
Sennheiser Headset Software Could Allow Man-In-the-Middle SSL Attacks - edwinjm
https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/
======
petepete
Have any hardware companies _ever_ written good accompanying software? From
all the custom-ui graphics card config nonsense to utilities that phone home
of their own accord, to things like this which are laughably awful.

I feel glad I left for the mild shores of Linux in the early 00s.

~~~
snaky
Apple?

~~~
moolcool
iTunes for Windows is hot garbage

~~~
Jonnax
They want you to buy a Mac. It's likely somewhat intentional.

~~~
ascagnel_
iTunes for Mac is slightly less-hot garbage.

They need to refactor the monolithic app that does everything into smaller,
more focused apps. My media player shouldn't also do document management for
my phone.

------
kanox
> the software was also installing a root certificate into the Trusted Root CA
> Certificate store.

This kind of stuff shouldn't even be legal.

~~~
Giroflex
As a bit of a layman, is there even any legitimate reason at all (other than a
user installing it in their own machine for reverse engineering purposes) for
anyone to install a root certificate anymore?

I could understand it if it was a small company doing so at the time when
certificates were expensive, but Sennheiser has plenty of money and
certificates can be obtained for free nowadays.

~~~
avian
I run some services for my private use. It's crazy that I need to have them
certified by some third-party over-seas CA since I can't get my own devices to
trust my own certificates.

We're not at that point yet, but running your own trust root is getting quite
annoying. For example, Android constantly nags about "network might be
monitored" when custom certificates are installed.

~~~
otterlicious
_Android constantly nags about "network might be monitored" when custom
certificates are installed._

It won't if you add name constraints to your root certificate (because then it
can't be used for blanket monitoring).

~~~
bostik
Does this actually work now? A name-constrained CA (or even its CSR) used to
break things in absolutely hilarious ways.

------
creeble
I'm a little lost on why they need a new root CA cert on a computer that
already has a cert store.

Can't they safely communicate with whatever.sennheiser.com using the existing
certs? Afaict, this isn't a stand-alone device trying to communicate, but your
computer, running some app.

What am I missing?

Edit: okay, I see below that they are using a local web server, and (thanks to
browser decisions about localhost) it requires https.

~~~
subway
The really silly thing is that it's 2018 and the browser vendors _still_
refuse to implement name based constraints on certificate authorities. It
should be perfectly reasonable for a local, single domain CA to be generated
and installed with the application. Instead we treat every CA as worthy to
handle every domain always.

~~~
bostik
I'm not sure that's a browser thing.

The X.509 spec specifies a field for that, which in OpenSSL would be called
"subjectNameConstraints". The rules for the constraint can be found in
RFC5280.[0] Mozilla have had an open development track for CA name constraints
for quite some time, but the last edit to the page is from 2015.[1]

I tried to actually use this field a couple of years ago, and none of the
existing tools I tried had any support for it. OpenSSL would fail to parse a
CSR config with this key. Same for Go's TLS library.

So of course I did what any enterprising hacker would do: I created a CSR
manually with the correct OID in place. Trying to _sign_ that was nothing
short of hilarious. Loading up the CSR into OpenSSL would trigger a BIO_read_*
error. Trying the same with Go's TLS library triggered a panic!

I then realised that if you could somehow supply a certificate chain with a
name-constrained CA in it, it would act as a highly reliable DoS against
virtually all clients. (Probably against servers too, if you supplied a
client-cert chain.)

Based on discussions since, I have been informed that Microsoft's TLS stack
supports this - or at least should be technically capable of issuing CAs with
the field in place. But because practically nothing else in the world has the
support, and is in fact likely to crash when presented with one, even a
gradual rollout is simply not possible.

Hence every single CA you see will be valid for *.

0: [https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)

1: [https://wiki.mozilla.org/CA:NameConstraints](https://wiki.mozilla.org/CA:NameConstraints)

~~~
kakwa_
Another simple mitigation would be the ability for one certificate to be
signed by several CAs.

We could combine that with some DNS records that state the policy for validating
the certificate (stating the number of CAs to validate a given certificate).

It could be a huge improvement on security, and eliminating CAs as single
points of failure for the whole internet, at least for critical pieces of it.

------
Jonnax
Why are they deploying their own certificate into the root store????

This is shocking behaviour. What's the difference between this and malicious
software?

~~~
merb
the problem is not that they add a root ca to the store. the problem is that
they use the same Root CA on every computer in the world AND adding it into
the Store AND having the Root CA PRIVATE KEY on ANY computer.

~~~
avian
> the problem is not that they add a root ca to the store.

Yes there is. There is no valid reason for a glorified headphone driver to
mess with what website your browser trusts.

~~~
kilburn
There is a valid reason: to enable website-to-hardware communication (i.e, to
provide a javascript-based api for websites to interface with that hardware).

Ideally browsers should implement well standardized, secure APIs for all
devices in the world, but we are far from there. Until browser vendors
implement the API you need, the only option is to employ this trick.

