In case you didn’t know, keeping the web secure is pretty hard. One of the fundamental building blocks of web security is the certificate. These digital certificates are elements of trust that are exchanged across the web to enable secure internet transmission; they’re the backbone of the HTTPS system.

According to one security researcher, we are about to enter an age where random devices will simply cease to be able to communicate with the internet at large because the Root CA Certificate on the device will expire. Without a valid certificate at both ends of a transaction there’s not going to be a secure connection.

Why will the certificates expire? The type of certificate that exists in your OS or hardware is a Root CA Certificate, and these certificates can have a life of up to 25 years. The problem is that not all hardware uses NEW certificates. It’s common for devices to ship with older certificates that are still in date.

As a certificate approaches its end date you can just update the OS or firmware and it will have a new valid certificate. Spot the issue? How many stranded devices are there in the world? How many devices are there that users don’t install updates on, or for which no updates exist?

For an in-depth description of certificates and the issue you can read the Blog Post here. What does this actually mean? It means that if the certificate embedded in a device, be that an older Android phone, an IoT device or basically any digital device, is not replaced with a new one, the device will be unable to connect to the secure internet.

According to the security researcher we are approaching a period where many of these original certificates will expire, and as such we should expect more and more connected devices to just drop off the secure web.

What can you do? Firstly it’s good practice to ensure that all of your devices have the latest OS or Firmware, so perhaps a weekend project of ensuring that everything that can be updated is. There’s no guarantee you’ll get a new certificate but if a company is maintaining a device you can be sure they know this problem exists.

Everything you own may have a certificate that lasts for another 10 years, or a device might break in 15 seconds. This is why buying cheaper unsupported IoT hardware isn’t advisable. You want devices that will be maintained.
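On a machine where you can run Python, you can see how long its root certificates have left. The script below is an added example, not something from the researcher's blog post: the function name, the two-year horizon and the sample certificates are assumptions made up for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLContext.get_ca_certs();
# the names and dates are invented, not real CAs.
SAMPLE_ROOTS = [
    {"subject": ((("commonName", "Example Root CA 3"),),),
     "notAfter": "Dec 31 23:59:59 2040 GMT"},
    {"subject": ((("commonName", "Example Root CA 2"),),),
     "notAfter": "Jun  1 00:00:00 2025 GMT"},
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA 1"),)),
     "notAfter": "Mar 15 00:00:00 2021 GMT"},
]

def common_name(cert):
    """Pull a readable name out of the nested subject tuple."""
    fields = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    return fields.get("commonName") or fields.get("organizationName") or "<unnamed>"

def audit_roots(certs, now, horizon_days=730):
    """Return (status, days_left, name) for roots that have expired or
    expire within horizon_days, soonest first."""
    rows = []
    now_ts = now.timestamp()
    for cert in certs:
        # notAfter uses the OpenSSL text format, e.g. "Jun  1 00:00:00 2025 GMT"
        expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])
        days_left = int((expires_ts - now_ts) // 86400)
        if days_left < 0:
            rows.append(("EXPIRED", days_left, common_name(cert)))
        elif days_left <= horizon_days:
            rows.append(("EXPIRING", days_left, common_name(cert)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    # Roots this Python/OpenSSL build trusts by default. The list can be
    # empty on systems that load roots lazily from a certificate directory.
    roots = ssl.create_default_context().get_ca_certs()
    print(f"{len(roots)} roots loaded")
    for status, days, name in audit_roots(roots, datetime.now(timezone.utc)):
        print(f"{status:9} {days:6} days  {name}")
```

This only reports on the trust store of the machine it runs on; an appliance or IoT device with no shell still depends on its vendor's firmware updates.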

In the end there’s nothing you can do to replace a certificate. If a device you have is going to expire, there is no official fix, and it NEEDS connectivity to work, just remember to recycle it responsibly when it dies.

    3 Comments
    John Roberts

    “Everything you own may have certificate”
    “You want devises that will be maintained.”
    “just remember to recycle it responsibility when it dies.”
     
    I call clickbait.

    JeniSkunk

    I will admit, on seeing the clickbait headlessline for this article, I was thinking this would be about the need for getting root access on IoT devices, and the possibility for update issues it could cause.

    chris

    Jeni please enough of that. clickbait really.