If somebody sells you “end-to-end” encryption, you should probably be sure that is what you are getting.

Source: Bleeping Computer

The details: Headphone maker Sennheiser has been caught compromising the security of its customers.

The vendor's Headsetup applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used to intercept and decrypt users' encrypted HTTPS web browsing. In effect, buyers of certain Sennheiser headset products who installed the company's HeadSetup software to configure and use these peripherals would have inadvertantly ended up installing a root certificate signed by the company, which would allow a malicious party to imitate an arbitrary trusted website and intercept all traffic to and from it.

Why it matters: What is concerning to the researchers is that by having both the certificate and key present on the machine, an attacker can reuse the key – which is common to all installations – to create arbitrary HTTPS certificates for other websites and have them trusted by Headsetup users because the bogus certs are chained to the installed trusted root security certificate. This also means intercepted SSL/TLS connections can be decrypted, and malware can be digitally signed and trusted as legit software.

The hacker’s perspective:

Andrew Hutchison, Software Developer at Randori, says:

"Tech news is full of platitudes about security concerns in "our increasingly
connected world", and to a certain extent they're valid. If you could go twenty years back in time and sit in design meetings with the architects of the TLS standard, you'd probably laughed out of the room for suggesting that "headphone driver software" would become a security concern adjacent to their work.

Yet, while no one could have anticipated that headphones would even
require driver software in modern day, the nature of this problem isn't new.

It's perhaps understandable to allow administrator-level permissions to device driver software. Stringent internal practices could have detected the certificate addition and mitigated the exploitation potential of the vulnerability, but it's far from the mind of many security professionals to ask what kind of headsets their employees use.

This is as it should be!

Choice of peripherals is driven by function, cost, brand familiarity, and any number of factors, many of which are largely orthogonal to the mindset of a defensive security team. It's simply impossible to anticipate all the new and stupid ways that security can fail. This is but the latest in a series of root cert vulnerabilities, many of which were similarly difficult to detect. An attacker only needs one."