The Cybersecurity of Headsets

The Cybersecurity of Headsets

For video sessions, I don’t like wearing audio headsets, and which enclose both ears. So this is the device I bought:

It is a great headset, and you can even connect it to multiple computers at the same time. But, what about its cybersecurity? Well, it fails completely, and shows some of the weakest security I have seen for the connection of devices to your machine. For this, we need to look at the digital certificate that it adds to your machine:

These are root certificates on the machine, and can be used to approve software and hardware installs for the computer. If we view the digital certificate we get:

This contains a 4K RSA public key and which was issued on 7 March 2022. But the problem here is that this is a root certificate, and can be used to sign for any software and hardware that is added to my machine. Also … and worst of all … it is self signed! The trust level in a self-signed certificate is … ZERO!

This is such a nieve approach to software security, and a self-signed certificate should never appear outside a development environment. It means that if the private key of the public key associated with this certificate was breached, an intruder could craft trusted software or hardware for my machine, and for it to be trusted with this certificate.

Conclusions

I sometimes worry about the lack of understanding of the PKI (Public Key Infrastructure) from developers, and also from some cybersecurity specialists. It should be the foundation of security on the Internet, but it is probably one of the least understood areas of computer science. If you want to understand them more, try here: