Expiring root certificates threaten IoT in the enterprise
So many everyday items in the developed world are now connected to the Internet, often inexplicably. It adds another layer of potential technology failure that for personal appliances can be something of an amusing annoyance: blinds that won’t open, microwaves that don’t adjust for time changes, refrigerators that need firmware updates.
But in the enterprise, when Internet of Things devices fail, it’s no Twitter-thread joke. Factory assembly lines grind to a halt. Heart-rate monitors in hospitals switch offline. Elementary school smart boards go dark.
Smart device failures are an increasing risk in the enterprise world, and not just because of the oft-discussed security worries. It’s because some of these devices’ root certificates — necessary for them to connect to the Internet securely — are expiring.
“Devices need to know what to trust, so the root certificate is built into the device as an authentication tool,” explains Scott Helme, a security researcher who has written extensively about the root certificate expiration issue. “Once the device is in the wild it tries to call ‘home’ — an API or manufacturer’s server — and it checks against this root certificate to say, ‘Yes, I’m connecting to this correct secure thing.’ Essentially [a root certificate is] a trust anchor, a frame of reference for the device to know what it’s speaking to.”
In practice this authentication works like a chain. Certificate authorities (CAs) issue all kinds of digital certificates, and each certificate vouches for the one below it, sometimes across several intermediate levels. But the first and most fundamental link of this chain is always the root certificate. Without it, none of the levels above it can be trusted, so the connection can't be made. So if a root certificate expires, the device can't authenticate the connection and won't link to the Internet.
Here’s the problem: The concept of the encrypted Web developed around 2000 — and root certificates tend to be valid for about 20 to 25 years. In 2022, then, we’re smack in the middle of that expiration period.
The CAs have issued plenty of new root certificates in the last two-plus decades, of course, well ahead of expirations. That works well in the personal device world, where most people frequently upgrade to new phones and click to update their laptops, so they would have these newer certs. But in the enterprise, it can be far more challenging or even impossible to update a device — and in sectors like manufacturing, machines may indeed still be on the factory floor 20 to 25 years later.
Without an Internet connection, “these devices aren’t worth a thing,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, provider of machine identity management services. “They essentially become bricks [when their root certs expire]: They can’t trust the cloud anymore, can’t take commands, can’t send data, can’t take software updates. That’s a real risk, particularly if you’re a manufacturer or an operator of some kind.”
A Warning Shot
The risk isn’t theoretical. On September 30, a root certificate issued by the massive CA Let’s Encrypt expired — and several services across the Internet broke. The expiration wasn’t a surprise, as Let’s Encrypt had long been warning its customers to update to a new cert.
To read the complete article, visit Dark Reading.