Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s HeadSetup for Windows or macOS should take action immediately, even if users later uninstalled the app.
To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted Websocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store.
A few minutes to find, years to exploit
The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.
According to an advisory published by security firm Secorvo, the sensitive key was encrypted with the passphrase “SennheiserCC” (minus the quotation marks). That passphrase-protected key was then encrypted by a separate AES key and then base64 encoded. The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary.
“It took us a few minutes to extract the passphrase from the binary,” Secorvo researcher André Domnick told Ars. From then on, he effectively had control of a certificate authority that any computer that had installed the vulnerable Sennheiser app would trust until 2027, when the root certificate was set to expire. Dominick created a proof-of-concept attack that created a single certificate, shown below, that spoofed Google, Sennheiser, and three of Sennheiser’s competitors.
“As mentioned above several times, every system that ever had HeadSetup 7.3 installed will validate this certificate as trusted until the year 2027,” the Secorvo advisory explained.
A later version of the Sennheiser app made a botched attempt to fix the snafu. It too installed a root certificate, but it didn’t include the private key. But in a major omission, the update failed to remove the older root certificate, a failure that caused anyone who had installed the older version to remain susceptible to the trivial TLS forgeries. Also significant, uninstalling the app didn’t remove the root certificates that made users vulnerable.
Even on computers that didn’t have the older root certificate installed, the newer version was still problematic. That’s because it installed a server certificate for the computer’s localhost, i.e. 127.0.0.1. Not only is it a violation of CA/Browser Forum: Baseline Requirements to issue certificates for non-routable IP addresses, it’s not at all clear that Sennheiser has complied with the same processes that certificate authorities are required to follow in securing their root keys.
If all of this sounds familiar, it may be because Lenovo in 2015 was caught selling computers that came preinstalled with root certificates that left HTTPS connections vulnerable to the same trivial forgery attacks. The certificates were installed so that adware known as Superfish could inject ads into encrypted webpages. In the weeks following the revelation, the CEO responsible for the Superfish debacle insisted that no threat existed, despite near unanimity among security professionals that the practice was nothing short of reckless.
As noted above, certificate pinning is a technique that’s designed to protect people from forged certificates even when they’re generated by browser-trusted authorities. It works by storing digital fingerprints of certificates for some of the bigger websites on the Internet and comparing them to certificates presented by visited websites. Unfortunately, as this document from Google makes clear, certificate pinning does nothing to flag forged certificates that are chained to a properly installed root certificate.
It’s troubling that three years later, engineers from Sennheiser were still making the same critical error as Lenovo and that Sennheiser fixed the mistake only after researchers from an outside firm pointed it out. Secorvo’s Dominick said he tested his proof-of-concept only against Windows versions of HeadSetup but that he believes the design flaw is present in macOS versions as well.
That means anyone who has ever used the app should ensure that the root certificates it installed are removed or blocked. Microsoft has proactively removed trust of the certificates without requiring any action on the part of end users. Manual removal instructions for Macs and PCs are here and here, respectively.
Post updated to report Microsoft has removed trust of the certificates from Windows.