An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher

'This is going to be a problem; we are not on top of this'


Interview Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned.

Secure internet connections depend on the server presenting a valid certificate to the client. The most common failure is a server certificate that has passed its expiry date, which the server admin fixes easily by renewing it.

In order to validate the certificate, though, the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

Typically root certificates have a long lifetime, such as 25 years, but nevertheless they do expire; and if one is embedded in a smart TV, fridge or security system, the consequence is that it will stop connecting while giving users little clue about what has gone wrong.

"This problem was perfectly demonstrated recently, on 30 May at 10:48:38 GMT to be exact," says Helme. "That exact time was when the AddTrust External CA [Certificate Authority] Root expired and brought with it the first signs of trouble that I've been expecting for some time."

The outcome was that some Roku streaming devices stopped working and had to be manually updated, an issue the company described as "a global technical certificate expiration." There were also issues at payment providers Stripe and Spreedly.

"We're coming to a point in time now where there are lots of CA Root Certificates expiring in the next few years simply because it's been 20+ years since the encrypted web really started up and that's the lifetime of a Root CA certificate. This will catch some organisations off guard in a big way," says Helme.

Helme has worked with the BBC on this issue. When the BBC got a new certificate issued for a server recently, it used a CA root certificate dating from 2012. The problem, however, is that "the eight-year-old Root CA still hasn't managed to make its way onto a significant portion of 'Smart' TVs," he says.

It was fixed by adding intermediate certificates that chain to an older root certificate, giving those boxes a reprieve until 2028, but the clock is ticking. "The real solution is that the client needs to be updated," says Helme. "Smart TV manufacturers might release updates for a couple of years, but we're talking a decade or more if you want to resolve this particular problem." The BBC "is now requiring manufacturers that want the iPlayer certification, going forwards, to resolve this."
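The BBC workaround described above, as an added illustration that is not code from the article, the BBC or Helme: Go's standard crypto/x509 library builds a toy PKI in which a device's frozen trust store holds only an old root, the server's new certificate chains to a root the device never received, and a cross-signed copy of the new root (the same public key, certified by the old root as an intermediate) lets the old device verify the chain again. The names "Old Root", "New Root" and "iplayer.example" are placeholders, and the validity periods are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// genKey makes a P-256 key; generation only fails if rand.Reader does, so the error is dropped.
func genKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// issue certifies subjKey under the name cn, signed by parent (self-signed when parent is nil).
func issue(subjKey *ecdsa.PrivateKey, cn string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, subjKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjKey.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
// Demo: verification result on an un-updated device for the bare new chain, then with the cross-signed copy of the new root sent too (nil = verified).
func Demo() (bare, crossSigned error) {
	oldKey, newKey, leafKey := genKey(), genKey(), genKey()
	year := 365 * 24 * time.Hour
	oldRoot := issue(oldKey, "Old Root", true, time.Now().Add(5*year), nil, nil)  // shipped in the device
	newRoot := issue(newKey, "New Root", true, time.Now().Add(20*year), nil, nil) // device never received it
	leaf := issue(leafKey, "iplayer.example", false, time.Now().Add(90*24*time.Hour), newRoot, newKey)
	// Cross-sign: the new root's public key, certified by the old root as an intermediate.
	cross := issue(newKey, "New Root", true, time.Now().Add(5*year), oldRoot, oldKey)
	device, sent := x509.NewCertPool(), x509.NewCertPool() // frozen root store; what the server sends
	device.AddCert(oldRoot)
	opts := x509.VerifyOptions{Roots: device, Intermediates: sent}
	_, bare = leaf.Verify(opts) // chain ends at New Root, which the device does not trust
	sent.AddCert(cross)         // the server adds the cross-signed intermediate to its chain
	_, crossSigned = leaf.Verify(opts)
	return
}
```

The reprieve lasts only as long as the old root and the cross-signed intermediate remain valid, which is why the article calls updating the client the real fix.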

Android smartphones may also have this issue since older devices tend not to receive updates as vendors prefer to work on newer and shinier models. "There is a significant portion of devices that are either lagging seriously behind on updates or simply aren't being updated," says Helme.

Apple does a better job of keeping its iOS devices updated. Even so, Helme's advice applies generally: "If you run a service with legacy clients you need to consider how your choice of CA can affect them."

Why bring the issue up now? "Up until now it's been a theoretical issue because we didn't have a demonstrable example," Helme tells The Reg. Now the BBC's workarounds, Roku's issues and more show that this is not the case. The issue is not limited to streaming media clients either. "If [a device] depends on certificates from a public CA for secure communications, this is a consideration," he says.

How many people will be affected?

"This is hard to quantify, especially as it will affect machines in the coming two to three years. Are manufacturers going to release an update? Then how is the consumer going to know that they need to install it? Is the TV going to prompt them? I thought I should start highlighting this now in that we do have a little bit of time. This is going to be a problem; we are not on top of this."

When will the next widely used root certificate expire? "Possibly March next year," he says. "Within the next 12 months we're going to have a lot of things breaking, or hopefully a response from the industry to start fixing stuff."

One potentially significant date is 30 September 2021, when the DST Root CA X3 certificate used by many Let's Encrypt certificates expires. Again, it is no use simply updating the certificate on the server; the client must have an updated root certificate for this to be effective.

The problem is hard for most people to understand, Helme says. "Even speaking to technology people, this is still an abstract problem to many of them. I don't think we should expect the average consumer to even think about this."

Some IoT devices such as security systems or lighting systems do make secure internet connections to enable remote control and reporting, but have no visual user interface, which could leave users perplexed as to why they no longer work. "From the consumer's perspective, the thing doesn't work. That's about as advanced a notification as they are going to get," Helme remarks.

Is it not the case that well-designed IoT devices update automatically? "There are definitely good examples out there, but I feel the good examples are the few and the bad examples are the many," Helme tells The Reg. "I think this issue is slowly manifesting itself, and the recent incident on 30 May was the first hard example of it happening."

It is all part of a broader issue, which is that "we generally aren't fantastic at keeping things up to date," in Helme's words. "If a device got updated even once every five years, this problem would not exist. I would be perfectly happy with a five-year update cycle for my refrigerator." ®
