A security researcher just found a security bug in APT (the package manager by default in PureOS) which can result in arbitrary remote code execution from either MitM or compromised repo. There’s also a good PoC video.
https://justi.cz/security/2019/01/22/apt-rce.html
One way to defend against this is by using HTTPS instead of HTTP for APT, via installing apt-transport-https
. I also noticed this wasn’t installed by default on PureOS (then again, most distros don’t do this either).
Since these devices are affected, I thought I’d share for your security awareness.