Expired Certificates Expose Ongoing Machine Identity Troubles at Major Brands

Aruba Networks is latest brand with certificate issues

Aruba Networks is the latest to acknowledge an issue with expired certificates.

As of Monday June 6, when accessing the Feature Navigator website via Firefox you’re met with the message: “it’s likely the website’s certificate is expired, which prevents Firefox from connecting securely. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.” (Venafi has reached out to Aruba Networks for comment.)

Venafi CEO Jeff Hudson warns about perils of the complacency that results in certificate-related outages and worse. “Certificates are machine identities and are used in attacks.  When the world is lulled into complacency and is not vigilant, security is compromised,” said Hudson when commenting on the Aruba outage.

The Aruba site certificate expiry incident highlights the need for organizations to treat certificate expiration as security events, says Pratik Savla, Lead Security Engineer at Venafi.

Sponsorships Available

Sponsorships Available

Sponsorships Available

“Depending on the site or service that’s in question, these instances should be handled akin to managing an incident response workflow as such instances have the potential to even facilitate security breaches,” Pratik said.

“If not already, Aruba needs to incorporate any reporting of these instances into an event/incident tracking system on their end so that such instances are handled in a timely manner and also any SLA [service level agreement] deadlines can be tracked clearly for these. A crucial component of this setup is a deploying a certificate lifecycle management solution to track and manage the certificates for sites and services that Aruba or any organization manages,” Savla said.

End-of-life terminals pose potentially large problem

Starting in May, there was a “nationwide disruption” to Verifone H5000 card payment terminals, according to golem.de, a German-language IT news site.

Payments with debit or credit cards were not possible, forcing customers to pay in cash at many locations in Germany, according to the report. The H5000 terminal problem has impacted large retail chains and gas stations as well as smaller retailers, the report said.

A German-language pop-up on a Verifone H5000 support page confirms the payment processing problem but goes on to say that that the issue is not related to a certificate expiration. The statement on the support page closes by saying that Verifone has “developed an update…to fix the problem.”

“We know for sure it is not a security issue nor a certificate expiration,” a Verifone spokesperson told Venafi. “Rather, it is a software malfunction in the H5000 software.”

“The Verifone H5000 series is not being sold or shipped by Verifone as of late 2019; all the other Verifone terminals available on the market are not affected,” Verifone added.

But some are disputing the claim that it is not an expired certificate. A long twitter thread from Jan Wildeboer, who describes himself as a Red Hat EMEA Evangelist, claims it’s a certificate problem on H5000 terminals that are EOLed or at end-of-life.

“It seems an update was available…But many H5000 did not get that update and now, as the certificate has expired, this update cannot be installed in the usual way,” Wildeboer said in a tweet.

“As this signing stuff isn’t your standard x.509 PKI (it’s really old stuff) Verifone is legally/philosophically correct when they say it isn’t a certificate issue,” Wildeboer said in a comment to Venafi.

And multiple comments in this Hackaday article point to a possible issue with certificate expiration on the H5000.

Whatever the case, it may be an indicator of a broader problem with certificates on point-of-sales (POS) terminals that are EOL.

“The concern is always that when it comes to end of life stuff, you’re losing security fixes,” says Venafi’s Savla.

“So, I mean the security nightmare is already there. The certificate expiring [if that’s the case] just adds more fuel to the fire,” Savla says.

Spotify: clear cut certificate expiration

Publishers and listeners for podcasts on Megaphone, owned by Spotify, faced service disruptions after the outage. Listeners, for example, lost access to their favorite podcasts.

Though the certificate outage was resolved, it was a massive disruption for Spotify.

An SSL certificate authenticates a website’s identity and enables an encrypted connection, a necessary security measure. An SSL secured website always has “HTTPS” in the URL, replacing the older, less secure HTTP. 

“When these critical security assets expire unexpectedly, they leave consumers without access to data, services and applications,” according to Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi.

Spotify confirmed the platform outage “due to an issue related to our SSL certificate.”

“During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers. Megaphone service has since been restored,” a Spotify spokesperson told the media.

Venafi solution

Expired certificates not only cause outages but can also act as the gateway for criminals to infiltrate corporate networks, notes Savla.

“Not only can expired certificates cause unplanned system or service outages as has been seen several times over in different incidents, but what is not equally well-known is that they can also open the door through which malicious actors can find entry into one’s environment,” Savla said.

Proper and timely renewal of expired certificates is key to mitigating man-in-the-middle attacks, according to Savla. “The first step is to make sure that you develop and continuously update a detailed certificate inventory. Next, expiry notifications should be setup to ensure it reaches the right owners ahead of time. This includes a set period starting at least a month before the expiry date for non-critical systems and starting with at least two months before the expiry date for systems deemed critical.”

Venafi solutions include the Venafi Trust Protection Platform (TPP) and Venafi as a Service (VaaS).

Related Posts

• Venafi Trust Protection Platform
• Venafi as a Service (VaaS)
• Certificate Management for Code Signing

Expired Certificates at Spotify and Aruba Networks and problems at Verifone underscore the fact that major brands are grappling with a surge in machine identity issues.

“>