It seems to me that at this point for the normal person, the biggest security issue is not that some hacker will hack their phone to steal their data and render their device unusable, but rather that Google will
So I'm not terribly familiar with Bluetooth. Are these something that can be exploited by an unpaired device?
"Google Android on a Pixel 4a is vulnerable to remote code execution by arbitrary nearby wireless devices" is certainly a better reason to not use one than "security updates have ended".
and you'll see that every month lots and lots of CVEs are fixed with at least high or even critical severity in various stacks. If you're running a phone that hasn't received updates since August 2023, you can assume that you have dozens of remotely exploitable bugs on your system. The security track record of Android is absolutely terrible.
That phone hacking is not a big thing is simply because it's usually much easier for a hacker to get into the cloud services people use instead through targeted phishing attacks. If that makes you feel safe using a phone without updates, then good for you, but don't claim these updates aren't actually fixing serious bugs every month.
The fact that their bulletins say that there are high and critical vulnerabilities every month is sort of my point. Is this thing actually critical? Can you only send the vulnerable commands after you have paired? [0] suggests these are used after pairing, but like I said I'm not familiar enough with BT. If that's the case though, "User interaction is not needed for exploitation" is misleading; I'm not going to pair with random devices, so I'm not concerned. I see that with other vulnerabilities too, e.g. CVE-2024-31320 from last year is "critical", and says "there is a possible way to establish a companion device association without any confirmation due to CDM. User interaction is not needed for exploitation." Except if I'm understanding correctly, you need to install a malicious app, and what it does is let that app use a Bluetooth device without asking. Big whoop, that's how everything works on desktop, and it's fine.
The problem is the security industry has such a low signal:noise ratio that it makes sense to just ignore everything they say as a user. They're constantly lying and saying there are important security updates when there aren't, and that everything is high/critical severity when it isn't. In a corporate setting, you just unthinkingly update to check boxes, but as an individual, it makes no sense to do that. And with Android, you have to take possibly undesirable feature updates to get kernel or system library updates. For some products, security updates are to "secure" the device against its owner! Advisories are often lacking enough information to be able to evaluate impact, which further makes it clear that the people publishing them are to be viewed with a skeptical eye.
It should be immediately obvious whether this is exploitable by random passersby (if it actually is) without me having to go learn how Bluetooth works at a protocol level. "Don't think about it and just update, install a new OS, or buy new devices" is not a useful attitude.
Things don't become end of life when they stop receiving updates. They become finished. Whether and for what purposes they continue to be useful requires ongoing judgement.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-43096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4377...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4377...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-49747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-49748
These are just the RCE bugs without user interaction that were fixed with the January update. They are in the Bluetooth stack.