I only wonder because, while I know no one could advise per se that people deliberately make bad security decisions, I don’t feel as a layman that the nature of the risk is adequately explained.
Specifically, if you use a really old OS or an old now unsupported phone. The explanations for why this is dangerous tend to focus on the mechanism by which it creates a security flaw (lack of patches, known hardware security flaws that can never be patched).
If we use an analogy of physical security whereby the goal is to prevent physical intrusion by thieves or various malicious actors, there’s a gradient of risk that’s going to depend a bit on things like who and where you are. If you live in a remote cabin in the woods and left your door open, that’s bad, but probably less bad than in a high crime area in a dense city. Similarly, if you’re a person of note or your house conspicuously demonstrates wealth, security would be more important than if it you’re not and it doesn’t.
I would think, where human beings are making conscious choices about targets for cybercrime some parralells would exist. If then, you turn on an old device that’s long obsolete for the first time in years and connect to the internet with it, while I know you are theoretically at great risk because your doors and windows are essentially wide open, how risky is that exactly? If you just connect, at home on your wifi and don’t do anything? Is someone inevitably going to immediately find and connect to this device and exploit it’s vulnerabilities? Or does there have to be a degree of bad luck involved?
I’ve brought up the idea of malicious actors who are human beings making conscious decisions, (hackers), but I was once told the concern is more to do with automated means of finding such devices when they’re exposed to the internet. This makes more sense since a theoretical hacker doesn’t have to sit around all day just hoping someone in the world will use an outdated device and that they’ll somehow see this activity and be able to exploit the situation, but I guess, it seems hard for me to imagine that such bots or automated means of scanning, even if running all day will somehow become aware the minute anyone, anywhere with an insecure device connects to the internet. Surely there has to be some degree coincidental happenstance where a bot is directed to scan for connections to a particular server, like a fake website posing as a bank or something? It just doesn’t seem it could be practical otherwise.
If I’m at all accurate in my assumptions, it sounds then like there’s a degree to which a random person, not well known enough to be a specific target, not running a website or online presence connecting an insecure device to the internet, while engaging in some risk for sure, isn’t immediately going to suffer consequences without some sort of inciting incident. Like falling for a phishing scam, or a person specifically aware of them with mal intent trying to target them in particular. Is that right?
You’ve mentioned a phone as an example a couple times now. What kind of phone are you referring to, a smart phone? Because I should mention that if you connect an old smartphone, or even a Windows XP laptop to your home WiFI you will not get a public IP on the internet. Your home router is acting as a NAT gateway and translating an internal IP into an external one. It would be the device being scanned, not your phone/laptop.
So connecting a Windows XP laptop to your WiFI is not going to open you up to the attacks that have been discussed here so far. The risk now is likely the web browser and software on the laptop that could b exploited by browsing to a malicious website.
I guess I ended up zeroing in on phones (smartphones) unintentionally just because my already long winded replies become even more so if I have to try to keep my terms generic but still meaningful. It’s a good an interesting point you raise though about a home router being a form of barrier between a device and would be attackers. However the phone then accidentally becomes a good example because one will often use such a device out and about with its own mobile internet connection. They also are a particularly rich target because of the fact that people have their most intimate and sensitive information on there. Contacts, apps that facilitate banking, payment systems, photos, emails.
Almost everyone using a smartphone uses it for these highly sensitive purposes and a great many don’t but a new phone just because the old one lost support or don’t update because they don’t want to. Again though, without specific numbers, it sure doesn’t seem like a similarly large number have their identities stolen or the bank account drained, or random items bought that they themselves never purchased.
It happens often enough to enough people that it’s far from unheard of, but then again it certainly doesn’t seem like a good chunk of the people one knows have had something like that happen to them even with the relatively high likelihood that a sizeable portion of them have theoretically been vulnerable to it at once time or another.