HEADPHONES ARE NOT something you’d usually think of as being a vehicle for a cybersecurity vulnerability, but Sennheiser’s HeadSetup software was found to be installing a root certificate into the Trusted Root CA Certificate store that could enable man-in-the-middle (MITM) attacks.
Right, some context: the Trusted Root CA Certificate store is a place where a list of entities issue certificates, used in things like communication with servers, that are accepted by client systems. Think of it as a kind of trust box that ensure communication say between a PC and a software company can be trusted.
Adding a root certificate into the store would make a connection between the company issuing the certificate and the machine hosting the store to be seen as legitimate and trusted.
In the case of the Sennheiser’s HeadSetup software, a transport layer security (TLS) certificate is issued to enable the use of a trusted HTTPS local web socket to connect with an external server to essentially allow the headset to be used with an in-browser softphone.
“Note that the HeadSetup installer must run with local administrator privileges. Once the installing user confirms3 the installation of the software there is no further system prompt warning about the addition of the certificate to the trusted root store and displaying the certificate’s fingerprint, like there would be if this root certificate were added manually,” said security firm Secorvo, which noted that when the software and certificate files are deleted, the trusted root certificate remains.
On its own that wouldn’t necessarily be a problem. But the certificate uses the same private decryption key for every installation of the HeadSetup software, which is also stored locally on a user’s machine.
This means a hacker could decrypt the key and then use it to issue fraudulent certificates which appear to be legitimately from Sennheiser, to targets and then establish communications with a domain the hacker doesn’t control or indeed need to.
With this in place, a hacker could effectively snoop on a persons’ traffic and read and alter the supposedly encrypted traffic to targeted domains. From there information could be pilfered, such as data pertaining to log in to web services.
This might seem like a bit of a faff to carry out a man-in-the-middle attack, but the vulnerability shows how all the connected tech now being offered to use isn’t as nearly as secure as its makers or indeed we’d like. And shows that security needs to be a priority when it comes to connected gadgets.
Sennheiser is working on an updated version of the HeadSetup software that should be rolling out imminently. µ
Source : Inquirer