Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers.

The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users' encrypted HTTPS web browsing. In effect, installing the Headsetup software leaves you open to having your web connections snooped on or tampered with, and any sensitive information like passwords stolen.

A report out this week [PDF] by Secorvo Security Consulting details the blunder.

We're told Headsetup is a tool that connects voice chat websites to posh Sennheiser headsets. The software installs a trusted root security certificate, and uses that to open a local secure web socket, through which the website in the browser can access the swanky headphones using HTTPS. This secure link uses a TLS certificate chained to the installed root cert.

NBD: Adobe just dumped its private PGP key on the internet READ MORE

This is, we're told, required to avoid running afoul of cross-origin resource sharing rules put in place by modern browsers. The web socket requires a custom certificate because it must be assigned to the reserved IP address, 127.0.0.1 aka localhost. So Headsetup opens a web socket and presents a HTTPS certificate that is chained to the installed trusted root cert. The browser uses the installed root cert to check the socket's certificate is legit, and off it goes.

What is concerning to the researchers is that by having both the certificate and key present on the machine, an attacker can reuse the key – which is common to all installations – to create arbitrary HTTPS certificates for other websites and have them trusted by Headsetup users because the bogus certs are chained to the installed trusted root security certificate. This also means intercepted SSL/TLS connections can be decrypted, and malware can be digitally signed and trusted as legit software. This is music to the ears of determined hackers.

"We found that – caused by a critical implementation flaw – the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker. This allows him or her to sign and issue technically trustworthy certificates," Secorvo explained.

"Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser."

Sennheiser announces €50,000 headphones (we checked, no typos) READ MORE

For example, an attacker could create a malicious password-stealing website that masquerades as a bank or shopping site, then place a link to the website on a support forum frequented by Sennheiser headset owners. When a Headsetup user visits the fake page, the site presents a HTTPS certificate chained to the HeadSetup root cert to pass itself off as a legit secure website. The bogus site would then ask for a username and password – something like "please login to continue" – and swipe the credentials before redirecting to the real site. That would require the fake site to have a carefully crafted domain name like store.amazom.com.

However, if it's possible for the hacker to control the victim's DNS lookups, the bogus website can appear even more legit by using a familiar domain name and having a little green padlock to show it's secure. A man in the MIDI, sorry, middle attack could also use the root cert and key to intercept and decrypt HTTPS connections to legit websites on the fly. Precautions can be taken to mitigate these kinds of shenanigans.

All in all, though, even if Sennheiser customers were in no immediate danger, this shabby approach to security is not a great look.

Fortunately, Sennheiser has already posted an update to rectify the issue by removing the certificates and keys. Now the software relies on a key that only Sennheiser privately keeps a copy of.

For Windows users, the updated Headsetup version is 8.1.6114, while Mac users will want to update to version 5.3.7011. Those who can't install the updates are being offered a removal script that purges the vulnerable crypto. ®