Updating CA root SSL certificates requires updating the firmware on streaming devices, smart devices, routers, cameras, and more.
A security expert predicts trouble ahead for IoT device makers and customers due to expired root SSL certificates. Terry Dunlap, is the chief security officer and co-founder of ReFirm Labs, a company that specializes in firmware security analysis.
Dunlap and cyber security specialists are tracking the impact of expiring Certificate Authority (CA) root SSL certificates on smart devices, including smart TVs, fridges, lightbulbs, and other IoT devices. This includes the IoT devices connected to corporate networks, including routers, video cameras, and VoIP phones. In May, several Roku channels went dark due to an expired certificate.
Dunlap has found that many devices ship with certificates that have already expired.
“Not only does it clutter up the firmware, but for sophisticated attackers, there are ways to use expired certs to do a man-in-the-middle attack,” he said.
A CA is a certificate authority, an organization that certifies the S in HTTPS, including Let’s Encrypt, Sectigo, DigiCert, and Comodo. The public key infrastructure is used to authenticate users and devices online. There are a minimum of three links in a certificate chain, including the root CA certificate that is embedded in browser or OS, and an intermediate CA certificate and an end-entity certificate, both provided by a server. The root CA is embedded into the client device, and updates must be done on the device itself via a software update.
The challenge with smart devices is that they are not updated as frequently as other devices like phones and laptops, and there is no automated system in place to deliver these updates. The other element in the equation is that these devices like plugs, lightbulbs, and cameras have low profit margins and short life spans. Many manufacturers don’t prioritize security until after there is a breach or a problem.
“They are not worried about security until after the fact, and there is a lack of attention to secure coding practices and a QA problem as well,” he said.
Dunlap’s advice to consumers is to learn how to update the firmware of their IoT devices and check for updates as he does with his home router.
“I have to constantly go to the company website, log in to the admin page of my browser, and pray that it doesn’t break the router in the process,” he said.
He doesn’t anticipate a total blackout of service from these IoT devices but that there will be a significant disruption that will overwhelm customer support centers.
For device manufacturers, sometimes the problem with expired certificates comes from firmware written by third-party suppliers.
“If you rely on any outside component for your device, such as a Wi-Fi chip, the supplier will give you the hardware component and a blog of code,” he said. “You don’t have access to the source code that goes into the firmware image that gets burned to your device.”
ReFirm’s Centrifuge Platform analyzes firmware before a device hits the market to reverse engineer the code and look for weaknesses and security risks, including expired security certificates.
“We can identify the code that has the highest risk of being exploited by an attacker,” he said.
Dunlap described how ReFirm worked with an automotive manufacturer to analyze firmware from a supplier. The wireless device under review was a diagnostic device used by service technicians that plugged into a car’s dashboard to read engine codes.
“We found that the tier 1 supplier had left its private signing key in the firmware,” he said. “We modified the firmware, and the car accepted it so that when a driver turned on the right turn signal, the left one came on.”
Dunlap said that his company is seeing more interest from security consultants and inquires about penetration testing.
“Either the consulting firms are being proactive and offering IoT assessments or their clients are bringing it up as a concern,” he said.
ReFirm Labs has a significant number of customers in the telecom sector, including companies that produce equipment for first responder networks.