This topic is now archived and is closed to further replies.

rugk

CSR Harmony Wireless Software Stack injects weak root certificate into trust store


I was quite surprised when I saw two very suspicious root certificates in my CA store.

These were installed by a Bluetooth driver from CSR. Obviously this enables interception of HTTPS connections if the private key is found.

 


 

Additionally it injected certs into the "trusted publisher store", which means it can also fake digital signatures.

The worst thing is the certificates themselves - they are 1024-bit RSA certificates, which are very insecure, so it may be possible to crack the public key and get the private key out.


 

More information here: https://pastemarkdown.com/Su5Ch

And here you can see how it injects it: https://vimeo.com/rugkme/csrharmonyrootcert

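For anyone who wants to check their own machine for the situation described in the post above, here is an added example (not part of the original post and not code from CSR): a PowerShell audit that lists certificates in the root and trusted-publisher stores whose RSA key is shorter than a chosen minimum. The 2048-bit threshold and the function name `Get-WeakRsaCertificate` are assumptions made for this example.

```powershell
# Added example: report short RSA keys in the Windows trust stores.
# Assumption: 2048 bits is the minimum acceptable RSA modulus size.
$MinRsaBits = 2048

# Stores to audit: trusted roots and trusted publishers, machine-wide and per-user.
$StorePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\TrustedPublisher',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\TrustedPublisher'
)

function Get-WeakRsaCertificate {
    param(
        [string[]]$Path = $StorePaths,
        [int]$MinimumBits = $MinRsaBits
    )
    foreach ($store in $Path) {
        if (-not (Test-Path -Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) { continue }
            try {
                if ($rsa.KeySize -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $store
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $rsa.KeySize
                        # Simple heuristic: subject equals issuer.
                        SelfSigned = ($cert.Subject -eq $cert.Issuer)
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            } finally {
                $rsa.Dispose()
            }
        }
    }
}

# Print one row per weak certificate found.
Get-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

The script only reports key size and store location; each hit still has to be traced back to whatever installed it before deciding to remove it.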

Thanks for posting this, it may help others in deciding or troubleshooting.
