Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s HeadSetup for Windows or macOS should take action immediately, even if users later uninstalled the app.
To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted Websocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store.
A few minutes to find, years to exploit
The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.
According to an advisory published by security firm Secorvo, the sensitive key was encrypted with the passphrase “SennheiserCC” (minus the quotation marks). That passphrase-protected key was then encrypted by a separate AES key and then base64 encoded. The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary.
Configuration settings within the HeadSetup binary.
Credit: Secorvo
Configuration settings within the HeadSetup binary. Credit: Secorvo
“It took us a few minutes to extract the passphrase from the binary,” Secorvo researcher André Domnick told Ars. From then on, he effectively had control of a certificate authority that any computer that had installed the vulnerable Sennheiser app would trust until 2027, when the root certificate was set to expire. Dominick created a proof-of-concept attack that created a single certificate, shown below, that spoofed Google, Sennheiser, and three of Sennheiser’s competitors.
A forged certificate generated using the root installed by HeadSetup.
Credit: Secorvo
A forged certificate generated using the root installed by HeadSetup. Credit: Secorvo
“As mentioned above several times, every system that ever had HeadSetup 7.3 installed will validate this certificate as trusted until the year 2027,” the Secorvo advisory explained.