[German]A few days after the nationwide outage of Verifone H5000 card terminals in Germany (since May 24, 2022, still ongoing) for cashless payment (there is rumor that an expired certificate could be the root cause) there is the next case. The podcast platform Megaphone, which was bought up by Spotify, went offline for 8 hours on May 31, 2022 due to an expired certificate. Was silly for people who want to monetize podcasts through this platform. However, the incident again shows the problem of expiring certificates, so I'll take up the specific case and the basic issue.
Advertising
The Spotify Megaphone incident
I have already been made aware of this issue on June 1, 2022 through my contacts at Kafka communications. This must have occurred on May 31, 2022. Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi noticed the case and notified various agencies. To this end, they state:
After the failure of Verifone's H5000 series card reader terminals, a second case occurred in a short period of time. Thus, according to a media report from Verge, podcasts hosted on Spotify's Megaphone platform were now unavailable for several hours due to an expired certificate.
All apps and services that were based on Spotify Megaphone were unavailable for eight hours. Since Megaphone is also offered as a service for publishers to monetize as well, the outage has painful consequences for some.
Background: In November 2020, Spotify acquired the Megaphone service/platform to offer podcast publishers innovative tools to earn more from their content. Then, during 2021, Spotify introduced new streaming ad insertion features, unlocked podcast ad buying in Spotify Ad Studio, and launched the Spotify Audience Network. Since the Audience Network launch, creators have seen a double-digit increase in fill rates and a double-digit increase in CPMs for opted-in megaphone publishers, Spotify writes in this December 2021 announcement (deleted now).
Problem: Expired certificates
Certificates are now widely used because they enable secure communication between machines, applications and services. No https connection can do without certificates to secure it. Recent data shows that growth in machine identities is increasing by 40 percent. Most enterprises will have more than half a million identities to manage by 2024.
The case above or the nationwide card payment terminal outage I mentioned above with suspected certificate issues (but negated by the terminal manufacturer) shows the consequences when a platform or services fails due to missing/invalid certificates. However, it should be noted that certificate expiration dates are often poorly managed.
In addition, managing machine identities is becoming more complex and difficult as more enterprises move to the cloud, where each container and application requires its own identity. If these critical certificates expire unexpectedly as a security precaution, consumers no longer have access to data, services and applications.
Advertising
Outages due to expired certificates can actually affect anyone. In the past, there have also been similar incidents at LinkedIn in 2019 and at O2 in 2018. The links at the end of the article point to other cases addressed here on the blog. Until companies invest in the automation needed to effectively automate the entire lifecycle of each machine identity, we can expect to see more outages of this nature.
This can and will affect end users, as the above photo of an expired certificate on a refrigerator shows. I had pointed out this issue in the blog post Expired certificates kicks IoT devices out of business. The question remains when the first cars, elevators, etc. will stop working because of this issue.
Similar articles:
Nation wide disruption with Verifon H5000 payment terminals in Germany
Quick Assist: Intune certificate expired and TLS problems in Windows
Windows 11: Expired certificates block build-in apps from Nov. 1, 2021
Expired certificates kicks IoT devices out of business
Microsoft says: Don't delete expired root certificates in Windows
