Skip to main content

Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks

By

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates.

A recent report from Secorvo reveals that Sennheiser's Headsetup drivers for its headphones covertly inserted two certificates into this root of trust. What's more, the certificate was ineptly secured, making it possible to guess the other half of the key-pair (certificates come in pairs; what one signs, the other can verify, and a well-formed certificate can never be used to infer its matching other half).

Worse still: the Headsetup installer didn't remove the certificates when you uninstalled the software, leaving your computer in a vulnerable state.

The upshot: anyone with access to the Headsetup installer could figure out the signing key, then use that key to sign certificates that would allow them to impersonate Google, Apple, Microsoft, your bank, the IRS (etc) to your computer, in an undetectable way, opening the door for malware, phishing, and other attacks.

When the researchers analyzed the private key, they determined that it was encrypted with AES-128-CBC encryption and needed to find the proper password to decrypt it. As the HeadSetup program needed to decrypt the key as well, it means it must have been stored somewhere, which in this case was in a file called WBCCListener.dll.

"In order to decrypt the file we needed to know the encryption algorithm and key that the manufacturer used for encryption," the researchers explained. "Our first guess was that the vendor employed the common AES encryption algorithm with 128-bit key in CBC mode. In the HeadSetup installation directory, we found only one piece of executable code that contained the file name SennComCCKey.pem, a DLL file named WBCCListener.dll. We searched for “AES” in the strings contained in this DLL. The result is shown in Figure 4: there is indeed the algorithm identifier aes-128.cbc. We found the key that the vendor used in close proximity to that algorithm identifier, stored in clear in the code."

Once they decrypted the private key into a standard OpenSSL PEM they once again needed a passphrase to utilize it. This passphrase was located in a configuration file called WBCCServer.properties as shown below.

In 2017, Lenovo was sanctioned by the FTC for a similar blunder, when its "Superfish" spyware shipped pre-installed on low-end laptops.

Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks [Lawrence Abrams/Bleeping Computer]

Certificate Management Vulnerability in Sennheiser HeadSetup [Hans-Joachim Knobloch and André Domnick/Secorvo Security Consulting GmbH]

(Image: LukeBam06, CC-BY-SA)

from Boing Boing https://ift.tt/2raGXXE
via IFTTT

Labels:

Comments

Post a Comment

Popular posts from this blog

Instagram accidentally reinstated Pornhub’s banned account

By
After years of on-and-off temporary suspensions, Instagram permanently banned Pornhub’s account in September. Then, for a short period of time this weekend, the account was reinstated. By Tuesday, it was permanently banned again. “This was done in error,” an Instagram spokesperson told TechCrunch. “As we’ve said previously, we permanently disabled this Instagram account for repeatedly violating our policies.” Instagram’s content guidelines prohibit  nudity and sexual solicitation . A Pornhub spokesperson told TechCrunch, though, that they believe the adult streaming platform’s account did not violate any guidelines. Instagram has not commented on the exact reasoning for the ban, or which policies the account violated. It’s worrying from a moderation perspective if a permanently banned Instagram account can accidentally get switched back on. Pornhub told TechCrunch that its account even received a notice from Instagram, stating that its ban had been a mistake (that message itse...
Post a Comment
Read more

Colorado police identified the serial killer who murdered 4 women 40 years ago after exhuming his body to analyze a DNA sample

By
A scientist examines computer images of DNA models. Getty Images Police in Colorado have cracked the cold cases of four women killed 40 years ago. Denver PD said genetic genealogy and DNA analysis helped them identify the serial killer. He had died by suicide in jail in 1981. DNA from his exhumed body matched evidence from the murders. Police in Colorado have cracked the code on four murder cases that went unsolved for 40 years, using DNA from the killer's exhumed body. The cases pertain to four women killed in the Denver metro area between 1978 and 1981. They were 33-year-old Madeleine Furey-Livaudais, 53-year-old Dolores Barajas, 27-year-old Gwendolyn Harris, and 17-year-old Antoinette Parks. The four women were stabbed to death. Denver Police Commander Matt Clark said in a press conference Friday that there was an "underlying sexual component" to the murders but didn't elaborate further. In 2009, a detective reviewed Parks' case and picked several p...
Post a Comment
Read more

Gemini vs. ChatGPT: Which one planned my wedding better?

By
I was all about the wedding bells after getting engaged in June, but after seeing some of these wedding venue quotes, it’s more like alarm bells. "Ding-dong" has been remixed to "cha-ching" – and I need help. I don’t even know how to begin wedding planning. What are the first steps? What do I need to prioritize first? Which tasks are pressing – and which can wait a year or two? I decided to enlist the help of an AI assistant. Taking it one step further, I thought it’d be interesting to see which chatbot – Gemini Advanced or ChatGPT Plus (i.e., ChatGPT 4o) – is the better wedding planner. Gemini vs ChatGPT: Create a to-do list I’m planning on have my wedding in the summer of 2026 – sometime between August and September. Besides that, I don’t have anything else nailed down, so I asked both Gemini and ChatGPT to give me a to-do list based on the following prompt: “My wedding is between August 2026 and September 2026. Give me a to-do list of things to do for the...
Post a Comment
Read more