Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

Anonymous Coward

Developers, developers, developers

Lame, lame, lame! Enough said.

Yet Another Anonymous coward
Silver badge

Not a problem

None of them are online, they are all waiting for $500 unidirectional gold ethernet cables

Someone Else
Silver badge
Pint

Shaun...please...

A man in the MIDI, sorry, middle attack could [...]

Shaun? Stop that now, young man!

Dan 55
Silver badge

We're told Headsetup is a tool that connects voice chat websites to posh Sennheiser headsets.

Why did Sennheiser think Bluetooth or a USB dongle were so lacking that they had to do this nonsense?

Thoguht
Silver badge

Why? Because they aren't gold plated, of course. The Sennheiser software gold plates every data packet it handles for the ultimate digital audio experience.

the spectacularly refined chap

To be fair Sennheiser make some genuinely decent kit, it isn't bling and flash for the sake of it. Look at their product range and the kind of accessories you cite are conspicuous by their absence, they're not the same as e.g. Beats, charging a premium for stuff that is at best mid-range.

Yes, a lot of the premium priced brands are simply marketing with nothing of substance to back it up, but genuine high-end audio gear commands a fair price too. You need to distinguish between the two.

Pascal Monett
Silver badge

Re: Why did Sennheiser [..] do this nonsense?

My question exactly. I've had radio headphones plugged into the TV for years, they didn't need no stinkin' app to work.

My current headphones are a not-too-pricey Sony model that work fine and plug in like every other kind I've ever had. I fail to see what is the point in having an app at all. You have an app for the sound card (or chip these days), that is where the tweaking should take place.

But headphones are for listening to the output, not for fiddling with it.

SloppyJesse

Maybe they had been drinking the same kool-aid as the IOT tat merchants - everything must connect back to the manufacturer's site.

Think of the data slurping opportunities...

Martin an gof
Silver badge

Sennheiser does other stuff too

The question is whether they have done this trick with other kit too - Sennheiser not only makes consumer products, but also professional kit such as near-ubiquitous radio microphones and medical kit such as hearing aids used by large numbers of NHS and private clinics. These days everything is set up by computer so if they have used a similar technique on the software, there could be hundreds of vulnerable computers sitting in clinics (and TV studios) around the country.

How would we find out?

M.

Dan 55
Silver badge

Re: Sennheiser does other stuff too

Checking if there's a Sennheiser root certificate in the certificate store.
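One way to run the check described above on a Windows box, as an added example that is not from this thread or from Sennheiser: it lists certificates in the machine and per-user trusted-root stores whose subject or issuer matches a name pattern (the "Sennheiser" pattern is an assumption, since the thread does not quote the certificate's name) and reports whether a private key is present alongside each one, which is the condition the commenters are complaining about.

```powershell
# Added example (not from the thread or from Sennheiser): look for trusted root
# certificates matching a vendor name and report whether a private key is present.
# Needs Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Find-SuspectRootCert {
    param(
        # Substring matched against Subject and Issuer; "Sennheiser" is an assumption.
        [string]$NamePattern = "Sennheiser"
    )

    # Both trusted-root stores matter: a per-user install can add to CurrentUser\Root
    # without ever touching the machine store.
    $stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$NamePattern*" -or $_.Issuer -like "*$NamePattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root CA certificate should never have its private key on an
                    # end-user machine; if this is True, anything on the box can mint
                    # certificates that the store already trusts.
                    HasPrivateKey = $_.HasPrivateKey
                    # Subject equal to Issuer is what a self-signed root looks like.
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$hits = Find-SuspectRootCert
if ($hits) {
    $hits | Format-Table -AutoSize
    # Removal is a deliberate step; review the hits first, then for example:
    # Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"   (needs an elevated shell)
} else {
    "No trusted root certificate matching the pattern was found."
}
```

On macOS the equivalent check is `security find-certificate -a -c Sennheiser /Library/Keychains/System.keychain` (and the same against `~/Library/Keychains/login.keychain-db`).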

Korev
Silver badge
Coat

Re: Sennheiser does other stuff too

Thanks for the Headsetup

Anonymous Coward
Silver badge
Megaphone

Re: Sennheiser does other stuff too

But those other things don't need an HTTP proxy to work. The software in question was to link scripts on arbitrary websites to the local hardware and is only required because the browsers are reluctant to do cross-domain stuff like that.

Radio mics don't tend to transmit over HTTP.

Not saying that they haven't bundled the crap with other installers, or made similar SNAFUs, just saying that this particular cockup is unlikely to affect other devices.

rmason
Silver badge

Re: Sennheiser does other stuff too

I agree that this is unlikely to affect their other kit, but it does highlight the fact they don't "get" security and the focus was 100% on just making their kit work regardless.

Which isn't brilliant.

bombastic bob
Silver badge
Unhappy

Re: Sennheiser does other stuff too

their headphones are really good. But yeah, good at headphones. not so much at network security.

djack

The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

DCFusor
Silver badge

Maybe they do get security

But work for, dunno, Amber Rudd or perhaps some .gov entity in Oz or the US?

The list of those who want backdoors isn't a short one.

MJI
Silver badge

Sennheiser

Great value headphones.

Yet people would still buy fashion brands of low quality. Simply due to peer pressure.

Why do people still buy say Beats junk?

Version 1.0
Silver badge

Re: Sennheiser

I was happy paying $$$ for a Sennheiser HD280PRO without any damn internet connection at all - and everyone who listens with them just sits there stunned because they have never heard sounds that realistic, or that clear.

I keep them away from Fat Freddy's cat though.

katrinab
Silver badge
WTF?

My Marshalls headphones work fine without any sort of software or root certificates. What could a headphone possibly do that requires anything other than the standard operating system audio stack?

Stevie
Silver badge

Bah!

CDs. Conventional Stereo. Wired headphones.

aka "Air Gapped Music".

T'would seem I am immune to this dastardly exploit. Suck on it, net-aware fadyoofs.

Anonymous Coward

Certificate Security played with a private key of F major

bombastic bob
Silver badge
Coat

Just 'A minor' setback. It will 'B sharp' soon enough. Enough to 'C major' improvements.

Q: what has 17 flats?

A: An 18-wheeler with one good tire

coat, please

Someone Else
Silver badge

@AC

Certificate Security played with a private key of F major

Bah! If they were really that good, their private key would be F# minor.

matjaggard

Re: @AC

Was the code written in C#?

Deej

I bet that, for such an attacker, this will be music to their ears

89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

They made a pig's ear of that

Other than amazing sound quality, the best thing about (some) Sennheisers is that you can replace any part when it fails. After years of having to throw away great headphones from other manufacturers because of a mysteriously located cable break, or sonically obliterated driver, broken headband, lost and inexplicable tiny plastic part etc... I got some HD600s and haven't looked back.

Chairman of the Bored
Silver badge

Life ain't fair

Now that I've worked long and hard enough to afford network connected, software infested, high-end audio tat...

...my hearing is shot from decades of exposure to cooling fans, screaming managers, pleading customers, and so forth. Maybe the whole 'go to war' thing might not have helped, either.

But, that's why I've got a 100W stack with an ominous subwoofer. To paraphrase Trump, "Crank her up! Crank her up!"

Mine's the one with the hearing aids and Metallica tickets in the pocket...

Chairman of the Bored
Silver badge
Pirate

Gold plated tat ... and star employees

A two part story about some great employees...

Part 1:

An engineer working for me was in a Best Buy (for right pondians, think of an ironically named version of Currys). In this Best Buy he observed a salesman foisting gold-plated HDMI cables on an unsuspecting elderly lady, "Ma'am, you see, the gold plating prevents the audio from having hiss and crackle..." As this was a bridge too far, he engaged the salesman and saved her a load of cash. Actually, after his analog/digital explanation she was so pissed she abandoned her multi-thousand dollar TV order. Our hero got ejected from the store, told he would be arrested (for what?) if he ever re-entered, and called some things I'm not going to repeat here.

Part 2:

He never re-entered. But morale around the office suddenly became extremely high. It turns out that somebody bought some TV-B-Gones (https://www.tvbgone.com/) and clandestinely installed them in the store so that the TVs on display would turn off. My people set up a seemingly random succession of "customers" who would rotate out the TV-B-Gones as they ran out of batteries. Hard to sell overpriced crap when it keeps shutting off, and your employees are running around with their hair ablaze.

I'm proud of these people but a little upset I wasn't invited to participate.

MJB7
Boffin

Certificate pinning won't help

Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.

(I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)

The Register - Independent news and views for the tech community. Part of Situation Publishing