Headphone manufacturer Sennheiser recently patched a critical security vulnerability in its HeadSetup and HeadSetup Pro software that allowed malicious actors to set up fake websites indistinguishable from the genuine ones, carry out man-in-the-middle attacks and install malware onto targeted devices.
Sennheiser's HeadSetup and HeadSetup Pro software lets headphone users connect their headsets to Windows and macOS devices. The vulnerability allowed anyone to issue TLS certificates, chained to a root certificate installed in the operating system's trust store, that could impersonate popular websites.
The self-signed root certificate was introduced by Sennheiser with the version 7.3 update of the HeadSetup app. The private key for that root certificate was stored in a file named SennComCCKey.pem in the HeadSetup folder and was readable by all users.
According to security researchers Hans-Joachim Knobloch and André Domnick of Secorvo Security, who discovered the vulnerability, the private key allowed an attacker to sign and issue technically trustworthy certificates and so act as a certificate authority authorised by Sennheiser.
"Adding a Trusted Root CA certificate is a severe vulnerability, if a potential attacker has access to the associated private key. Such an attacker can issue forged certificates at his or her own discretion that will be automatically validated as valid and hence trusted on the affected vulnerable system.
"Moreover, since the certificate is not removed from the trusted root certificate store during update or removal of the software, every system on which HeadSetup 7.3 was installed at any time in the past – and every user on such a system – remains vulnerable. This vulnerability persists until the CA certificate expires in 2027 or one of the mitigations recommended in section 7 becomes effective," they added.
They also warned that an attacker exploiting the vulnerability could use the root certificate trusted by the operating system store to issue a code-signing certificate in the name of any well-known software vendor, such as Microsoft or Apple, and then use it to sign an installer executable containing malware.
After being alerted to the vulnerability, Sennheiser issued version 8.1.6114 of the HeadSetup software, which, it said, removes the risk of Sennheiser certificates being subject to misuse. The company also advised users not only to uninstall the app but also to remove the certificates from their devices, to avoid being targeted by attackers in future.
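The two conditions the researchers describe, a root certificate in the trust store whose private key sits on disk and a key file readable by every local user, can be audited from a shell. The script below is an added example, not code from Sennheiser, Secorvo or the article; it assumes the trusted roots have been exported from the Windows or macOS store into a directory of PEM files and that openssl is installed.

```shell
#!/bin/sh
# Added audit example: given a private key file found on disk and a directory
# of trusted root certificates (PEM), report which root the key belongs to and
# whether the key file is world-readable. Assumes an openssl binary is present.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo derived from a private key.
key_spki_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint derived from a certificate, so the two can be compared.
cert_spki_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print every certificate in directory $2 whose public key matches the private
# key in $1. A match means anything signed with that key is trusted by the
# system. Returns 1 when no trusted root uses the key.
find_roots_for_leaked_key() {
    key_fp=$(key_spki_fingerprint "$1")
    found=1
    for cert in "$2"/*.pem; do
        [ -f "$cert" ] || continue
        if [ "$(cert_spki_fingerprint "$cert")" = "$key_fp" ]; then
            echo "$cert"
            found=0
        fi
    done
    return $found
}

# True when the 'other' read bit is set, i.e. any local user can read the key
# (the file-permission half of the finding). Parses ls -l for portability.
key_is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}
```

Run it as `find_roots_for_leaked_key /path/to/SennComCCKey.pem /path/to/exported-roots` after sourcing the file; any path it prints is a trusted root whose private key has been disclosed and should be removed from the store.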
Commenting on the discovery, which exposed thousands of users to man-in-the-middle attacks and malware injection, Kevin Bocek, chief cyber-security strategist at Venafi, told SC Magazine UK by email that headphone software installing root certificate authority (CA) certificates is a serious blunder and the result of a lack of understanding of the power of machine identities.
"A certificate installed by default as a root CA for headphone software can easily enable ANY machine, website, cloud to appear trusted. These techniques are used every day by malware and trojans to make malicious sites. And developers aren’t learning from previous mistakes made by the largest vendors like Dell and Lenovo.
"Machine identities like TLS keys and certificates are powerful weapons in the hands of cyber-criminals and must be protected, with their use treated as weapons. Global security and development teams must take this problem seriously," he added.
According to researchers Knobloch and Domnick, firms can prevent certificate management vulnerabilities of this kind at the design stage by ensuring that the security concept for a piece of software is documented and independently reviewed before implementation, that changes to system-wide security settings, such as fiddling with AD administrative credentials or adding trusted root CAs, are avoided, and that no software design is cleared for implementation until an expert in the field has approved it.