Of course, companies should NOT reuse the same certificate between
installations though (just generate a certificate during the installation
process and life is good again).

~~~
merb
> Ideally browsers should implement well standardized, secure APIs for all
> devices in the world, but we are far from there. Until browser vendors
> implement the API you need, the only option is to employ this trick

well not only browsers, os's in general ;)

------
hkt
From smart TVs to this. How awful.

Software is eating perfectly good peripherals and _totally_ ruining them.

------
nimbius
The comfort in this article is knowing for every boutique German headphone
company that insists on becoming a CA, there are thousands of nameless Chinese
companies producing superior products at lower prices that do to some measure
respect the user's privacy in that they aren't more than just a USB peripheral.

Sades and Xiberia for example make perfectly useful (if not a little bit
cyberpunk) headsets that just operate as USB soundcards with no special CA
requirement.

And if you're just in the mood to listen to some music without special
software in this foul year of our lord 2018, might I suggest a pair of
Superlux 668B's? For ~$40 they're easily better than anything Sennheiser
produces that requires its own PKI.

~~~
LMYahooTFY
I know this is really nitpicky, but is Sennheiser really a "boutique" company?

I was under the impression they're maybe one of the biggest and most prominent
headphone manufacturers in the world, especially when measured by R&D.

~~~
snaky
Exactly. The funny thing is that most of the 'boutique' headphone companies are
small Chinese vendors now, mostly unknown to Western people outside of
HeadFi forums.

------
_null_
This seems like pure laziness. Did the developers really not have an
understanding of basic PKI? Or did they realize late in the game that their
local web socket was gonna require HTTPS and slap this on at the last minute?

~~~
snaky
Why should developers care if customers don't?

Do we know of one B2C company who lost the business due to the security
breaches in their products?

------
StillBored
Hmm, I recently picked up a pair of pxc 550s (crazy good black Friday deal),
and I saw the thing about installing their android/iphone app to do NFC
pairing, but I frankly have no idea why you would want that, or really much of
anything else in the app. The reviews even mention that the eq controls don't
even work for DRM'ed content.

OTOH, it seems if you pair the headphones with normal bluetooth it's just using
A2DP/SBC and the audio quality is _miserable_. Maybe it's using a custom
bluetooth profile/a2dp codec?

Basically, why exactly do they even need a full blown app?

(on a further side note, I've gotten to the point where I don't really even
notice AC and computer fan noise so much so that while a couple of coworkers
complained about it, it wasn't until I tried the PXC 550's at work that I
realized our AC blowers are really _LOUD_. With the 550's the constant low
frequency rumble is just gone. I guess my earplugs just weren't blocking that
much low frequency.).

~~~
NullPrefix
RMA for miserable sound ?

~~~
fein
Bluetooth is absolute garbage for serious audio. Wired will always sound
better, and a DAC + Amp driving the cans will always sound the best.

Sennheiser does make BT headphones with a dedicated tower that helps a bit,
but nothing can replace a hard line.

~~~
Marsymars
> Sennheiser does make BT headphones with a dedicated tower that helps a bit,
> but nothing can replace a hard line.

Their RS line of headphones don't actually use Bluetooth. Their older ones use
the Kleer protocol, while the newer ones use a proprietary wireless protocol.
Lossless audio in either case.

------
SuperGent
HN discussion and original report - [https://news.ycombinator.com/item?id=18550854](https://news.ycombinator.com/item?id=18550854)

------
sambe
How does the process of getting the certificate installed work? Does the user
manually accept the installation at any point? Or is part of the blame on
Microsoft for allowing this?

~~~
Crosseye_Jack
You "just" need admin privs to install one. There are "legit" reasons for
using one atm (how else do you communicate with a locally running application
from a site using SSL/TLS without using a browser extension? I honestly want
to know as it would be handy for a project I'm working on).

For example Battle.net have a per machine generated CA that gets installed
when you install BNet (which is why it recently started asking for admin privs
to install / update instead of just asking for them when installing a game).

It's used for talking to BNet when following a battle.net link which can be
used to prompt you to join BattleNet groups and other things. They used to use
a cert signed by a public CA but that is frowned upon (as the only way the
client could really use it is if it knew the key for the cert which would lead
to either a million localhost.bnet.tld (I don't remember the actual hostname
so pulled one out of the air) certs or a shared cert with a million people who
could access the private key if they went looking hard enough). They made a
forum post about it when the issue about their own self signed CA started
showing up everywhere [0].

I believe Spotify do something similar so things like open.spotify.com and
other widgets can control the locally running spotify app.

MS themselves have a certtool in Visual Studio to create and add certs when
dev'ing using the latest builds of ASP.NET Core 2 as the default for new
projects is to use SSL (but iirc the cert tool VS uses does give you a prompt
about it installing a cert).

[0] [https://us.battle.net/forums/en/bnet/topic/20760626838](https://us.battle.net/forums/en/bnet/topic/20760626838)

------
angel_j
It would be strange if it wasn't allowed.

You are the man in the middle of a headset.

------
ams6110
All the technical mistakes aside, yet another illustration of why I refuse to
use wireless peripherals. They're uniformly shoddy at best, dropping
connections or having difficulty pairing often. The idea that headphones
should need software strikes me as insane.

~~~
dangoor
This is why Apple’s AirPods have been so popular. They really work quite well,
compared to any other wireless headphones I’ve used. Easier pairing and better
connections.

~~~
willio58
Also, surprisingly durable. Around April I accidentally left them out of their
charger and outside in the pocket of a foldable chair when I went out of town
for 1 month. It rained on them multiple times. When I found them I was sure
they would be broken.. I charged them up and I still use them daily. No
issues.

