https://arstechnica.com/information-technology/2018/11/sennheiser-discloses-monumental-blunder-that-cripples-https-on-pcs-and-macs/
By Dan Goodin
Ars Technica
11/28/2018
Audio device maker Sennheiser has issued a fix for a monumental software
blunder that makes it easy for hackers to carry out man-in-the-middle
attacks that cryptographically impersonate any big-name website on the
Internet. Anyone who has ever used the company’s HeadSetup for Windows or
macOS should take action immediately, even if users later uninstalled the
app.
To allow Sennheiser headphones and speaker phones to work seamlessly with
computers, HeadSetup establishes an encrypted Websocket with a browser. It
does this by installing a self-signed TLS certificate in the central place
an operating system reserves for storing browser-trusted certificate
authority roots. In Windows, this location is called the Trusted Root CA
certificate store. On Macs, it’s known as the macOS Trust Store.
A few minutes to find, years to exploit
The critical HeadSetup vulnerability stems from a self-signed root
certificate installed by version 7.3 of the app that kept the private
cryptographic key in a format that could be easily extracted. Because the
key was identical for all installations of the software, hackers could use
the root certificate to generate forged TLS certificates that impersonated
any HTTPS website on the Internet. Although the self-signed certificates
were blatant forgeries, they will be accepted as authentic on computers
that store the poorly secured certificate root. Even worse, a forgery
defense known as certificate pinning would do nothing to detect the hack.
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
