TfL change to website security prevents older smart phones accessing their website

[najaB]

The difference is, my washing machine doesn't suddenly stop washing certain types or brands of clothes that it used to do before.

The phone was never capable of accessing sites that use TLS 1.2. It's not the phone manufacturer's fault that the website made a change. The phone can still access unsecured sites and sites using TLS 1.1.

 

[Joe Paxton]

I wonder if there's some sort of proxy which can be used to access TLS 1.2 sites, i.e. effectively stripping the TLS out?

Also, the Traveline South East journey planner might be of use? No TLS, and the URL for the 'large text and mobile' version is thus:

http://www.travelinesoutheast.org.uk/bcl/XSLT_TRIP_REQUEST2

 

[najaB]

I wonder if there's some sort of proxy which can be used to access TLS 1.2 sites, i.e. effectively stripping the TLS out?

In theory, yes. But that would expose you to a man-in-the-middle attack so I would only trust a proxy that was under my control.

 

[Joe Paxton]

In theory, yes. But that would expose you to a man-in-the-middle attack so I would only trust a proxy that was under my control.

If all you are doing is checking the Tube service status page or even planning a journey then you may not care if someone knows what you are looking at.

 

[najaB]

If all you are doing is checking the Tube service status page or even planning a journey then you may not care if someone knows what you are looking at.

I agree. But would you want the faff of changing proxy settings when you want to look up timetables? Plus, TfL won't be the only organisation turning off support for older security standards.

 

[sk688]

Old smart phones have been at risk for a long time - particularly Android handsets. If you have anything prior to Android 6 you are recommended to just throw it away.

Hardly so . While phones running JB (4.1 , 4.2 , 4.3 ) are probably too old now and could be thrown away , some KitKat (4.4 ) phones are still fine, and as for Lollipop Handsets , they are hardly at the stage of being thrown away . My old HTC M7 stopped is on Lollipop , and it is still fine to use

 

[jon0844]

Old smart phones have been at risk for a long time - particularly Android handsets. If you have anything prior to Android 6 you are recommended to just throw it away.

By whom? Tim Cook?

Writing about mobile technology is my job and that's the first I've heard such a thing.

 

[Olaf]

Interesting, I hadn't heard that. Any chance of a link?

They appear to stopped updating this site in 2015, so there is lot of missing detail ...
http://androidvulnerabilities.org/by/version/

The score card up to about the end of 2015 ...
http://androidvulnerabilities.org/


This is the list of known issues newly identified this year ...
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html


As you will be aware, most older version of Android are not maintained, and although patches for issues may have been made available for more recent version, few operators facilitate upgrades to the handsets. As a consequence, there is vast pool of devices out there not only open to attack, but infested with malicious code.

 

[jon0844]

There are perhaps many devices that COULD be subject to attack, but many exploits are rather more dangerous 'on paper' and require a specific set of circumstances, possibly even direct access to a device, to enact.

As such I don't think too many people need worry, whether they have an old Android phone, Windows Phone or even an iOS device (not immune either).

Those people who have a really old, insecure, phone are most likely not presidents and are not at any real risk because they probably rarely use their device. If they were heavy users, they'd likely upgrade anyway because chances are their battery is now on its way out, and they'd like a better screen, faster data connectivity or whatever.

Many phones in the last 2 years or so will get security patches even if no more OS updates, and as I've said before, Play Services and other Google apps will be supported for many years beyond the ending of OS updates.

Would I like it for phones to get OS updates for longer? Sure.

 

[najaB]

They appear to stopped updating this site in 2015, so there is lot of missing detail ...

Okay, there are lots of identified vulnerabilities, but in a quick scan I couldn't see a recommendation to throw away devices prior to Android 6.

 

[Old Yard Dog]

Microsoft says otherwise.

While that is the official line, many users have reported serious problems getting Office 2007 to work on Windows 10. So I am not prepared to take the risk as I have little to gain. The crunch will come when Microsoft withdraw support for Windows 7.

 

[Olaf]

There are perhaps many devices that COULD be subject to attack, but many exploits are rather more dangerous 'on paper' and require a specific set of circumstances, possibly even direct access to a device, to enact.
...
.

