Yesterday, Sennheiser, an audio device maker, issued a fix for a major software blunder that let hackers easily carry out man-in-the-middle attacks by cryptographically impersonating any website on the internet.
What exactly happened?
HeadSetup established an encrypted websocket with a browser to allow Sennheiser headphones and speakerphones to work smoothly with computers. A self-signed TLS certificate was installed in the central place that the operating system reserves for storing browser-trusted certificate authority roots. This location is called the Trusted Root CA certificate store in Windows and the macOS Trust Store on Mac.
This self-signed root certificate, installed by version 7.3 of the HeadSetup Pro application, gave rise to the vulnerability because the private cryptographic key was kept in such a way that it could be easily extracted. Since the key was identical for all installations of the software, hackers could easily use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the internet.
Though the self-signed certificates were mere forgeries, they would still be accepted as authentic on computers that store the poorly secured certificate root. Even certificate pinning, a forgery defense, can’t do anything to detect such hacks.
According to Secorvo, a security firm, “the sensitive key was encrypted with the passphrase SennheiserCC. The key was then encrypted by a separate AES key and then base64 encoded. The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary.”
Secorvo researcher André Domnick holds control over a certificate authority which could be trusted by any computer that had installed the vulnerable Sennheiser app. Domnick said, “he tested his proof-of-concept only against Windows versions of HeadSetup but that he believes the design flaw is present in macOS versions as well.”
A solution which didn’t prove to be successful
A later version of the Sennheiser app was released to solve this issue. This one came with a root certificate installed, but it didn’t include the private key. It seemed like a good solution until the update failed to remove the older root certificate. This was a major failure which left anyone who had installed the older version susceptible to the TLS forgeries. Uninstalling the app wasn’t enough either, as it didn’t remove the root certificates that made users vulnerable to the attack. For computers that didn’t have the older root certificate installed, the newer version still caused trouble, as it installed a server certificate for the computer’s localhost, i.e. 127.0.0.1.
Users have given negative feedback, as it was a major blunder. One of the users commented on ArsTechnica’s post, “This rises to the level of gross negligence and incompetence. There really should be some serious fines for these sorts of transgressions.”
The company ended up violating the CA/Browser Forum Baseline Requirements for issuing certificates, which was itself a big problem. This latest threat opens up many questions, including the most crucial ones: is there still a safer way to get an HTTPS website to communicate directly with a local device? And are these companies taking enough steps to protect users from such frauds?
All users who have installed the app are advised to remove or block the installed root certificates. Microsoft has proactively removed the certificates so users need not take any further actions. However, users have to manually remove the certificates from Macs and PCs.
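One way to carry out the check advised above on Windows, as an added example that is not from Sennheiser, Secorvo or the original article: it lists certificates in the trusted-root stores that match a subject pattern or name the loopback address, and with -Block copies them into the Disallowed store. The subject pattern is a placeholder, because the article does not name the certificates; replace it with the subject given in the vendor advisory.

```powershell
# Added example: audit the Windows trusted-root stores for leftover
# vendor roots that survive an update or uninstall.
# ASSUMPTION: $SubjectPattern is a placeholder, not a real certificate name.
param(
    [string]$SubjectPattern = '*VENDOR-CERT-SUBJECT-PLACEHOLDER*',
    [switch]$Block   # also copy matches into the Disallowed (untrusted) store
)

$rootStores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'

$findings = foreach ($path in $rootStores) {
    foreach ($cert in Get-ChildItem -Path $path) {
        $reasons = @()
        if ($cert.Subject -like $SubjectPattern) {
            $reasons += 'subject matches vendor pattern'
        }
        # A trusted-root store should hold CA roots, not a server
        # certificate issued for the loopback address.
        $names = @($cert.Subject) + @($cert.DnsNameList.Unicode)
        if ($names -match '127\.0\.0\.1|localhost') {
            $reasons += 'names the loopback address'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
            if ($Block) {
                # Explicit distrust; needs an elevated session.
                $deny = [System.Security.Cryptography.X509Certificates.X509Store]::new(
                    'Disallowed', 'LocalMachine')
                $deny.Open('ReadWrite')
                $deny.Add($cert)
                $deny.Close()
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No matching certificates found in the trusted-root stores.'
}
```

Run it without -Block first and review the listed thumbprints before distrusting anything.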
Read more about this news on ArsTechnica.