Sennheiser Discloses Monumental Blunder that Cripples HTTPS on PCs and Macs

posted by mrpg on Thursday November 29, @07:30PM
Submitted via IRC for SoyCow1984

Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s HeadSetup for Windows or macOS should take action immediately, even if users later uninstalled the app.

To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted Websocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store.

The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. [...] the sensitive key was encrypted with the passphrase “SennheiserCC” (minus the quotation marks). That passphrase-protected key was then encrypted by a separate AES key and then base64 encoded. The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary.

[...] A later version of the Sennheiser app made a botched attempt to fix the snafu. It too installed a root certificate, but it didn’t include the private key. But in a major omission, the update failed to remove the older root certificate, a failure that caused anyone who had installed the older version to remain susceptible to the trivial TLS forgeries. Also significant, uninstalling the app didn’t remove the root certificates that made users vulnerable.
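Because the article notes that neither the later update nor uninstalling the app removed the older root certificate, the practical check for a defender is to audit the OS root stores for any leftover self-signed root the app installed. The PowerShell below is an added example written for this page; it is not Sennheiser's code or part of the Ars Technica story. It assumes the offending certificates carry "Sennheiser" in their Subject field (an assumption; confirm the exact subject and thumbprint against the vendor's advisory before removing anything) and reports, rather than deletes, unless explicitly told to remove.

```powershell
# Added example (not from the article or the vendor): audit the Windows
# Trusted Root CA stores for leftover vendor-installed roots.
# ASSUMPTION: the HeadSetup roots contain "Sennheiser" in their Subject.
# Verify the real subject/thumbprint against the vendor advisory first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = '*Sennheiser*',
    [switch]$Remove
)

# Both the machine-wide and the per-user root stores can hold such entries.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                # Issuer equal to Subject means self-signed: a root that no
                # public CA vouches for and that should not be in this store.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                # A private key present on the machine means anyone who can
                # read it can issue certificates this OS will trust.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output "No root certificates matching '$SubjectPattern' found."
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        # -WhatIf / -Confirm are honoured via ShouldProcess; -DeleteKey also
        # removes any private key the certificate provider associates with it.
        if ($PSCmdlet.ShouldProcess($path, 'Remove root certificate')) {
            Remove-Item -Path $path -DeleteKey
        }
    }
}
```

Run it without switches to list matches; add `-Remove -WhatIf` to preview deletions, and `-Remove` from an elevated prompt to actually remove entries from the LocalMachine store. On macOS the equivalent audit is `security find-certificate -a -c Sennheiser -Z /Library/Keychains/System.keychain`, which prints each matching certificate with its SHA-1 hash; the same pattern-based assumption about the certificate name applies there.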

  • (Score: 1, Interesting) by Anonymous Coward on Thursday November 29, @07:48PM (#767883) (2 children)

    Why is there anything to install?

    • (Score: 0) by Anonymous Coward on Thursday November 29, @07:58PM (#767888)

      To allow Sennheiser headphones and speaker phones to work seamlessly with computers

      DUUUUH!!!!

      But for a serious answer:

      Sennheiser HeadSetup™ Pro is a client application running in the background on the headset users’ PC. The solution ensures that Sennheiser headsets and speakerphones work seamlessly with various leading softphones and give you access to latest firmware updates and personalized settings.

      Sennheiser HeadSetup™ Pro is designed to be simple to use, allowing Sennheiser headset and speakerphone users to enhance their experience and productivity simply and quickly.

      still pretty dumb

    • (Score: 0) by Anonymous Coward on Thursday November 29, @08:11PM (#767896)

      Apping the apps that app the app.

  • (Score: 1, Funny) by Anonymous Coward on Thursday November 29, @07:57PM (#767887)

    I bet Schneier ones have much better crypto.

  • (Score: 2) by ikanreed (3164) on Thursday November 29, @08:00PM (#767889)

    This way we made our innocuous physical object to spy on you for our profit also allows nefarious individuals to spy on you for their profit. Our bad.

