Sennheiser Software Flaw Leaves Users Open to Hacking

You would not expect software for your headphones to seriously impair your computer’s security, but that’s exactly what Sennheiser managed to do. The desktop application for its headsets, called HeadSetup and HeadSetup Pro, included a botched root certificate, allowing anyone aware of the flaw to impersonate websites without detection. Sennheiser has issued a patch for the software, but it doesn’t seem to grasp the gravity of the screw-up.
The software, which runs on both Windows and Apple computers, is intended to help owners of the company’s headsets and speakerphones connect and use their devices. It does that, but it also installed a root certificate whose private key was exposed. Because Sennheiser placed that certificate in the operating system’s trusted certificate store, the system would from then on trust any website presenting a certificate issued under that root.
With that certificate installed, it’s trivially easy for an attacker to create a phishing website that looks like the real deal. As long as the site’s certificate is signed with the private key leaked from the Sennheiser program, your browser would report a legitimate HTTPS website. The only way to tell something isn’t right is to inspect the HTTPS certificate details and notice the unexpected issuer, but virtually no one does that. At most, people look for the padlock in the address bar, which doesn’t mean anything in this case. Research firm Secorvo, which discovered the flaw, proved its point by building a fake Google website that looks legitimate to a compromised system.

Perhaps the worst aspect of Sennheiser’s error is that uninstalling HeadSetup won’t fix the vulnerability. Even after clearing all the software, the certificate remains in place and valid. The company has released a patch that replaces that certificate with one that doesn’t leak its private key, but there’s no way to force people to update or even to make sure they know there’s a problem.
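To make the two points above concrete (any host can be impersonated while a root with a known private key sits in the trust store, and removing that root is what actually closes the hole), here is an added example written for this article, not code from Sennheiser or Secorvo. It builds a throwaway root CA with a made-up name, issues a certificate for an arbitrary hostname with that root’s key, and runs a browser-style chain check twice: once with the root still trusted, once after it has been removed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer under parent (self-signed when parent == tmpl) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a moment ago always parses
	return cert
}

// DemoChain builds a throwaway root CA (made-up name) and uses its private key to issue a cert for host.
func DemoChain(host string) (root, leaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Vendor Demo Root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = makeCert(rootTmpl, rootTmpl, rootPub, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = makeCert(leafTmpl, root, leafPub, rootKey)
	return root, leaf
}

// TrustedFor runs a browser-style chain check for host against the given trust store (nil = root removed).
func TrustedFor(leaf *x509.Certificate, store []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, leaf := DemoChain("accounts.example.com")
	fmt.Println("root still in the store:", TrustedFor(leaf, []*x509.Certificate{root}, "accounts.example.com"))
	fmt.Println("root removed from store:", TrustedFor(leaf, nil, "accounts.example.com"))
}
```

The first check succeeds and the second fails, which is exactly why uninstalling the application without deleting the root (or applying the patch that replaces it) leaves a machine exposed.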
The flaw has been compared with Lenovo’s Superfish bug, which affected PCs back in 2015. Superfish was a sketchy adware program bundled on Lenovo’s PCs, and like Sennheiser HeadSetup, it contained a flawed root certificate that allowed third parties to spoof websites. That was arguably worse because the bug was preloaded on new PCs. There will be fewer systems affected by Sennheiser’s vulnerability, but the risk is very much the same for those with the bugged software.
Lenovo was eventually fined $3.5 million by the FTC over Superfish. Sennheiser might want to start setting some cash aside.