Sennheiser Software Flaw Leaves Users Open to Hacking
You would not expect software for your headphones to seriously impair your computer’s security, but that’s exactly what Sennheiser managed to do. The desktop application for its headsets, called HeadSetup and HeadSetup Pro, included a botched root certificate, allowing anyone aware of the flaw to impersonate websites without detection. Sennheiser has issued a patch for the software, but it doesn’t seem to grasp the gravity of the screw-up.
The software, which runs on both Windows and Apple computers, is intended to help owners of the company’s headsets and speakerphones connect and use their devices. It does that, but it also installed a root certificate whose private key was shipped with the program and could be extracted. Because Sennheiser placed that certificate in the operating system’s trusted root certificate store, the system would from then on trust any website presenting a certificate signed with the matching key.
With that certificate installed, it’s trivially easy for an attacker to create a phishing website that looks like the real deal. As long as it uses the leaked private key from the Sennheiser program, your browser would report a legitimate website with HTTPS. The only way to tell something isn’t right is to inspect the site’s certificate details, but virtually no one does that. At most, people look for the padlock in the address bar, which doesn’t mean anything in this case. Research firm Secorvo, which discovered the flaw, proved its point by building a fake Google website that looks legitimate to a compromised system.
Perhaps the worst aspect of Sennheiser’s error is that uninstalling HeadSetup won’t fix the vulnerability. Even after clearing all the software, the certificate remains in place and valid. The company has released a patch that replaces that certificate with one that doesn’t leak its private key, but there’s no way to force people to update or even to make sure they know there’s a problem.
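Because uninstalling the software does not remove the certificate, the practical check on a Windows machine is to look in the root stores directly. The script below is an added example, not Sennheiser’s or Secorvo’s code; the thumbprint is a placeholder and the subject pattern is an assumption, so substitute the values from the vendor advisory before relying on it.

```powershell
# Added example (not from the original article or from Sennheiser/Secorvo).
# Audits the Windows trusted root stores for a vendor-installed root CA that
# an uninstall left behind, and optionally removes it.
# ASSUMPTIONS: the thumbprint below is a PLACEHOLDER, not the real value;
# the subject pattern is an assumed match string. Replace both with the
# values published in the vendor advisory.
param(
    [switch]$Remove   # pass -Remove to delete matches (LocalMachine needs elevation)
)

$KnownBadThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_FROM_VENDOR_ADVISORY'
)
$SubjectPattern = '*Sennheiser*'   # assumed; adjust to the advisory's subject name

# Both stores matter: a per-user install trusts the root for that user only,
# a machine-wide install trusts it for everyone on the box.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        ($KnownBadThumbprints -contains $_.Thumbprint) -or
        ($_.Subject -like $SubjectPattern)
    } | ForEach-Object {
        # A root whose Basic Constraints says CA=true can sign certificates
        # for any domain, which is exactly the risk described above.
        $bc = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
            Path       = $_.PSPath
        }
    }
}

if (-not $findings) {
    Write-Output 'No matching root certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # The certificate provider supports Remove-Item on a certificate path.
        Remove-Item -Path $f.Path -Confirm
    }
}
```

On macOS the equivalent audit is done against the System keychain with the `security find-certificate` tool rather than a certificate store path.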
The flaw has been compared with Lenovo’s Superfish bug, which affected PCs back in 2015. Superfish was a sketchy adware program bundled on Lenovo’s PCs, and like Sennheiser HeadSetup, it contained a flawed root certificate that allowed third parties to spoof websites. That was arguably worse because the bug was preloaded on new PCs. There will be fewer systems affected by Sennheiser’s vulnerability, but the risk is very much the same for those with the bugged software.
Lenovo was eventually fined $3.5 million by the FTC over Superfish. Sennheiser might want to start setting some cash aside.