back to article Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers. The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users …

  1. Anonymous Coward
    Anonymous Coward

    Developers, developers, developers

    Lame, lame, lame! Enough said.

  2. Yet Another Anonymous coward Silver badge

    Not a problem

    None of them are online, they are all waiting for $500 unidirectional gold ethernet cables

  3. Someone Else Silver badge
    Pint

    Shaun...please...

    A man in the MIDI, sorry, middle attack could [...]

    Shaun? Stop that now, young man!

  4. Dan 55 Silver badge

    We're told Headsetup is a tool that connects voice chat websites to posh Sennheiser headsets.

    Why did Sennheiser think Bluetooth or a USB dongle were so lacking that they had to do this nonsense?

  5. Thoguht Silver badge

    Why? Because they aren't gold plated, of course. The Sennheiser software gold plates every data packet it handles for the ultimate digital audio experience.

  6. the spectacularly refined chap

    To be fair Sennheiser make some genuinely decent kit, it isn't bling and flash for the sake of it. Look at their product range and the kind of accessories you cite are conspicuous by their absence, they're not the same as e.g. Beats, charging a premium for stuff that is at best mid-range.

    Yes, a lot of the premium priced brands are simply marketing with nothing of substance to back it up, but genuine high-end audio gear commands a fair price too. You need to distinguish between the two.

  7. Pascal Monett Silver badge

    Re: Why did Sennheiser [..] do this nonsense?

    My question exactly. I've had radio headphones plugged into the TV for years, they didn't need no stinkin' app to work.

    My current headphones are a not-too-pricey Sony model that work fine and plug in like every other kind I've ever had. I fail to see what is the point in having an app at all. You have an app for the sound card (or chip these days), that is where the tweaking should take place.

    But headphones are for listening to the output, not for fiddling with it.

  8. SloppyJesse

    Maybe they had been drinking the same kool-aid as the IOT tat merchants - everything must connect back to the manufacturers site.

    Think of the data slurping opportunities...

  9. Martin an gof Silver badge

    Sennheiser does other stuff too

    The question is whether they have done this trick with other kit too - Sennheiaer not only makes consumer products, but also professional kit such as near-ubiquitous radio microphones and medical kit such as hearing aids used by large numbers of NHS and private clinjcs. These days everything is set up by computer so if they have used a similar technique on the software, there could be hundreds of vulnerable computers sitting in clinics (ane TV studios) around the country.

    How would we find out?

    M.

  10. Dan 55 Silver badge

    Re: Sennheiser does other stuff too

    Checking if there's a Sennheiser root certificate in the certificate store.

  11. Korev Silver badge
    Coat

    Re: Sennheiser does other stuff too

    Thanks for the Headsetup

  12. Anonymous Coward Silver badge
    Megaphone

    Re: Sennheiser does other stuff too

    But those other things don't need a HTTP proxy to work. The software in question was to link scripts on arbitrary websites to the local hardware and is only required because the browsers are reluctant to do cross-domain stuff like that.

    Radio mics don't tend to transmit over HTTP.

    Not saying that they haven't bundled the crap with other installers, or made similar SNAFUs, just saying that this particular cockup is unlikely to affect other devices.

  13. rmason Silver badge

    Re: Sennheiser does other stuff too

    I agree that this is unlikely to affect their other kit, but it does highlight the fact they don't "get" security and the focus was 100% on just making their kit work regardless.

    Which isn't brilliant.

  14. bombastic bob Silver badge
    Unhappy

    Re: Sennheiser does other stuff too

    their headphones are really good. But yeah, good at headphones. not so much at network security.

  15. djack

    The fix is just as bad

    Now the software relies on a key that only Sennheiser privately keeps a copy of.

    So they've just appointed themselves as a root CA. Wait until that key leaks and...

    What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

  16. DCFusor Silver badge

    Maybe they do get security

    But work for, dunno, Amber Rudd or perhaps some .gov entity in Oz or the US?

    The list of those who want backdoors isn't a short one.

  17. MJI Silver badge

    Sennheiser

    Great value headphones.

    Yet people would still buy fashion brands of low quality. Simply due to a peer pressure.

    Why do people still buy say Beats junk?

  18. Version 1.0 Silver badge

    Re: Sennheiser

    I was happy paying $$$ for a Sennheiser HD280PRO without any damn internet connection at all - and everyone who listens with them just sits there stunned because they have never heard sounds that realistic, or that clear.

    I keep them away from Fat Freddies cat though.

  19. katrinab Silver badge
    WTF?

    My Marshalls headphones work fine without any sort of software or root certificates. What could a headphone possibly do that requires anything other than the standard operating system audio stack?

  20. Stevie Silver badge

    Bah!

    CDs. Conventional Stereo. Wired headphones.

    aka "Air Gapped Music".

    T'would seem I am immune to this dastardly exploit. Suck on it, net-aware fadyoofs.

  21. Anonymous Coward
    Anonymous Coward

    Certificate Security played with a private key of F major

  22. bombastic bob Silver badge
    Coat

    Just 'A minor' setback. It will 'B sharp' soon enough. Enough to 'C major' improvements.

    Q: what has 17 flats?

    A: An 18-wheeler with one good tire

    coat, please

  23. Someone Else Silver badge

    @AC

    Certificate Security played with a private key of F major

    Bah! iI they were really that good, their private key would be F# minor.

  24. matjaggard

    Re: @AC

    Was the code written in C#?

  25. Deej

    I bet that, for such an attacker, this will be music to their ears

  26. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    They made a pig's ear of that

    Other than amazing sound quality, the best thing about (some) Sennheisers is that you can replace any part when it fails. After years of having to throw away great headphones from other manufacturers because of a mysteriously located cable break, or sonically obliterated driver, broken headband, lost and inexplicable tiny plastic part etc... I got some HD600s and haven't looked back.

  27. Chairman of the Bored Silver badge

    Life ain't fair

    Now that I've worked long and hard enough to afford network connected, software infested, high-end audio tat...

    ...my hearing is shot from decades of exposure to cooling fans, screaming managers, pleading customers, and so forth. Maybe the whole 'go to war' thing might not have helped, either.

    But, that's why I've got a 100W stack with an ominous subwoofer. To paraphrase Trump, "Crank her up! Crank her up!"

    Mines the one with the hearing aids and Metallica tickets in the pocket...

  28. Chairman of the Bored Silver badge
    Pirate

    Gold plated tat ... and star employees

    A two part story about some great employees...

    Part 1:

    An engineer working for me was in a Best Buy (for right pondians, think of an ironically named version of Currys). In this Best Buy he observed a salesman foisting gold-plated HDMI cables on an unsuspecting elderly lady, "Ma'am, you see, the gold plating prevents the audio from having hiss and crackle..." As this was a bridge too far, he engaged the salesman and saved her a load of cash. Actually, after his analog/digital explanation she was so pissed she abandoned her multi-thousand dollar TV order. Our hero got ejected from the store, told he would be arrested (for what?) if he ever re-entered, and called some things I'm not going to repeat here.

    Part 2:

    He never re-entered. But morale around the office suddenly became extremely high. It turns out that somebody bought some TV-B-Gones (https://www.tvbgone.com/) and clandestinely installed in the store so that the TVs on display would turn off. My people set up a seemingly random succession of "customers" who would rotate out the TV B Gones as they ran out of batteries. Hard to sell overpriced crap when it keeps shutting off, and your employees are running around with their hair ablaze.

    I'm proud of these people but a little upset I wasn't invited to participate.

  29. MJB7
    Boffin

    Certificate pinning won't help

    Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.

    (I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018