Sennheiser’s headphone drivers covertly changed your computer’s root of trust, leaving you vulnerable to undetectable attacks

mostlysignssomeportents:

Your computer ships with a collection of trusted cryptographic certificates, called its “root of trust,” which are consulted to verify things like SSL connections and software updates.

A recent report from Secorvo reveals that Sennheiser’s Headsetup drivers for its headphones covertly inserted two certificates into this root of trust. What’s more, the certificate was ineptly secured, making it possible to guess the other half of the key-pair (certificates come in pairs; what one signs, the other can verify, and a well-formed certificate can never be used to infer its matching other half).

Worse still: the Headsetup installer didn’t remove the certificates when you uninstalled the software, leaving your computer in a vulnerable state.

The upshot: anyone with access to the Headsetup installer could figure out the signing key, then use that key to sign certificates that would allow them to impersonate Google, Apple, Microsoft, your bank, the IRS (etc) to your computer, in an undetectable way, opening the door for malware, phishing, and other attacks.

https://boingboing.net/2018/11/29/check-your-headsetup.html
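The practical defensive check behind this story is a trust-store audit: list the root certificates your machine trusts, compare them against a known-good baseline, and investigate anything that was added (and anything still there after an uninstall). The script below is an added example written for this reblog; it is not code from the post, from Secorvo, or from Sennheiser. It contains a minimal DER walker that pulls the issuer and subject common names out of an X.509 certificate, SHA-256 fingerprints each root, and reports roots that are not in the baseline. The certificates it audits are constructed in-line with placeholder names and a dummy signature so the example runs offline; no real fingerprints or vendor certificate names are used. On Windows the same `audit_trust_store` function can be fed the DER blobs returned by the standard-library call `ssl.enum_certificates("ROOT")`; on other platforms you would read the DER files from the system store yourself.

```python
"""Trust-store audit: flag root certificates that are not in a known-good baseline.

Added example (not the post's or any vendor's code). The sample certificates are
constructed here and are structurally valid DER but carry a dummy signature.
"""
from __future__ import annotations
import hashlib

# ---------- minimal DER (ASN.1) helpers ----------
SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
INTEGER, BITSTRING, NULL, UTCTIME = 0x02, 0x03, 0x05, 0x17
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one TLV starting at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes) -> list[tuple[int, bytes]]:
    """Split the content of a constructed element into its child TLVs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample certificates)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# ---------- X.509 parsing: just enough to name a root ----------
def _common_name(name: bytes) -> str:
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return ""

def cert_names(der: bytes) -> tuple[str, str]:
    """Return (issuer CN, subject CN) of a DER-encoded certificate."""
    _, cert, _ = der_read(der)
    tbs = der_children(cert)[0][1]           # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _common_name(fields[2][1]), _common_name(fields[4][1])

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def audit_trust_store(store: list[bytes], baseline: set[str]) -> list[dict]:
    """Return every certificate in `store` whose fingerprint is not in `baseline`."""
    findings = []
    for der in store:
        fp = fingerprint(der)
        if fp in baseline:
            continue
        issuer, subject = cert_names(der)
        findings.append({"subject": subject, "issuer": issuer,
                         "self_signed": issuer == subject, "sha256": fp})
    return findings

# ---------- constructed sample data ----------
def make_sample_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Build a structurally valid certificate with a zeroed key and dummy signature."""
    def name(cn: str) -> bytes:
        atv = der_encode(SEQUENCE, der_encode(OID, OID_CN) + der_encode(UTF8STRING, cn.encode()))
        return der_encode(SEQUENCE, der_encode(SET, atv))
    sig_alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d01010b")) + der_encode(NULL, b""))
    key_alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d010101")) + der_encode(NULL, b""))
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"180101000000Z") + der_encode(UTCTIME, b"280101000000Z"))
    spki = der_encode(SEQUENCE, key_alg + der_encode(BITSTRING, b"\x00" * 9))
    tbs = der_encode(SEQUENCE, der_encode(0xA0, der_encode(INTEGER, b"\x02")) + der_encode(INTEGER, b"\x01")
                     + sig_alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_encode(SEQUENCE, tbs + sig_alg + der_encode(BITSTRING, b"\x00" * 9))

def build_demo() -> tuple[list[bytes], set[str]]:
    """Two baseline roots plus one unexpected self-signed root added by an installer."""
    known = [make_sample_cert("Constructed OS Root CA 1", "Constructed OS Root CA 1"),
             make_sample_cert("Constructed OS Root CA 2", "Constructed OS Root CA 2")]
    rogue = make_sample_cert("Constructed Vendor Installer Root", "Constructed Vendor Installer Root")
    return known + [rogue], {fingerprint(c) for c in known}

if __name__ == "__main__":
    store, baseline = build_demo()
    for f in audit_trust_store(store, baseline):
        print(f"UNEXPECTED ROOT: {f['subject']} (self-signed={f['self_signed']}) sha256={f['sha256']}")
```

Snapshot the baseline fingerprints on a clean machine, rerun the audit after installing a driver or other vendor software, and rerun it again after uninstalling; a self-signed root that appears on install and persists after uninstall is exactly the behaviour the post describes.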