
On May 30th, select Roku streaming channels stopped working, leaving affected customers with no indication of what had gone wrong.

The company advised those customers to update the devices manually:

"Due to a global technical certificate expiration, select streaming channels on the Roku platform that rely on this certificate chain may not be working as expected. Please install a manual software update from Roku now."

The same day payment platforms Stripe and Spreedly experienced disruptions and blamed it on expiring Certificate Authority (CA) root certificates.

We have always known that SSL certificates come with an expiration date, but we didn't plan for it arriving this year!

For SSL/TLS encryption to work, the server presents an SSL certificate to the client: an app such as a web browser, or a device. Should a server certificate be approaching its expiration, the sysadmin can easily renew it. For the client to "trust" a presented certificate as valid, however, that certificate must chain up to a root certificate the client already holds: web browsers, apps, and devices come equipped with a set of pre-installed root certificates issued by trusted CAs, their root store.

Those root certificates do have significantly longer lifetimes than server certificates, up to 20 or 25 years, but sooner or later they, like mortals, will expire.

In a post to his blog, Security Researcher Scott Helme said, "This problem was perfectly demonstrated recently, on 30 May at 10:48:38 GMT to be exact. That exact time was when the AddTrust External CA Root expired and brought with it the first signs of trouble that I've been expecting for some time."

"We're coming to a point in time now where there are lots of CA Root Certificates expiring in the next few years simply because it's been 20+ years since the encrypted web really started up and that's the lifetime of a Root CA certificate. This will catch some organisations off guard in a big way," he added.

Helme expects the next "potentially significant date" to be 30th September 2021. That's when CA certificates issued by DST Root CA X3 will expire.

DST Root CA X3 certificate expiration
Source: BleepingComputer

That means that unless client apps and devices are updated in time, they'll fail to recognize Let's Encrypt certificates, causing connection issues.

Helme, who had been warning "about this impending problem for probably 2 years," provided additional insight on his blog into why recent Let's Encrypt certificates may not be compatible with most smart TV models, due to the "very few root stores" present on those devices.

Solution with caveats

Regularly applying updates to your smart devices is the obvious solution, but it may not be so apparent to the end user. During regular updates, smart devices can download new root CA certificates and add them to their root stores.

That assumes the device manufacturer is still providing those updates, and that the updates actually include the revised root certificates!

Realistically, a smart gadget can go through periods of prolonged inactivity lasting weeks or months. If an infrequently updated gadget's root CA certificate has expired while it was offline, it may have trouble reconnecting to the internet when turned back on.

For example, a smart bulb may be able to connect to the internet, but it may need a secure connection to its server before it can start pulling updates. Had that bulb been "disconnected" from the internet for a few months, and the grace period for updating its root CA certificate has since elapsed, it may no longer be able to reconnect unless it is updated manually, if that is even possible.

Moreover, devices like smart bulbs, watches, or fridges lack a UI capable of telling users what is going on, especially at a technical level. At first glance, even the most technically savvy user may not succeed in diagnosing the actual issue.

Given the many CAs that issue root certificates, there seems to be a significant lag in how often, and how many of, these certificates get propagated to end devices.

For example, BBC recently renewed its SSL certificate but purposely opted for a root CA certificate issued in 2012 rather than, say, 2020. Naturally, a 2012 root certificate expires sooner, in 2032 (assuming a 20-year lifetime), than a 2020-issued one would, but an older root also has a better chance of being recognized by devices already in the field.
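The trade-off BBC made, and the root-store mechanism described earlier in the article (a client only trusts a chain that ends at a root it already holds, and an offline gadget's stored root can expire underneath it), can be replayed with Go's standard certificate verifier. The following is an added example written for this page; it is not code from BBC, Roku, Helme or anyone the article quotes. Everything in it is constructed: the CA names ("Example Root CA 2012" and "2020"), the host "example.test", the device model years, and the 20-year root lifetime the article assumes. It also simplifies a real chain by letting the root sign server certificates directly, with no intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// date returns 1 January of the given year (UTC); every date here is illustrative.
func date(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }

// issue signs a certificate for name with parent/parentKey (self-signed when parent is nil). Constructed test hierarchy only, not any real CA's.
func issue(name string, from, to time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: name}, NotBefore: from, NotAfter: to,
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server certificate: name is the host the client checks
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newRoot returns a self-signed root issued in rootYear with the 20-year lifetime the article
// assumes. For brevity it signs server certificates directly, without a real CA's intermediate.
func newRoot(rootYear int) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(fmt.Sprintf("Example Root CA %d", rootYear), date(rootYear), date(rootYear+20), true, nil, nil)
}

// serverCert issues a one-year certificate for host, as a site renews it every year.
func serverCert(root *x509.Certificate, key *ecdsa.PrivateKey, host string, year int) *x509.Certificate {
	c, _ := issue(host, date(year), date(year+1), false, root, key)
	return c
}

const ( // verdicts, in the article's terms
	Trusted     = "trusted"
	RootExpired = "root is in the device store but has expired"
	RootMissing = "root is absent from the device store"
)

// Check runs Go's standard path validation for leaf, at time now, against a device's pre-installed roots (its root store, which only a firmware update can change).
func Check(store []*x509.Certificate, leaf *x509.Certificate, now time.Time) string {
	roots := x509.NewCertPool()
	for _, r := range store {
		roots.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: leaf.DNSNames[0]})
	if err == nil {
		return Trusted
	}
	for _, r := range store {
		if r.Subject.String() == leaf.Issuer.String() { // root was shipped: current or expired?
			if now.After(r.NotAfter) {
				return RootExpired
			}
			return "rejected: " + err.Error()
		}
	}
	return RootMissing
}

// Scenario replays the article's situations: a site on an older (2012) root versus a newer (2020) one, seen by a TV shipped in 2015 and never updated, and by a 2021 TV.
func Scenario() map[string]string {
	root12, key12 := newRoot(2012)
	root20, key20 := newRoot(2020)
	oldTV := []*x509.Certificate{root12}
	newTV := []*x509.Certificate{root12, root20}
	return map[string]string{
		"2021: old TV, site on 2012 root":       Check(oldTV, serverCert(root12, key12, "example.test", 2021), date(2021)),
		"2021: old TV, site on 2020 root":       Check(oldTV, serverCert(root20, key20, "example.test", 2021), date(2021)),
		"2021: new TV, site on 2020 root":       Check(newTV, serverCert(root20, key20, "example.test", 2021), date(2021)),
		"2033: old TV, site still on 2012 root": Check(oldTV, serverCert(root12, key12, "example.test", 2033), date(2033)),
	}
}
```

Calling Scenario() (for instance from a main that prints each label and verdict) gives the four outcomes the article describes: the never-updated TV accepts the site on the 2012 root, rejects the same site on the 2020 root because that root was never shipped to it, the newer TV accepts both, and in 2033 the old TV rejects the 2012-root site even though the server's own certificate is fresh, because the root in its store has expired. Note that the verifier is passed an explicit CurrentTime; the same call with the real clock is how a device decides whether to connect at all, which is why an expired stored root leaves a gadget unable to fetch the very update that would replace it.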

BBC cert
Source: Scotthelme.co.uk/

Many devices and smart TVs manufactured in the years after 2012 would likely have come with that 2012-issued root CA installed, and are therefore more likely to be compatible with BBC. To our surprise, however, "the eight-year-old Root CA still hasn't managed to make its way onto a significant portion of 'Smart' TVs," stated Helme, and this hiccup has pushed BBC to explore other solutions to the issue.

The irony of all this, as Helme highlighted, is that even the most "modern" devices and gadgets aren't modern enough: they fail to account for the latest root certificates!

For smart devices and IoT products to keep functioning without interruption, and to ensure a smooth user experience, industry stakeholders, partners, and competitors need to agree on a standard set of practices and abide by them. In 2020, there is little reason why some devices still won't recognize root certificates issued back in 2012.
