How sure are you that the vendor is actually providing device-specific updates? What about firmware updates? Outside of the x86 ecosystem, whole-device-family updates in the mainline Linux kernel are rare. You're probably deceiving yourself believing that your devices are up-to-date.
Most of the time laptops and many "mainline-friendly" phones stop receiving firmware updates in 2 years. By "firmware" I mean the binary blobs for the peripherals. Most of the SoCs have unified memory for the LTE and CPU modules. If a vulnerability is found in the firmware of the LTE module, it can be used for data extraction.
CRA puts hard requirements on documenting and fixing vulnerabilities in device software in a 5 year period. It cannot be an infinite number of years, so a reasonable update period had to be chosen. It covers everything provided by the vendor itself too. So if there are vulnerabilities in FW they have to fix them, unlike the current situation.
> How sure are you that the vendor is actually providing device-specific updates?
First of all, my phone runs an FSF-endorsed operating system, so no closed drivers. Granted, not everything has been upstreamed yet, but they're working on it and I trust that it will be done soon. (They have done it with the devkit.)
Second, my phone has a removable modem and a removable WiFi card (no unified memory), so when the firmware can't be updated anymore, the card itself can be replaced. (They actually have already done it by releasing a new WiFi card; a 5G modem is also being tested.) In the worst case, the device can still be used as a pocket computer with no wireless communications.