An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher
'This is going to be a problem; we are not on top of this'
Interview Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned.
Secure internet connections depend on the server presenting a valid certificate to the client, the most common problem being that the server certificate is out of date, easily fixed by the server admin.
In order to validate the certificate, though, the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.
Typically root certificates have a long lifetime, such as 25 years, but nevertheless they do expire; and if one is embedded in a smart TV, fridge or security system, the consequence is that it will stop connecting while giving users little clue about what has gone wrong.
"This problem was perfectly demonstrated recently, on 30 May at 10:48:38 GMT to be exact," says Helme. "That exact time was then the AddTrust External CA [Certificate Authority] Root expired and brought with it the first signs of trouble that I've been expecting for some time."
The outcome was that some Roku streaming devices stopped working and had to be manually updated, an issue the company described as "a global technical certificate expiration." There were also issues at payment providers Stripe and Spreedly.
"We're coming to a point in time now where there are lots of CA Root Certificates expiring in the next few years simply because it's been 20+ years since the encrypted web really started up and that's the lifetime of a Root CA certificate. This will catch some organisations off guard in a big way," says Helme.
Helme has worked with the BBC on this issue. When the BBC got a new certificate issued for a server recently, it used a CA root certificate dating from 2012. The problem, however, is that "the eight-year-old Root CA still hasn't managed to make its way onto a significant portion of 'Smart' TVs," he says.
It was fixed by adding additional intermediate certificates that chain to an older root certificate, giving those boxes a reprieve until 2028, but the clock is ticking. "The real solution, is that the client needs to be updated," says Helme. "Smart TV manufacturers might release updates for a couple of years, but we're talking a decade or more if you want to resolve this particular problem." The BBC "is now requiring manufacturers that want the iPlayer certification, going forwards, to resolve this."
Android smartphones may also have this issue since older devices tend not to receive updates as vendors prefer to work on newer and shinier models. "There is a significant portion of devices that are either lagging seriously behind on updates or simply aren't being updated," says Helme.
Apple does a better job of maintaining its iOS devices, however: "If you run a service with legacy clients you need to consider how your choice of CA can affect them."
Why bring the issue up now? "Up until now it's been a theoretical issue because we didn't have a demonstrable example," Helme tells The Reg. Now the BBC's workarounds, Roku's issues and more show that this is not the case. The issue is not limited to streaming media clients either. "If [a device] depends on certificates from a public CA for secure communications, this is a consideration," he says.
How many people will be affected?
"This is hard to quantify, especially as it will affect machines in the coming two to three years. Are manufacturers going to release an update? Then how is the consumer going to know that they need to install it? Is the TV going to prompt them? I thought I should start highlighting this now in that we do have a little bit of time. This is going to be a problem; we are not on top of this."
When will the next widely used root certificate expire? "Possibly March next year," he says. "Within the next 12 months we're going to have lot of things breaking, or hopefully a response from the industry to start fixing stuff."
One potentially significant date is 30 September 2021, when the DST Root CA X3 certificate used by many Let's Encrypt certificates expires. Again, it is no use simply updating the certificate on the server; the client must have an updated root certificate for this to be effective.
The problem is hard for most people to understand, Helme says. "Even speaking to technology people, this is still an abstract problem to many of them. I don't think we should expect the average consumer to even think about this."
Some IoT devices such as security systems or lighting systems do make secure internet connections to enable remote control and reporting, but have no visual user interface, which could leave users perplexed as to why they no longer work. "From the consumer's perspective, the thing doesn't work. That's about as advanced a notification as they are going to get," Helme remarks.
Is it not the case that well-designed IoT devices update automatically? "There are definitely good examples out there, but I feel the good examples are the few and the bad examples are the many," Helme tells The Reg. "I think this issue is slowly manifesting itself, and the recent incident on 30 May was the first hard example of it happening."
It is all part of a broader issue, which is that "we generally aren't fantastic at keeping things up to date," in Helme's words. "If a device got updated even once every five years, this problem would not exist. I would be perfectly happy with a five-year update cycle for my refrigerator." ®