Slashdot Mirror


Millions of Smartphones in 11 Countries Were Taken Offline Yesterday by an Expired Certificate (theverge.com)

Ericsson has confirmed that a fault with its software was the source of yesterday's massive network outage, which took millions of smartphones offline across the UK and Japan and created issues in almost a dozen countries. From a report: In a statement, Ericsson said that the root cause was an expired certificate, and that "the faulty software that has caused these issues is being decommissioned." The statement notes that network services were restored to most customers on Thursday, while UK operator O2 said that its 4G network was back up as of early Friday morning.

Although much of the focus was paid to outages on O2 in the UK and Softbank in Japan, Ericsson later confirmed to Softbank that issues had simultaneously affected telecom carriers who'd installed Ericsson-made devices across a total of 11 countries. Softbank said that the outage affected its own network for just over four hours.

34 comments

  1. Certificates are such a pain in the dick. by Anonymous Coward · · Score: 0

    You fucking nerds need to figure out how to keep security settings from automatically disabling themselves all the damn time.

    1. Re: Certificates are such a pain in the dick. by Anonymous Coward · · Score: 0

      Makes me wonder why the LetsEncrypt crowd is always saying short expiration is better. Specious argument

    2. Re:Certificates are such a pain in the dick. by Anonymous Coward · · Score: 0

      1) incident
      2) what is Company doing about Incident, it needs to be sure about Event before allowing the functionality
      3) okay Company will now disable Event unless it meets absolute fucking certainty

      You (or the media) are responsible for demanding certainty.

      The security setting is enabled. It wasn't automatically disabling itself. When you click "Disregard cert conflict, go anyway", you're the one disabling it.

    3. Re:Certificates are such a pain in the dick. by sabri · · Score: 1

      You fucking nerds need to figure out

      Having worked at Ericsson for 5 years, I can tell you this: the nerds are not the problem. The problem is that in Ericsson, every engineer is managed by multiple managers. Instead of the normal pyramid where you have let's say 10 engineers and 1 manager, Ericsson has an upside down pyramid. Each engineer has multiple managers that each want their own projects to take priority. Not to mention that the engineer:manager ratio is waaaay off.

      Not to mention the fact that promotions take place based on speaking the right language. And by that I mean: speaking Swedish.

      I quit Ericsson in 2013 and never looked back. And never will.

      --
      I'm not a complete idiot... Some parts are missing.
  2. Working as designed. by grep+-v+'.*'+* · · Score: 1

    Why is this a story again, because someone (thing) forgot to renew a cert that then affected a few (for large values) countries? It should be news if it HADN'T dropped them out.

    OTOH these are the people tasked with keeping your phones and conversations "safe." What OTHER minor things have they overlooked? (Everyone, not just them. They're just at the head of the line right now.)

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:Working as designed. by Littleman_TAMU · · Score: 1

      I agree with the sentiment, but since this caused a cell network outage it's a bigger story. Also, the fact that a large company like this didn't have procedures in place for tracking renewal of certificates makes it a bigger deal. Like you mention, if they don't have these procedures in place, it calls into question how they're handling keys and other security-related items.

  3. Stuff like this has me thinking twice ... by Qbertino · · Score: 1

    ... about using a major player smartphone. Eyeing and considering Sailfish and old Blackberry on a regular basis.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re: Stuff like this has me thinking twice ... by Anonymous Coward · · Score: 0

      I bet you will never top comment about tiny pieces of metal

  4. People, rotate your certificates! by netwiz · · Score: 1

    It can't be considered critical enough. At work we have three teams that get alarms of expiring certificates, just to make sure it doesn't fall through the cracks. The next phase will be complete automation of the renewal process against the internal CA, with a review before the final deployment of the renewed cert.

    1. Re:People, rotate your certificates! by Anonymous Coward · · Score: 0

      In case you're unaware - CA and Intermediate certificates expire too.
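
A worked version of what netwiz and the reply above describe, added here as an example and not something posted in the thread or used by Ericsson: a standard-library-only Python monitor that walks a PEM bundle, reads notAfter from every certificate in it (leaf, intermediate and root, because the chain fails when its first member expires, whichever tier that is) and flags anything inside a warning window. The bundle it checks is a constructed fixture of unsigned, certificate-shaped DER with hypothetical names (node.example, Example Intermediate CA, Example Root CA) and a fixed clock; nothing in it comes from the outage.

```python
"""Certificate-expiry monitor over a PEM bundle (leaf + intermediates + root).
Pure standard library: the minimal DER walker below reads only the validity
field of an X.509 certificate.  Constructed example, not production code."""
import base64
import datetime as dt
import re

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _der_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 century pivot
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def not_after(der):
    """Return the notAfter of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate members
    if fields[0][0] == 0xA0:                           # EXPLICIT [0] version (absent in v1)
        fields = fields[1:]
    validity = _children(fields[3][1])                 # serial, sigAlg, issuer, validity
    return _der_time(*validity[1])                     # validity = { notBefore, notAfter }

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_bundle(pem_text, now, warn_days=30):
    """Days left per certificate in the bundle, each flagged ok / warn / expired."""
    report = []
    for i, m in enumerate(_PEM.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        days = (not_after(der) - now).total_seconds() / 86400
        status = "expired" if days < 0 else "warn" if days < warn_days else "ok"
        report.append((i, round(days, 1), status))
    return report

def chain_days_left(report):
    """The chain is only as good as its soonest-expiring member (CA certs included)."""
    return min(days for _, days, _ in report)

# --- constructed fixture: syntactically valid, unsigned certificate-shaped DER ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(not_before, not_after_, cn):
    """Build an unsigned Certificate with the given validity (example data only)."""
    oid_sha256rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                             + _der(0x0C, cn.encode()))))
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, oid_sha256rsa) + name
               + _der(0x30, utc(not_before) + utc(not_after_)))
    der = _der(0x30, tbs + _der(0x30, oid_sha256rsa) + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = dt.datetime(2018, 12, 6, 12, 0, tzinfo=dt.timezone.utc)   # fixed clock for the demo
SAMPLE_BUNDLE = (
    fake_cert_pem(NOW - dt.timedelta(days=300), NOW + dt.timedelta(days=65), "node.example")
    + fake_cert_pem(NOW - dt.timedelta(days=3000), NOW + dt.timedelta(days=12), "Example Intermediate CA")
    + fake_cert_pem(NOW - dt.timedelta(days=5000), NOW + dt.timedelta(days=4000), "Example Root CA")
)

if __name__ == "__main__":
    report = check_bundle(SAMPLE_BUNDLE, NOW)
    for idx, days, status in report:
        print(f"cert #{idx}: {days:>8.1f} days left  [{status}]")
    print(f"chain expires in {chain_days_left(report)} days")
```

The point the fixture makes is the one in the reply: the leaf here has 65 days left and would pass a leaf-only check, but the intermediate has 12, so the chain as a whole is already inside the warning window. Feed a real bundle in place of SAMPLE_BUNDLE and wire the `warn`/`expired` statuses into whatever alerting the monitoring tool already has.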

  5. Only smartphones? by Anonymous Coward · · Score: 0

    Only smartphones? Really?

    One would have thought that network backbone equipment losing connectivity due to an expired certificate would break all mobile phones...

    1. Re:Only smartphones? by Goose+In+Orbit · · Score: 1

      It probably did...

      SMS messages were either not arriving at all, or erroneously being declared as such (I pity the poor soul who may have got a bunch of "Is o2 up yet?" messages from me because I was being told they hadn't been delivered)

      Voice calls ... not so sure, but the system would have been overloaded due to people resorting to speaking to each other on their handsets

    2. Re:Only smartphones? by jabuzz · · Score: 1

      It only broke data connections, and possibly SMS. So you could still make a call.

    3. Re:Only smartphones? by nogginthenog · · Score: 1

      Only in the morning. By afternoon my phone & my colleagues were unable to make calls.

    4. Re: Only smartphones? by Anonymous Coward · · Score: 0

      Nobody wants to talk to your dumb ass anyway.

    5. Re:Only smartphones? by Anonymous Coward · · Score: 0

      Oh no, they lost 4G for a few days, the world must come to a complete stop because every other communication medium no longer works.

    6. Re: Only smartphones? by Anonymous Coward · · Score: 0

      ^^ and *this* is why I come to Slashdot. For the intelligent discourse. ^^

    7. Re:Only smartphones? by Calydor · · Score: 1

      "Alright Alice, now for the next 200 MB file for payroll, enter the following ..."

      --
      -=This sig has nothing to do with my comment. Move along now=-
  6. You misunderstand. by Anonymous Coward · · Score: 5, Informative

    This wasn't Ericsson brand cell phones going offline because of this certificate. This was *ENTIRE CELL NETWORKS* going offline because the backend hardware's certificates were being rejected because they expired without replacement certificates in place.

    Having a different brand of cell phone doesn't help if your phone is rightly rejecting expired certificates from the cell network, or if the cell network is not authorizing new cellular connections because it can't connect to servers.

    This was likely a backend problem, either with authentication servers for the basestation/router licenses, or some centralized backend service that was actually web based.

    1. Re:You misunderstand. by phantomfive · · Score: 1

      Things like "Certificate renewal" and "DNS renewal" should have reminders (or errors, or whatever) in your monitoring tool, well in advance. That can be an extra double-check to make sure you get it done, in case you forget (or quit, and someone who replaces you has to do it).

      --
      "First they came for the slanderers and i said nothing."
    2. Re:You misunderstand. by bill_mcgonigle · · Score: 1

      Things like "Certificate renewal" and "DNS renewal" should have reminders (or errors, or whatever) in your monitoring tool,

      Some of my clients have every piece of infrastructure monitored that can possibly go wrong, and some that probably can't.

      Meanwhile, our local ILEC will happily tell you that they don't need to monitor anything because customers will call and let them know what's out.

      The difference? The ILEC is not subject to competitive pressures; they benefit from a monopoly grant from the State and are happy to bank the [minuscule] spending decrease to the detriment of their customers. The State also appears to be happy with that balance, and those customers vote to support that State. This is why dystopian novels get written.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:You misunderstand. by Anonymous Coward · · Score: 0

      Why the hell does the headline say 'smartphone' then, instead of something descriptive such as '4G phone network'?

  7. Thanks Ericsson by PPH · · Score: 1, Insightful

    Time to switch to Huawei.

    --
    Have gnu, will travel.
    1. Re:Thanks Ericsson by Anonymous Coward · · Score: 0

      Haha, you joke, but there are idiots who think "there's nothing wrong!" with Huawei, lol. Mostly screeching Chinese who don't need a phone anyway due to their inability to control the volume of their voices.

  8. Likely scenario...? by Anonymous Coward · · Score: 0

    This is a guess but I've seen this sort of thing happen too many times:
    They pushed out an update to the network infrastructure which was immediately pulled down and installed. The update had only been QA tested with self signed certs (if at all) because it was easier and just assumed to work with the live certs. Due to update missing correct/valid certs the core network infrastructure then disconnected all secure connections because they couldn't trust the networks they were on, meaning further pushed updates to fix the issue weren't possible (due to untrusting the update server) so physical access on each box was required to roll back. If they were particularly unlucky the update was pushed to partner infrastructure.
    Every IT nerd has ballsed up like this at some point usually on a minor scale, e.g. like shutting down a remote host instead of rebooting, however it's something special when it costs companies millions.

  9. Security theater again by Micah+NC · · Score: 1

    Along with half of all malicious websites having TLS / SSLs ...

    Goes to show our security systems are more hazardous than the bad guys.

  10. And we still want self driving cars? by capt_peachfuzz · · Score: 1

    As a thought experiment, what will it look like when this happens to a network of connected self driving cars?

    I say "when", not "if". I can't think of a way that this doesn't happen someday.

    For starters, emergency vehicles will not be able to get through the resulting traffic jams after a few million cars come to a stop.

    On the bright side, you'll probably still be able to read the ads on the entertainment system

    1. Re:And we still want self driving cars? by Anonymous Coward · · Score: 0

      Since they control themselves from their own computer rather than the cloud and have to survive lack of cell coverage and entering tunnels... probably nothing more than they'll refuse to start. They won't be driving down the road then suddenly fail and crash. Even if they stopped then I'd expect the controller to safely pull over first.

  11. what about ... by Anonymous Coward · · Score: 0

    the 'faulty' engineers that allowed this to happen. are they also being 'decommissioned'?

  12. When will these amateurs learn? by gweihir · · Score: 1

    We need to start doing IT with professionals. You know, with people that actually have a clue what they are doing. Sure, they will cost more individually, but overall the whole thing will get a lot cheaper as such major pathetic fuckups will become very rare.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. We need to talk about your TPS reports by Joe_Dragon · · Score: 1

    We need to talk about your TPS reports

  14. Total Inability To Support Users Phones by PPH · · Score: 1

    n/t

    --
    Have gnu, will travel.
  15. Why do certificates "expire"? Money grab by Anonymous Coward · · Score: 0

    The entirety of my thought is in the subject!

  16. It's your fucking job to stay on top of this by Anonymous Coward · · Score: 0

    so do your fucking job or go dig clams for a living...

    Sheesh!