Smart TVs, refrigerators and light bulbs may stop working next year: Here's why

Your smart TV, set-top box, and smart refrigerator may lose most of their Internet connections in the next year or two, digital security experts warn. Your old Android phone may not work either. By the middle of this decade, there could be a Y2K-scale mass failure of smart home and Internet of Things devices.

"Within the next 12 months, a lot of things are going to break," security researcher and consultant Scott Helme told The Register yesterday (June 10).

This is because the root security certificates of the certification authorities built into many smart home and Internet of Things devices are beginning to expire, Helme wrote on his blog.

Such certificates allow digital devices to establish secure online connections with servers, and these days almost every Internet connection must be secure.

Root certificates can be updated with firmware updates, but such updates are hard to find and difficult for device owners to install, especially when there is no mobile app or management interface associated with smart home or IoT devices.

"More than 20 years have passed since the encrypted web really began, and we are at a point where there are many CA root certificates that will expire in the next few years simply because that is the lifetime of root CA certificates," Helme wrote on his blog on Monday (June 8).

Helme noted that two weeks ago, on May 30 at 10:48 AM (6:48 AM UTC, New York), many Roku devices were suddenly unable to connect to online services and streams because their root certificates had expired.

According to online reports, more than a dozen other services experienced similar problems, including online synchronization service SugarSync, password management service RoboForm, and payment processing services Stripe and Spreedly.

Roku had already released a certificate update patch, but many devices had not installed it. So on May 30, Roku published a web page instructing owners how to manually install the necessary system updates.

At least Roku had such updates available for users with affected devices. Owners of smart home devices that are not constantly connected to the Internet or whose manufacturers are not aware of the problem may not be so lucky.

"Are manufacturers going to release updates?" Helme said in an interview with The Register. "So how will consumers know they need to install it? Will the TV prompt them?"

The next big date to watch is September 30, 2021, when the root certificates used in many widely used Let's Encrypt certificates expire, Helme said. If the manufacturers of the affected devices do not push updates and the owners of those devices do not install the updates, the devices will become obsolete "dumb" appliances.

Root certificates are the most basic level of the worldwide "web of trust" system of digital certificates that enable secure Internet communications, including all online shopping. Without going into detail, when a root certificate expires, a device that relies on that certificate can no longer verify the servers it connects to, so its secure connections fail.

In other words, a device with an expired root certificate will no longer be able to connect to Netflix to stream movies, connect to Amazon to make online purchases, or connect to Gmail to view user messages.

According to Helme, Windows computer users need not worry because Microsoft has built in constant certificate updates. Web browsers on most platforms receive regular certificate updates. And because iPhones receive very frequent system updates, "if I were an iOS user [I] wouldn't worry about this issue as much."

"But it seems that Android users may have some concerns in the not-too-distant future," added Helme.

That's because, as of April 2020, nearly 40% of all Android devices Google could identify were using a pre-Nougat, currently unsupported version of Android. (This statistic does not include Amazon Fire tablets, Xiaomi Mi phones, or other devices running non-Google Android versions.) Many of these older devices may soon lose the ability to connect to most app servers and websites.

"Currently, mobile apps and browsers are generally not much of an issue," Helme wrote on his blog.

According to Helme, smart TVs rarely get updates after they leave the box, and the updates they do get usually just remove old features. Many models use root certificates so old that even newer models have trouble connecting to the BBC iPlayer service, which requires confirmation that the receiving TV is really in the UK, he says.

After the window has passed, devices still using the old root certificate will not even be able to connect to the manufacturer's servers to install firmware updates that fix the problem.
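A way to find those roots before the window closes, as an added example that is not from the article or from Helme's blog: it reads the `notAfter` field of every CA certificate in a trust store and flags the ones that are expired or that expire within a chosen horizon. The sample store, its root names and the two-year horizon are constructed for illustration; only the May 30, 2020 and September 30, 2021 dates come from the article.

```python
import ssl
from datetime import datetime, timedelta, timezone

def display_name(cert):
    """Flatten the nested 'subject' tuple and pick a readable name."""
    fields = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return fields.get("commonName") or fields.get("organizationName") or "<unnamed>"

def audit_roots(certs, now, horizon_days):
    """Classify each CA cert as EXPIRED, EXPIRING (within horizon) or OK.

    `certs` uses the dict format returned by ssl.SSLContext.get_ca_certs().
    Returns (status, name, expiry) tuples sorted by expiry, soonest first.
    """
    cutoff = now + timedelta(days=horizon_days)
    report = []
    for cert in certs:
        seconds = ssl.cert_time_to_seconds(cert["notAfter"])
        expiry = datetime.fromtimestamp(seconds, tz=timezone.utc)
        if expiry <= now:
            status = "EXPIRED"
        elif expiry <= cutoff:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((status, display_name(cert), expiry))
    return sorted(report, key=lambda row: row[2])

# Constructed sample store (hypothetical root names, not real CAs).
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Constructed Root C"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": ((("commonName", "Constructed Root A"),),),
     "notAfter": "May 30 10:48:00 2020 GMT"},
    {"subject": ((("organizationName", "Constructed Root B Org"),),),
     "notAfter": "Sep 30 00:00:00 2021 GMT"},
]

if __name__ == "__main__":
    # Audit this machine's own trust store; fall back to the sample if the
    # platform loads roots lazily and get_ca_certs() comes back empty.
    certs = ssl.create_default_context().get_ca_certs() or SAMPLE_STORE
    now = datetime.now(timezone.utc)
    for status, name, expiry in audit_roots(certs, now, horizon_days=730):
        if status != "OK":
            print(f"{status:9} {expiry:%Y-%m-%d}  {name}")
```

On a device image, point the same function at the firmware's bundled CA file by loading it with `ssl.SSLContext.load_verify_locations(cafile=...)` before calling `get_ca_certs()`.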

"We thought we should start highlighting this now, given that we still have a little time," Helme told The Register. "This is going to be a problem."
