your home network, or better, just turn it off altogether.
- Turn off Bluetooth.
- Turn off location services, since this may turn on Wi-Fi and/or Bluetooth.
- Use an Apple ID or Google ID that is not used for ANYTHING that needs to be secure.
- Add music and ebooks only via USB connections.
- Update content only through USB connections.
There are some things that you can do using an insecure device, but they are quite limited:
- You can use it as an e-reader.
- You can use it as a music player.
- You can use it to read newspaper apps if you sync via iTunes, as long as the log-in account uses a unique password and the customer service portal does not expose your credit card information.