Root Certificates From Sennheiser Headphone Software
Hans-Joachim Knobloch and André Domnick (PDF)
We found that – caused by a critical implementation flaw – the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker. This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser.
[…]
According to Sennheiser, the browser must be able to access this local web socket through a trusted HTTPS connection in order to bypass cross origin resource sharing (CORS) restrictions implemented by relevant browsers. Hence, the HeadSetup SDK needs a locally trusted TLS server certificate issued to the localhost IP address (127.0.0.1) and the associated private key.
[…]
Despite its designation as CA certificate, the HeadSetup software employs it as the TLS server certificate for the local secure web socket. In order to turn it into a trusted credential, the HeadSetup installer pushes the certificate into the local machine trusted root certificate store of the Windows system on which it is installed.
Note that the HeadSetup installer must run with local administrator privileges. Once the installing user confirms the installation of the software there is no further system prompt warning about the addition of the certificate to the trusted root store and displaying the certificate’s fingerprint, like there would be if this root certificate were added manually.
Via Andrew Ayer:
Like Superfish, anyone can use this key, which is the same on all installations, to forge certificates and impersonate websites.