IoT Devices Are Facing a Root Certificate Doom

The IoT ecosystem is heading toward a seemingly unsolvable problem as some root certificates are set to expire, leaving people with crippled smart devices, according to security researcher Scott Helme.

People might not realize that most smart devices have a root certificate, which allows them to communicate online safely. These certificates generally have long lifespans, up to 25 years, but not all of them. It’s conceivable that some smart devices will remain in operation for many years, but the certificates will expire at some point, leaving them at best with only basic functions.

“This problem was perfectly demonstrated recently, on 30 May at 10:48:38 GMT to be exact,” said Helme in an interview with The Register. “That exact time was then the AddTrust External CA [Certificate Authority] Root expired and brought with it the first signs of trouble that I’ve been expecting for some time.”

The incident he’s referring to has to do with Roku and a number of its streaming devices.

“Due to a global technical certificate expiration, select streaming channels on the Roku platform that rely on this certificate chain may not be working as expected,” read the announcement from Ruku.

Fortunately, in this case, users received the option to update their devices manually with a patch issued by Roku. Since Internet connectivity was unavailable, automatically upgrading the devices was out of the question.

This is just a taste of things to come, as the same types of certificates are implemented in billions of devices, many of which are still in operation. The researcher also warns that the next devices in line are smart TVs.

Some companies have figured out a way to prolong the CA Root certificates used in their TVs, but that’s only a band-aid until 2028. The obvious problem is that smart TV manufacturers only issue upgrades for a few years, after which the TVs are mostly abandoned, with companies pushing customers to buy new ones.

Helme also explained that an important date would be September 30, 2021, when the DST Root CA X3 certificate used by Let’s Encrypt expires. Numerous devices will be at risk simply because it will be virtually impossible to teach all the customers how to upgrade their devices manually.

Add Comment

Your email address will not be published. Required fields are marked *