The Most Important Cybersecurity Story That No One Is Talking About
This is not a good time of year for credit card readers to malfunction.
There’s no doubt what the most discussed cybersecurity story of the month is —with belligerent attackers, sophisticated counterhacks, corporate lawyers threatening journalists, speculation about the potential involvement of a rogue nation state,entertaining sniping about movie stars, and even real-world threats, the Sony data breach has all the excitement of one of the action-packed films pilfered from the studio’s networks.
At the far other end of the computer security sexiness spectrum—lacking every single one of those elements, and garnering maybe 0.1 percent of the media attention devoted to Sony—was another incident. Security researcher Brian Krebs reported last week that thousands of devices used to process credit card payments in the United States stopped working on Dec. 7.
There was no attacker behind the incident, which affected a specific brand of credit card terminals manufactured by Hypercom, which is now owned by Equinox Payments. The culprit: an expired digital certificate, created in 2004 and valid for 10 years. Digital certificates provide a crucial security function by assigning public keys to be used for cryptographic purposes, including digital signatures and encryption. The authority that issues those certificates determines how long the assigned key will be valid—in this case, 10 years—before the certificate needs to be replaced or updated.
Except that Equinox apparently didn’t realize it needed to update the certificate that is used in several of its devices to validate applications run when the systems are rebooted. When Dec. 7 rolled around, the payment card terminals simply stopped working. (Actually, it seems the terminals only detect the expired certificate when they are rebooted, so stores that haven’t restarted their payment terminals yet this month may still be in for a surprise).
“Given the age of these devices we are unsure of the precise numbers [of terminals affected],” Equinox vice president for payment solutions Stuart Taylor said, adding that though many of the terminals can be updated “in the field,” some need to be physically sent to a repair facility.
Taylor noted that though newer Equinox devices have certificates valid through 2022, Equinox is now doing an “audit of all of the certificates in all of the models that are out there, to ascertain the full matrix of certificates and expirations.” Meanwhile, the company is working to repair the affected terminals, and encouraging any affected retailers to report problems at their certificate expiry help page. But the machines go through “very extended distribution channels,” so it can be difficult to track them all down, Taylor said.
“To our knowledge, there has been no data breach or systemic problem associated with the service outage,” he added.
This is a textbook boring security story—an incident without a villain (and without any movie stars), with a moral focused on the importance of remembering and being able to update legacy systems. Except it’s also a story with really serious consequences for retailers across the country that were suddenly unable to process credit card transactions, going into one of the biggest shopping seasons of the year. (Several of them, Krebs reports, were initially worried that the malfunctioning machines had been caused by an intentional attack.)
It’s a story about our own security infrastructure—the certificates and public keys we rely on to protect our digital communications—turning on us and taking out a crucial piece of our commercial infrastructure that can apparently only be slowly and painstakingly restored through onerous updating procedures. Equinox vice president of payment solutions Stuart Taylor told Krebs that a “subset” of the affected terminals cannot be updated in the field.
It’s a story about the age and fragility of the payment processing technology we use, and the challenges of trying to roll out updates to those old technologies that we continue to depend on in lots of critical sectors from health care to commerce to the military, and even the challenges of remembering that we need to roll out updates to those decade-old technologies.
It's worth looking back at the Y2K problem realistically. Nowadays its story is usually told as an overblown, hysterical response to a problem that didn't exist. It really was a mammoth problem, though never as serious as it was presented by some breathless reporters. The real story is that a huge upcoming problem was noticed and corrected before it affected anything.
You see where I’m going with this—it may be without movie stars, but it’s not a boring story at all. It has the potential to be intensely disruptive, and even a little scary. It’s an incident that gets at the heart of several of the most profound and pressing computer security challenges we face—and too rarely discuss. Not that these kinds of security scares never make headlines—back in 1999, we actually spent a fair bit of time worrying about the possibility that a lot of computers might all suddenly stop working when we hit Jan. 1, 2000. But then, of course, they didn’t, and the Y2K scare became a sort of computer security punch line.
So it seems a little strange—and a little scary—to be talking, 14 years later, about an incident where thousands of computers spontaneously shut down at a predetermined time because they were old and no one had thought about preparing them for the future. In fact, it almost starts to sound like a plausible movie plot.
Josephine Wolff is a Ph.D. candidate at MIT and a fellow at Harvard’s Berkman Center for Internet and Society. Follow her on Twitter.