Expired certificates kick IoT devices out of business

[German] A look at the 'bitter end' of smart devices such as smart TVs, refrigerators and other IoT devices (smart speakers, thermostats, etc.): it is not even about missing software updates. Expired security certificates can push those devices into 'offline' mode, so that no secure connection is possible anymore.


It already caught my eye on Twitter a few days ago – someone pointed out expired certificates on smart refrigerators.

When I searched today, more tweets turned up. In the following tweet someone asks what happens when certificates expire.

The message: an 'Internet of Trouble' (IoT) lies ahead for the buyers of so-called smart devices. The Register has published the article An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher. It is based on this post by Scott Helme. The security researcher points out that when root certificates expire and devices can consequently no longer connect to the Internet, a great deal of trouble lies ahead.


No secure connections without a valid certificate

Secure Internet connections depend on the server presenting a valid certificate to the client. The most common problem is an expired server certificate, which the server administrator can easily fix by renewing it. To validate the server certificate, however, the client must hold a trusted root certificate of the issuing authority, and that, according to security specialist Helme, is a problem for devices that never receive updates.

Typically, root certificates have a long lifetime, e.g. 25 years, but they still expire. If one of these root certificates is embedded in a smart TV, refrigerator or security system, the connection breaks down once it expires. And users get little indication of what went wrong.
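To make the failure mode concrete, here is an added example (my own code, not from Helme's post or The Register article) that builds a tiny constructed PKI in Go: a root CA that expires on 2020-05-30 like AddTrust did, a newer root from 2012, and a server certificate chained to each. It then plays the role of a client device with a fixed trust store and evaluates the chain at different points in time. It goes slightly beyond the text by also showing the second case the post mentions later, a server that switches to a newer root the device has never heard of. All certificates, names and dates are constructed; `example.com` is just the reserved test host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "example.com" // reserved test name, not a real target

// day is a small helper for readable UTC dates.
func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the signer's key; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeRoot builds a self-signed CA with the given validity window (constructed, not a real CA).
func makeRoot(cn string, from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	k := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, &k.PublicKey, k), k
}

// makeLeaf issues a server certificate for host directly from the given root.
func makeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, from, to time.Time) *x509.Certificate {
	k := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, root, &k.PublicKey, rootKey)
}

// Scenario: an old root that expires in May 2020, a newer 2012 root, and a
// server certificate chained to each. Everything is generated in-process.
type Scenario struct {
	OldRoot, NewRoot, LeafOld, LeafNew *x509.Certificate
}

func BuildScenario() Scenario {
	oldRoot, oldKey := makeRoot("Old Root CA (constructed)", day(2000, 5, 30), day(2020, 5, 30))
	newRoot, newKey := makeRoot("New Root CA (constructed)", day(2012, 1, 1), day(2038, 1, 1))
	return Scenario{
		OldRoot: oldRoot, NewRoot: newRoot,
		LeafOld: makeLeaf(oldRoot, oldKey, day(2019, 1, 1), day(2021, 1, 1)),
		LeafNew: makeLeaf(newRoot, newKey, day(2020, 6, 1), day(2021, 6, 1)),
	}
}

// Classify reports what a device whose trust store holds exactly `trusted` would
// conclude about the server certificate at wall-clock time `now`. Go's verifier
// reports an expired root only as "unknown authority" (about all a smart TV
// shows its owner), so the cause is worked out explicitly from the dates.
func Classify(leaf *x509.Certificate, now time.Time, trusted ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range trusted {
		pool.AddCert(r)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now}); err == nil {
		return "ok"
	}
	if now.After(leaf.NotAfter) {
		return "leaf-expired" // the server admin can fix this by renewing
	}
	for _, r := range trusted {
		if r.Subject.CommonName == leaf.Issuer.CommonName && now.After(r.NotAfter) {
			return "root-expired" // only a firmware/trust-store update helps
		}
	}
	return "unknown-authority" // server moved to a root the device never shipped
}

func main() {
	s := BuildScenario()
	fmt.Println("old chain, old store,     2019-06-01:", Classify(s.LeafOld, day(2019, 6, 1), s.OldRoot))
	fmt.Println("old chain, old store,     2020-06-01:", Classify(s.LeafOld, day(2020, 6, 1), s.OldRoot))
	fmt.Println("new chain, old store,     2020-06-01:", Classify(s.LeafNew, day(2020, 6, 1), s.OldRoot))
	fmt.Println("new chain, updated store, 2020-06-01:", Classify(s.LeafNew, day(2020, 6, 1), s.OldRoot, s.NewRoot))
}
```

The second and third lines of output are the two ways a never-updated device loses its connection: its only root has passed its NotAfter date, or the server has moved to a root the device never shipped. In both cases the server certificate itself is perfectly valid, which is why renewing it on the server side does not help and why the owner sees nothing more specific than a failed connection.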

Example: AddTrust certificate expires

"This problem was recently, on May 30th at 10:48:38 GMT, to be exact, perfectly demonstrated," Helme is quoted as saying. "At that exact time, the AddTrust External CA [Certificate Authority] root expired, bringing the first signs of problems I had been waiting for for some time."

As a result, some Roku streaming devices stopped working and had to be updated manually. The company referred to the problem as "global technical certificate expiration". There were also problems with the payment providers Stripe and Spreedly.

"We are now reaching a point where there are many CA root certificates that will expire over the next few years. It's simply more than 20 years since people really started using the encrypted web. And the two decades are the lifespan of a root CA certificate. This will have taken some organizations by surprise," says Helme.

Helme worked with the BBC on this issue. When the BBC recently issued a new certificate for a server, it used a 2012 CA root certificate, but the problem is that "the eight-year-old root CA has still not managed to get to a significant proportion of 'smart' TVs," says Helme. The article provides more examples – and owners of older Android devices or mobile devices will have similar surprises.