Attacks typically involve the use of multiple coordinated attacks. The level of attacks have increased both in the level and the individual targeting.

 

[Olaf]

... and off the press today:

Researchers find 38 Android devices shipping with pre-installed malware
https://nakedsecurity.sophos.com/20...-devices-shipping-with-pre-installed-malware/

...
Check Point’s Mobile Threat Prevention team says it detected malware in 38 Android devices belonging to a large telecommunications company and a multinational technology company.

The team said malicious code was already present on the devices even before they were issued to users. Just as the Windows-based malware cited above was introduced during the development process, so were the malicious apps Check Point discovered. Six infections were apparently added to the device’s ROM by bad actors using system privileges.
...
[There follows a list of well known models.]

Apologies for taking this thread off-topic, and last post on the subject.

 

[westv]

The TFL status page no longer works on my old smartphone and hasn't done for a number of weeks. Does anybody know of a suitable alternative?

Thanks.

 

[moogal]

I find tubestatus.net works well on my phone.

 

[rebmcr]

As an ongoing trend, the tech industry is moving away from the TLS1.0 type of encryption, which has been known to be flawed and vulnerable to attack for over a decade now — this has been deemed a long enough time to cater for introducing the newer better variants of TLS.

This will certainly begin to affect other sites and (more than likely) also render any alternatives also inaccessible before long. While I understand this is unfortunate for you, there's not much any one of us can do about it (other than retire older equipment).

 

[gazthomas]

The TFL status page no longer works on my old smartphone and hasn't done for a number of weeks. Does anybody know of a suitable alternative?

Thanks.

Are you able to install a modern browser App such as Crome?

 

[westv]

Tubestatus.net doesn't seem to work either. Not on the default browser or Bing.

Why is it so difficult to get a simple status page to work? My phone isn't that old (2011?).

It does make a slight farce of the desire to keep things as long as possible.

 

[Mojo]

You could try Twitter?

 

[Nick66]

Never heard of tubestatus.net but just tried it, looks simple clear and fast. Does the data come from a reliable source?

I would have suggested the Tube Map app but if you can't get tubestatus.net to work on your phone, forget it!

 

[Crossover]

Tubestatus.net doesn't seem to work either. Not on the default browser or Bing.

Why is it so difficult to get a simple status page to work? My phone isn't that old (2011?).

It does make a slight farce of the desire to keep things as long as possible.

In tech terms, 7 years old is fairly old. One of my phone is from 2010 and cannot do very much at all now!

 

[johntea]

Even if you find a workaround site, expect your old smartphone to no longer be able to connect to free public WiFi networks in the next several months due to TLS 1.0/1.1

It is quite sad your old smartphone basically becomes a backup emergency phone for calls and texts rather than anything 'smart' but if you look at it another way without updates it eventually becomes the equivalent of trying to browse the web in 2018 from a Windows 95 PC!

 

[AlterEgo]

Tubestatus.net doesn't seem to work either. Not on the default browser or Bing.

Why is it so difficult to get a simple status page to work? My phone isn't that old (2011?).

It does make a slight farce of the desire to keep things as long as possible.

A seven year old phone is pretty old.

 

[westv]

It is quite sad your old smartphone basically becomes a backup emergency phone for calls and texts rather than anything 'smart' but if you look at it another way without updates it eventually becomes the equivalent of trying to browse the web in 2018 from a Windows 95 PC!

The difference is, of course, that to upgrade you don't need to throw away the entire PC

 

[takno]

Tubestatus.net doesn't seem to work either. Not on the default browser or Bing.

Why is it so difficult to get a simple status page to work? My phone isn't that old (2011?).

It does make a slight farce of the desire to keep things as long as possible.

Sadly most of the Windows phones that got sold were essentially 2 or 3 years out of date when they were sold. You've really got to factor that into the price if you're looking to buy something that will last. When you're buying a smartphone or computer you aren't really buying a self-contained single purpose device which should last as long as the components - you're buying something that gets you access to an ever-evolving network with constantly developing opportunities, but also constantly evolving security threats.

In the case of PCs there may be an environmental argument for getting rid of something as old as 7 years anyway - power consumption for them has gone off a cliff in that time, and certainly if you leave one switched on most of the time you could probably pay for the replacement in saved electricity over a couple of years.