
I have flashed an old Samsung phone with a custom ROM. The OS (and all the needed software) come from a website that "should" be safe, from users that "should" be trustworthy. Still, I like to be a bit paranoid when it comes to security.

And so, let's assume the mobile is now compromised, as a result of something nefarious in its ROM, and I connect it to my home WiFi (WPA2-secured). For our purposes, let's assume I'm not planning to enter any userID/passwords, and simply use the device to browse the Internet (not logging into anything).

If I installed and used a VPN on this device, would that reduce the risk to my network and the other devices?

I know that you're not supposed to use open public WiFi (I've also checked this question: How to use public WiFi safely?), but my situation made me wonder, if my fears are true, doesn't that mean a malicious user could, say, go to a public library that offers secure WiFi to their clients, to whom it provides the password, and connect to the network, compromising any other devices that use it?

schroeder

2 Answers


A VPN sits on top of, and is dependent on, the Operating System and the hardware. If the Operating System or the hardware is custom, it can simply choose to ignore the VPN for its malicious activity.

That means that it is possible for the compromised phone to attack the network at will, targeting the WiFi Access Point/Router or creating an "Evil Twin" network in order to capture traffic of other nearby devices.

Note that just having a malicious device does not mean that all other devices are instantly compromised. Those other devices need to have vulnerabilities that the malicious device can access. So you can't say that the situation results in "compromised" devices, but rather that they can be attacked.

schroeder

It depends on a couple of factors, but I would say your network is safe.

If your VPN is configured to be an "Always-on VPN" and "Block connections without VPN" is set, any application running on the mobile will only have access to the VPN and nothing else.

If the ROM you installed is used by thousands of users and you got it from a reputable source, you are mostly safe, sometimes safer than using some of the OEM ROMs around.

But if you are really serious about being paranoid about security, don't use an old mobile phone with a custom ROM. Use your paranoia to buy a recent phone with a good security record (Pixel phones come to mind). Or buy a router with networking settings that allow you to create a VLAN for each client, and isolate this mobile on a segregated VLAN without access to the other VLANs.

ThoriumBR
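The VLAN segregation that ThoriumBR suggests is the one control in this thread that does not depend on the phone's OS honouring anything, because it is enforced on the router rather than on the suspect device. The ruleset below is an added example, not part of either answer and not taken from any router vendor's documentation. It assumes a Linux router running nftables with three interfaces, all of which are assumed names: `wan0` (upstream), `vlan10` (trusted LAN) and `vlan30` (the quarantine VLAN that the access point maps the custom-ROM phone's SSID onto). Quarantine hosts get Internet access and the router's DHCP/DNS, and nothing else; attempts to reach other VLANs are logged and dropped so that the "it can be attacked" scenario from the first answer at least leaves a trace.

```nftables
#!/usr/sbin/nft -f
# Added example: quarantine VLAN for an untrusted device on a Linux router.
# Interface names below are assumptions for this example only.
flush ruleset

define WAN  = "wan0"    # upstream / Internet
define LAN  = "vlan10"  # trusted home devices
define QUAR = "vlan30"  # quarantine: the custom-ROM phone lives here

table inet filter {
    # Packets addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Quarantine may only use the router's DHCP and DNS.
        # No SSH, no admin web UI, no probing of the gateway.
        iifname $QUAR udp dport { 67, 53 } accept
        iifname $QUAR tcp dport 53 accept
        iifname $QUAR drop

        # Trusted LAN may talk to the router (management, DNS, DHCP).
        iifname $LAN accept
    }

    # Packets routed between interfaces.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Quarantine -> Internet only. Anything from quarantine towards
        # vlan10 (or any other VLAN) falls through to the log+drop below.
        iifname $QUAR oifname $WAN accept

        # Trusted LAN -> Internet.
        iifname $LAN oifname $WAN accept

        # Optional: let trusted hosts initiate to the quarantined phone
        # (e.g. to push updates to it); replies ride on established,related.
        iifname $LAN oifname $QUAR accept

        # Lateral-movement attempts from the quarantine are logged, then dropped.
        iifname $QUAR log prefix "quarantine-lateral: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and verify from the phone that a trusted host's IP does not answer while Internet sites do; the dropped attempts show up in the kernel log with the `quarantine-lateral:` prefix. Two caveats that the router rules cannot cover: the access point itself must tag the phone's SSID into `vlan30` and, if other devices share that SSID, enable wireless client isolation, because frames between two clients of the same SSID never reach the router's forward chain; and the "Evil Twin" attack from the first answer happens at the radio layer, where no firewall rule applies.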