Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates.

A recent report from Secorvo reveals that Sennheiser's Headsetup drivers for its headphones covertly inserted two certificates into this root of trust. What's more, the certificate was ineptly secured, making it possible to guess the other half of the key-pair (certificates come in pairs; what one signs, the other can verify, and a well-formed certificate can never be used to infer its matching other half).

Worse still: the Headsetup installer didn't remove the certificates when you uninstalled the software, leaving your computer in a vulnerable state.

The upshot: anyone with access to the Headsetup installer could figure out the signing key, then use that key to sign certificates that would allow them to impersonate Google, Apple, Microsoft, your bank, the IRS (etc) to your computer, in an undetectable way, opening the door for malware, phishing, and other attacks.

When the researchers analyzed the private key, they determined that it was encrypted with AES-128-CBC encryption and needed to find the proper password to decrypt it. As the HeadSetup program needed to decrypt the key as well, it means it must have been stored somewhere, which in this case was in a file called WBCCListener.dll.

"In order to decrypt the file we needed to know the encryption algorithm and key that the manufacturer used for encryption," the researchers explained. "Our first guess was that the vendor employed the common AES encryption algorithm with 128-bit key in CBC mode.