As well known security researcher Scott Helme have warned that your smart home devices may fail in couple of years. The Root Certificates on these smart devices including Smart TV’s, Refrigerator will expire in coming years, He said.
Tens of Thousands of connected devices will stop functioning, which occurs when SSL (Secure Sockets Layers ) certificates guarding the safety of products expire. By the middle of this decade, we are looking at an issue that is similar to the Y2K level of mass failure of IoT (Internet of Things) and smart devices.
SSL protocols allow devices to stay secure when connected to the Internet, establishing an encrypted link between a web server and the device or system trying to connect to it.
By September 2021, many devices are expected to stop working
The warning has come to many Roku streaming users as a surprise as many of their devices have stopped working on May 30. The company asked the affected customers to update the devices manually to fix the issue.
In a post issued to the community, Roku mentioned that the failure happened because of “Due to a global technical certificate expiration”. There were also issues at SugarSync, online syncing service and password manager RoboForm also payment providers Stripe and Spreedly were affected.
Scott Helme have explained that in coming years a lot of CA certificates are going to expire in next few years as its been more than 20 years since the encrypted web really started up and that’s the lifetime of a Root CA certificate. The potentially significant date for the other certificates to expire could be nearly as September 2021, Also it is not sure what devices could be affected with this issue.
Typically root certificates have a long lifetime, such as 25 years, but nevertheless they do expire; and if one is embedded in a smart TV, fridge or security system, the consequence is that it will stop connecting while giving users little clue about what has gone wrong, He added.
The root certificates can be renewed with firmware updates, but such updates are hard to find and Installed by the device owners especially if the device doesnt have any Mobile App or an administrative interface which makes the fix difficult for the companies.
Helme has worked with the BBC on this issue. When the BBC got a new certificate issued for a server recently, it used a CA root certificate dating from 2012. The problem, however, is that “the eight-year-old Root CA still hasn’t managed to make its way onto a significant portion of ‘Smart’ TVs,” he said in an Interview with The Register.
The issue was fixed by adding certificates that chain to an older root certificate which is now have an expiry of 2028. Android devices and Smart TV’s are the most vulnerable products to this issue as the Smart TV manufacturers will only release updates for couple of years and older android devices will have this issue as the companies prefer to work on their latest and popular devices mostly, except the Google Pixel line up which receives monthly security updates. So is Apple which does a brilliant job in maintaining their iOS with latest security patches which makes the devices less vulnerable.
Also Windows computers owners won’t need to worry, as Microsoft has built in constant updating of certificates. Web browsers on most platforms get certificate updates regularly.
iOS, Microsoft and Google Pixel devices are less vulnerable to this issue
As per Helme, how many devices will be affected by this issue is hard to quantify at this point of time as most of the devices will get affected in the coming years. Especially whether the manufacturers are going to release update?, How the consumers are going to apply the patch ? How are they going to be notified whether they need to apply the update ? These questions are yet to find its answers.
The DST Root CA X3 certificate used by many Let’s Encrypt certificates expires on September 2021. Updating the server side certificate wont fix the issue alone as the client devices also required to be updated as well to get this issue fixed.
In recent years, many smart devices were released which started the boom for connected devices industry. To gain the initial market share and capitalize, they rushed to production without thorough security testing procedures including without providing latest system updates.
Its been years many security reasearchers are stressing on making security standards for IoT and smart devices, but the manufacturers didn’t show much interest in committing to the idea. This could mean that this might not finish in coming years.