Sennheiser Debacle: The Consequences of Poorly Secured Certificates

November 29, 2018 | Scott Carter

I recently wrote a blog for The SSL Store about the hazards of improperly using self-signed certificates. But little did I know that I would see such an egregious example so soon after publishing that blog.

Researchers at German cyber-security firm Secorvo revealed that German software developer Sennheiser had not only installed two self-signed root Certificate Authority (CA) certificates into the trust stores of users' computers, but had also shipped the corresponding private keys in a format from which they could be easily extracted.

With access to a self-signed root certificate and the corresponding key, attackers can carry out man-in-the-middle attacks to impersonate any website on the Internet. And we’re talking all major websites here. Ars Technica cautions, “The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.” In fact, since the root certificates are not set to expire until 2027, that’s quite a while.

The Sennheiser software in question was used to set up and manage softphones, which allow users to make phone calls from a computer instead of a physical phone. To do this, the company needed its headphones and speakerphones to work seamlessly with the computer, and it did that by establishing an encrypted WebSocket connection with the browser. That process involved installing a self-signed TLS certificate in the operating system's trust store, the central place where browser-trusted root CA certificates are stored.

The vulnerability occurred in version 7.3 of the HeadSetup app, where the self-signed root certificate was installed in a way that left the private cryptographic key accessible. According to Ars Technica, “Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.”
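The pattern above (a third-party self-signed root in the OS trust store, with a private key reachable on the same machine) can be audited from the defender's side. The following Windows PowerShell script is an added example, not code from Sennheiser, Secorvo or Venafi; it assumes you have exported a baseline list of approved root thumbprints from a known-clean build (the values shown are placeholders) and flags every root not in that list, reporting whether it is self-signed, whether it is a CA, and whether a private key is present.

```powershell
# Added example (not from the original post). Enumerate root stores and report
# any root certificate that is not in an approved baseline, together with the
# warning signs from the HeadSetup case: self-signed, CA-capable, private key present.
function Find-UnexpectedRoot {
    param(
        # Thumbprints exported from a known-clean image of the same OS.
        # PLACEHOLDER values: replace with your own baseline.
        [string[]]$Baseline = @('PLACEHOLDER_THUMBPRINT_1', 'PLACEHOLDER_THUMBPRINT_2'),
        [string[]]$Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $approved = $Baseline | ForEach-Object { $_.ToUpperInvariant() }
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($approved -contains $cert.Thumbprint.ToUpperInvariant()) { continue }

            # basicConstraints says whether this root is allowed to issue certificates.
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                Select-Object -First 1
            $isCa = if ($bc) { $bc.CertificateAuthority } else { $false }

            # HasPrivateKey on a root in an end-user trust store is the failure mode
            # described in this post: anyone on the machine can sign with it.
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                IsCA          = $isCa
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}

# Unknown roots, longest-lived first (the HeadSetup roots ran until 2027).
Find-UnexpectedRoot | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

Build the baseline by running the same enumeration on a freshly imaged machine and keeping its thumbprints; an entry where SelfSigned, IsCA and HasPrivateKey are all true is exactly the condition this post describes and should be removed and investigated.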

“The blunder of headphone software installing root CA certificates is serious, but the real story is that the power of machine identities is not well understood except by hackers,” warns Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “A certificate installed by default as a root CA for headphone software can easily enable ANY machine, website or cloud to appear trusted. These techniques are used every day by malware and trojans to make malicious sites. And developers aren’t learning from previous mistakes made by the largest vendors like Dell and Lenovo.”

Kevin goes on to remind us all that machine identities are often overlooked, or simply back-burnered, in security processes. And the results are serious enough to call attention to this negligence. “Machine identities like TLS keys and certificates are powerful weapons in the hands of cyber criminals and must be protected and their use treated as weapons. Global 5000 security and development teams must take this problem seriously.”

How actively is your organization managing its trust stores?

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.