Sennheiser Debacle: The Consequences of Poorly Secured Certificates

November 29, 2018 | Scott Carter

I recently wrote a blog for The SSL Store about the hazards of improper use of self-signed certificates. But little did I know that I would see such an egregious example so soon after publishing that blog.

Researchers at German cyber-security firm Secorvo revealed that German software developer Sennheiser had not only inadvertently installed two self-signed root Certificate Authority (CA) certificates into the trust stores of users' computers, but had also shipped the corresponding private keys in a format that could be easily extracted.

With access to a self-signed root certificate and the corresponding key, attackers can carry out man-in-the-middle attacks to impersonate any website on the Internet. And we’re talking all major websites here. Ars Technica cautions, “The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.” In fact, since the root certificates are not set to expire until 2027, that’s quite a while.

The Sennheiser software in question was used to set up and manage softphones that allow users to make phone calls on a computer instead of using a physical phone. To do this, the company needed its headphones and speakerphones to work seamlessly with the computer. The way it did that was by establishing an encrypted WebSocket connection with the browser. That process involved installing a self-signed TLS certificate in the operating system’s trust store, the central place where browser-trusted root CA certificates are kept.

The vulnerability occurred in version 7.3 of the HeadSetup app, where the self-signed root certificate was installed in a way that allowed the private cryptographic key to be accessible. According to Ars Technica, “Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.”

“The blunder of headphone software installing root CA certificates is serious, but the real story is that the power of machine identities is not well understood except by hackers,” warns Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “A certificate installed by default as a root CA for headphone software can easily enable ANY machine, website, or cloud to appear trusted. These techniques are used every day by malware and trojans to make malicious sites. And developers aren’t learning from previous mistakes made by the largest vendors like Dell and Lenovo.”

Kevin goes on to remind us all that machine identities are often overlooked, or simply back-burnered, in security processes. And the results are serious enough to call attention to this negligence. “Machine identities like TLS keys and certificates are powerful weapons in the hands of cyber criminals and must be protected, and their use treated as weapons. Global 5000 security and development teams must take this problem seriously.”

How actively is your organization managing its trust stores?
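One concrete way to start answering that question on Windows endpoints is to audit the root stores that browsers consult for the warning signs described above: a self-signed CA certificate that nobody approved, or a root whose private key is present on the machine. The script below is an added example, not code from the original post or from Sennheiser or Secorvo; the approved-thumbprint list is a placeholder you would replace with your own inventory, and it assumes an elevated prompt so the LocalMachine stores are readable.

```powershell
# Added example (not from the original post): audit Windows root stores for
# roots that show the warning signs described in the article.
# Assumption: thumbprints of roots your organization deliberately deploys.
# Placeholder value; replace with your own inventory.
$ApprovedRootThumbprints = @('0000000000000000000000000000000000000000')

function Get-SuspiciousRootCerts {
    param(
        [string[]]$Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string[]]$Approved = $ApprovedRootThumbprints
    )
    # Roots distributed by Microsoft's root program live in AuthRoot; a
    # self-signed CA in Root that is absent there was put there by something else.
    $authRoot = (Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot').Thumbprint

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            $isCa       = ($null -ne $bc) -and $bc.CertificateAuthority
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $known      = ($Approved -contains $cert.Thumbprint) -or ($authRoot -contains $cert.Thumbprint)

            $flags = @()
            # A root's private key should never be on an endpoint. Note that a key
            # shipped as a file beside an application will not show up here.
            if ($cert.HasPrivateKey)                   { $flags += 'PrivateKeyPresent' }
            if ($selfSigned -and $isCa -and -not $known) { $flags += 'UnapprovedSelfSignedCA' }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Flags      = ($flags -join ',')
                }
            }
        }
    }
}

Get-SuspiciousRootCerts | Sort-Object Store, Subject | Format-Table -AutoSize
```

Microsoft's own roots are not in AuthRoot and will be listed as unapproved on the first run; add them to the approved list once reviewed, and treat any remaining entry, especially one with PrivateKeyPresent, as something to remove or explain.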

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
