Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks


#1

Originally published at: https://boingboing.net/2018/11/29/check-your-headsetup.html


#2

Why do headphones need software drivers in the first place?


#3

Likes a hard analogue line in/out for my audio. Anything alse causes conflicts, processor load, and all sorts of shenanigans.


#5

All these .DLL thingies means it’s only PC’s whom are concerned by this bug? Plz remember Sennheiser makes fantastic headsets, and evenly good microphones; but hey, they’re still in the analog domain …


#6

I was wondering that too. Maybe they have a proprietary layer on top of the basic Bluetooth stack like Apple did with their AirPods?

Even with that, I can’t figure out why they would need to install a certificate in the root store. Is Sennheiser trying to avoid paying for a certificate for code signing or something?


#7

Almost certainly for no good reason. Typical reasons are to run some manufacturer supplied equalization or “3d sound” garbage, or to allow remapping of the HID buttons on the headphones for mute/volume control.

This was really stupid but also illustrates how bad our current certificate root of trust system is.


#8

Cory didn’t call it out specifically, but this does also affect any Mac to which the software was installed.

Now then, who had “headphone drivers that allow MITM attacks” on their dystopian hellscape timeline bingo card?


#9

I had a similar experience with Jabra products (although not as far as I know a security issue). Bought a headset that did not work properly with the mac even though it was advertised as such. Replaced it with a hockey puck style base station for conference calls which had call quality problems. So returned them all and tried to remove the software which proved to be extremely challenging. Uninstall didn’t work, the steps their support gave me left an annoying icon on my top menu bar (showing the software wasn’t really removed).

Finally was able to brute force uninstall by searching for strings on the file but it left a very bad taste in my mouth.


#10

From the linked Secorvo report:

“The Sennheiser HeadSetup SDK supports the use of a locally connected headset by web- based softphones in a browser, loaded from a server web site via HTTPS.

According to [Senn2018], the way HeadSetup supports this application scenario is by opening a local secure web socket (WSS) through which the headset can be accessed from within the browser.”

That sounds pretty niche to me.


#11

I wouldn’t rely on it only being Windows that is compromised, this is a security problem, not an OS problem.

ETA: @alahmnat confirmed it is a Mac problem too.


#12

I have two of their headphones, they’re excellent quality but I’m glad I’ve owned them for over a decade now. No fancy stuff back then to fuck up.


#13

Is Neodymium really that soft?


#14

I think this is more a problem with headsets than it is with headphones.

Think

and not


#15

:joy: Oh fuck all. This is priceless.

plugs analog headphone cable back in

rocks out


#16

They may have outsourced the driver or bought generic code.


#17

One nice side effect of using linux is you don’t buy peripherals which need ‘drivers’ for basic functionality, because they won’t work. Which means you don’t end up with a laptop full of useless or actively harmful crapware.


#18

I’m thinking that anything that changes the root certificates should have more than just the usual admin-access warning prompt.


#19

To subvert your security of course.

This is way too big a security hole. If any driver can insert insecure certificates, and almost anything can require drivers, then this seems like a rather obvious way to subvert people’s security.

Clearly the root of trust needs to be better secured.


#20

Yeah, too much already requires admin access. This is exactly why multiple levels of superuser access is necessary. Installing an application is a totally different level of access than changing the root of trust.


#21

I have “EVERYTHING can be used as an attack vector”, does this qualify?