Sennheiser Software Flaw Leaves Users Open to Hacking

You would not expect software for your headphones to seriously impair your computer’s security, but that’s exactly what Sennheiser managed to do. The desktop application for its headsets, called HeadSetup and HeadSetup Pro, included a botched root certificate, allowing anyone aware of the flaw to impersonate websites without detection. Sennheiser has issued a patch for the software, but it doesn’t seem to grasp the gravity of the screw-up.

The software, which runs on both Windows and Apple computers, is intended to help owners of the company’s headsets and speakerphones connect and use their devices. It does that, but it also included a root certificate whose private key was exposed. Because Sennheiser placed that root in the operating system’s trusted certificate store, any system with the software installed trusts every certificate issued under it.

With that certificate installed, it’s trivially easy for an attacker to create a phishing website that looks like the real deal. As long as the site’s certificate is signed with the leaked private key from the Sennheiser program, your browser would report a legitimate HTTPS website. The only way to tell something isn’t right is to inspect the certificate details and see who issued it, but virtually no one does that. At most, people look for the padlock in the address bar, which doesn’t mean anything in this case. Research firm Secorvo, which discovered the flaw, proved its point by building a fake Google website that looks legitimate to a compromised system.

Secorvo’s fake Google example.

Perhaps the worst aspect of Sennheiser’s error is that uninstalling HeadSetup won’t fix the vulnerability. Even after the software is fully removed, the certificate remains in the trust store and stays valid. The company has released a patch that replaces that certificate with one that doesn’t leak its private key, but there’s no way to force people to update or even to make sure they know there’s a problem.
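The two points above (a trusted root whose key is known lets its holder mint a valid certificate for any site, and only removing the root from the store ends that trust) as an added Go example that is not from the article, Secorvo or Sennheiser. It builds a constructed stand-in root CA and a leaf for a hostname, then validates the leaf with and without the root in a certificate pool that plays the role of the OS trust store; the CA name and host are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert issues a certificate for name; a nil parent yields a self-signed root CA.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA { // a server leaf: no cert-signing, bound to one hostname
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RogueRootDemo models the HeadSetup situation with a constructed root CA (not Sennheiser's):
// it reports whether a leaf issued under that root validates for host while the root is in
// the store, and again after the root has been removed from it.
func RogueRootDemo(host string) (withRoot, withoutRoot bool) {
	root, rootKey := makeCert("Constructed Vendor Root CA", true, nil, nil)
	leaf, _ := makeCert(host, false, root, rootKey)
	store := x509.NewCertPool() // stands in for the OS trusted root store
	store.AddCert(root)
	_, errWith := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	_, errWithout := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return errWith == nil, errWithout == nil
}
```

The first result is true and the second false: the browser-style check passes for any hostname the key holder chooses until the root itself is deleted from the store, which is why uninstalling the application alone is not a fix.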

The flaw has been compared with Lenovo’s Superfish bug, which affected PCs back in 2015. Superfish was a sketchy adware program bundled on Lenovo’s PCs, and like Sennheiser HeadSetup, it contained a flawed root certificate that allowed third parties to spoof websites. That was arguably worse because the bug was preloaded on new PCs. There will be fewer systems affected by Sennheiser’s vulnerability, but the risk is very much the same for those with the bugged software.

Lenovo was eventually fined $3.5 million by the FTC over Superfish. Sennheiser might want to start setting some cash aside.
