Comment: Expiring Android versions leave individuals open to cyber threats
January 2021 by Victor Chebyshev, security expert at Kaspersky
The announcement that certificates for older Android versions will expire on 1st September 2021 means that some devices and websites are likely to see problems as early as January.
As past experience has clearly shown, expiring certificates and a lack of updates give cybercriminals the perfect window to exploit vulnerabilities.
Kaspersky has released the statement below about the risks posed by this announcement and the key ways individuals can protect themselves from malicious activity.
Victor Chebyshev, security expert at Kaspersky, comments:
“The decentralised Android operating system update scheme frequently presents challenges. In the case of expiring root certificates, the users of Android devices are left on their own to solve this problem, as it is a highly technical issue. We have to keep in mind that, to organise a secure connection with a website, a webmaster uses the HTTPS (SSL) protocol; each website has its own certificate, which is signed with another certificate – a root certificate. So, by having a root certificate on your device, you can check the legitimacy of the website certificate. These root certificates have an expiry date, and they are due to expire in September 2021. If there is no manufacturer update, websites with certificates that are signed by those root certificates will not open. It’s possible cybercriminals will use this situation to advance their aims, such as organising man-in-the-middle attacks to steal website credentials. As it’s not possible to update to new certificates, because manufacturers don’t provide operating system updates, there is only one option for us to stay safe and to use our favourite websites: using a third-party web browser, such as Firefox. Luckily this works pretty well.”