Two applications developed by German electronics company Sennheiser contain vulnerabilities that could make it possible for hackers to forge digital certificates and impersonate legitimate websites.
Sennheiser’s two apps, HeadSetup and HeadSetup Pro, installed root certificates on users’ computers and then failed to secure the corresponding private key, according to a vulnerability report published Wednesday by the German security consulting firm Secorvo. The mistake means that hackers could decrypt the key and use the certificate, a means of digital authentication, to monitor victims’ traffic and launch man-in-the-middle attacks.
“We found — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” the Secorvo report states. “This allows him or her to sign up and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser.”
Sennheiser said this month it is aware of the issue and has removed the two apps from its available downloads while it works on a fix. Microsoft also published a security advisory Wednesday, warning customers to update their HeadSetup and HeadSetup Pro software.
– All my HTTPS traffic was sniffed and I got pwned
– I got a new headset
Contrary to popular belief, the S in Sennheiser doesn't stand for SSL. https://t.co/gTYW7o2AZ1
— Michal Špaček (@spazef0rze) November 28, 2018
The flaws bear some similarity to vulnerabilities previously uncovered in Lenovo and Dell products.
Lenovo’s so-called Superfish software came pre-installed on consumer laptops, injecting advertisements into search results and hijacking encrypted SSL/TLS web connections on user machines. The revelation that the company put so many users at risk sparked outrage in the security community. “Installing Superfish is one of the most irresponsible mistakes an established tech company has ever made,” wrote David Auerbach, a Slate technology columnist, in 2015.
Dell in 2015 disclosed that an unintended security vulnerability existed in its computers. That flaw, known as eDellRoot, also made it possible for attackers to use the root certificate to create valid certificates for malicious websites.
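Sennheiser’s HeadSetup, Superfish and eDellRoot all belong to the same class of problem: vendor software planting a root certificate in the machine’s trust store. The following PowerShell script, an added example that is not from the article or from any of the vendors or researchers it cites, audits the Windows root stores for self-signed roots matching those vendors; the subject patterns are assumptions, since the article does not give the certificates’ exact subject names or thumbprints.

```powershell
# Added example (not from the article or from Sennheiser/Secorvo/Microsoft):
# audit the Windows root stores for self-signed roots planted by vendor software.
# The subject patterns are assumptions; confirm thumbprints against the vendor
# or Microsoft advisory before acting on a match.
$SuspectPatterns = @('*Sennheiser*', '*SennCom*', '*Superfish*', '*eDellRoot*')
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | Where-Object {
        # A root is self-signed: subject and issuer are the same entity.
        $_.Subject -eq $_.Issuer
    } | ForEach-Object {
        $Cert = $_
        $Matched = $SuspectPatterns | Where-Object { $Cert.Subject -like $_ }
        if ($Matched) {
            # A private key stored next to a root is a red flag on its own:
            # whoever can read it can issue certificates every client will trust.
            [PSCustomObject]@{
                Store         = $Store
                Subject       = $Cert.Subject
                Thumbprint    = $Cert.Thumbprint
                NotAfter      = $Cert.NotAfter
                HasPrivateKey = $Cert.HasPrivateKey
            }
        }
    }
}

if (-not $Findings) {
    Write-Output 'No suspect vendor-installed root certificates found.'
} else {
    $Findings | Format-Table -AutoSize
    # Dry run by default: drop -WhatIf only after the thumbprint has been
    # confirmed. Removing from LocalMachine\Root requires an elevated shell.
    foreach ($F in $Findings) {
        Remove-Item -Path (Join-Path $F.Store $F.Thumbprint) -WhatIf
    }
}
```

Removing the certificate alone does not fix the issue for HeadSetup users: the application can reinstall it, so the software update Microsoft’s advisory points to is still required.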