Your smart TV, set-top box or smart refrigerator might lose most of its internet connections in the next year or two, a digital-security expert warns. Even old Android phones might stop working. By the middle of the decade, we may be looking at a Y2K-scale mass failure of smart-home and Internet of Things devices.
“Within the next 12 months we’re going to have lot of things breaking,” security researcher and consultant Scott Helme told The Register in an interview yesterday (June 10)
This is because the Certificate Authority root security certificates built into many smart-home and Internet of Things devices are beginning to expire, Helme wrote on his blog.
Such certificates make it possible for digital devices to establish secure online connections with servers, and almost all internet connections have to be secure these days.
The root certificates can be renewed with firmware updates, but such updates can be hard to find and hard to install by device owners, especially if a smart-home or IoT device has no associated mobile app or administrative interface.
“We’re coming to a point in time now where there are lots of CA Root Certificates expiring in the next few years simply because it’s been 20+ years since the encrypted Web really started up and that’s the lifetime of a Root CA certificate,” Helme wrote on his blog Monday (June 8).
No Netflix for you
Helme pointed out that two weeks ago, at 10:48 Universal Time (6:48 a.m. in New York) on May 30, many Roku devices suddenly could not connect to online services and streams because their root certificates had expired.
Online-syncing service SugarSync, password manager RoboForm and payment-processors Stripe and Speedly were among more than a dozen other services that seemed to have similar issues, according to online reports.
Roku had already made a certificate-updating patch available, but many devices had not installed it. So on May 30, Roku put up a web page instructing owners on how to manually install the necessary system update.
At least Roku had such an update ready for its users whose devices were affected. Owners of smart-home devices that don’t constantly connect to the internet, or whose manufacturers are not aware of the problem, may not be so lucky.
“Are manufacturers going to release an update?” Helme wondered aloud to The Register in an interview. “Then how is the consumer going to know that they need to install it? Is the TV going to prompt them?”
Beware September 2021
The next big date to watch is Sept. 30, 2021, Helme said, when the root certificates used by many widely used Let’s Encrypt certificates are set to expire. If the makers of the affected devices don’t push out updates, and the owners of those devices don’t install the updates, then the devices will be reduced to old-fashioned “dumb” appliances.
Root certificates are the most basic level of the worldwide “web of trust” system of digital certificates that make secure internet communications, include all online shopping, possible. We’re not going to get into the details, but when a root certificate expires, the devices using those certificates will no longer be trusted by other devices on the internet.
So, bingo: A device whose root certificate has expired won’t be able to connect to Netflix to stream a movie, or to Amazon to make an online purchase, or to Gmail to view the user’s messages.
The most vulnerable devices
Helme said users of Windows computers won’t need to worry, as Microsoft has built in constant updating of certificates. Web browsers on most platforms get certificate updates regularly. And because iPhones get system updates so frequently, “I wouldn’t be too concerned about this problem if I was an iOS user (I am).”
“But it looks like Android users might have some concerns in the not too distant future,” Helme added.
That’s because as of April 2020, nearly 40% of all Android devices visible to Google were using now-unsupported Android versions such as Nougat or earlier. (These statistics don’t include Amazon Fire tablets, Xiaomi Mi phones or other devices that run non-Google versions of Android.) Many of those older devices may soon lose the ability to connect to most app servers and websites.
“Now, mobile apps and browsers aren’t generally too much of a problem,” Helme wrote on his blog, “but Smart TVs, well, they’re a whole different game.”
Helme said smart TVs rarely get updates once they’re out of the box, and usually only to remove old features. Many models use root certificates that are so old, he said, that even new models had trouble connecting to the BBC’s iPlayer service, which needs to verify that the receiving TV is indeed in the U.K.
Missing the update window and getting locked out
Because some smart-home devices — for example, a smart light bulb or wall-outlet plug — can go for months without connecting to the internet, Helme fears that many devices will miss the window between when an update that installs a new root certificate is made available and when the old certificates expire.
After the windows passes, those devices that are still using the old root certificates won’t even be able to connect to their own manufacturer’s servers to install the firmware updates that would fix the problem.
“I thought I should start highlighting this now in that we do have a little bit of time,” Helme told The Register. “This is going to be a problem; we are not on top of this.”