SSL certificates that expire on older devices and applications are expected to cause problems on smart TVs, refrigerators and IoT.
On May 30, the Rocu Channel shut down, leaving affected customers trying to figure out where the problem lay and what to do. THE company advised its customers to manually update their devices, specifying:
"Due to the expiration of the certificate, the select streaming channels on the Roku platform based on this certificate chain may not work as expected. Manually install a software update from Roku. ”
All SSL certificates come with an expiration date.
For SSL / TLS encryption to work, the server presents an SSL certificate to the client. If the server certificate is about to expire, sysadmin can easily renew it. However, in order for the client to trust any certificate that is presented as valid, its web browsers as well as its applications and smart devices are equipped with a set of pre-installed root certificates issued by a reputable certification authority.
Now, these root certificates have significantly longer expiration dates than web site certificates. They can last up to 20 or 25 years, but sooner or later they will expire.
In one post on his blog, security researcher Scott Helme said: “This problem was recently identified on May 30, 2020. At that exact time, when AddTrust External CA Root expired, it brought with it the first signs of the problem. We are coming to a point now where there are many certifications that will expire in the coming years, simply because it has been 20+ years since encrypted web started and this is the lifespan of a certificate. This will affect some organizations. "
Helme expects the next "potentially important date" to be September 30, 2021. That's when the CA certificates issued by the DST Root CA X3 will expire. This means that if client applications and devices are not updated in a timely manner, they will not recognize Let's Encrypt certificates and will have connection problems.
Helme, had warned for this impending problem for 2 years. In addition, he considers that there is a possibility that the recent certificates are not compatible with the old models of smart TV, due to the very little root storage that exists in these devices.
Solution with warnings
While the obvious solution is to update your smartphones regularly, it may not be as obvious to the end user. During regular updates, smart devices also download new certificates to add to their root systems.
This assumes that the device manufacturer continues to provide these updates, and of course with revised root certificates!
Realistically, a smart gadget can go through periods of prolonged inactivity lasting several weeks or months. If the updated gadget rarely gets its certificate expired while offline, it may have trouble reconnecting to the internet when it is turned on.
For example, a smart lamp may be able to connect to the internet, but may require a secure connection to its server to start receiving updates. If this smart bulb has previously been "disconnected" from the internet for a few months and now the grace period for updating the SSL certificate has passed, it may no longer be able to reconnect to the internet unless it is updated manually and if this is the case. still possible.
In addition, appliances such as smart bulbs, clocks or refrigerators do not have an advanced user interface that can give users enough clues as to what is going on, especially at a technical level. At first glance, even the most technically experienced user may not be able to diagnose the real issue.
The irony of all this, as Helme pointed out, is that even the most "modern" devices and gadgets are not smart enough, because they fail to take into account the latest root certificates!
In order for smart devices and IoTs to continue to run smoothly and ensure smooth operation, all stakeholders and manufacturers in the industry will have to agree on a standard set of practices and adhere to them.