
Sennheiser's headphone software had a serious security flaw that could compromise your...

By Greg S
Nov 29, 2018
A flaw has been discovered in Sennheiser's HeadSetup software, which works with the company's headphones, that allows man-in-the-middle attacks to be carried out. German consulting firm Secorvo has published a vulnerability report, and Sennheiser has updated its software to eliminate the threat.

The vulnerability occurs because the software was installing a root certificate, together with an encrypted private key, into the Trusted Root CA Certificate store. With that key, a spoofed certificate could be generated that appears valid to end users. Connecting to HTTPS sites would still show a secure connection, even though a malicious entity could gain access to any data transmitted.

HeadSetup and HeadSetup Pro will no longer install the vulnerable certificates. Sennheiser has published a script that removes the affected certificates from affected computers, as well as a guide to achieving the same result using Active Directory and Group Policy Editor.

Not unlike Lenovo's Superfish software, Sennheiser's mistake leaves users open to the same type of forgery attack. The main difference is that Sennheiser was not abusing the flaw; it was simply an unnoticed security issue.

To make matters worse, browsers such as Google Chrome will not detect forged certificates that chain to a correctly installed root certificate. Certificate pinning is a known type of attack that modern browsers mitigate, but it does not help in this case because the chain of trust does not appear broken at any step.

Both Windows and macOS users are believed to be affected by the issue, but the solutions are already available. If you use Sennheiser's HeadSetup or HeadSetup Pro software, update it to the latest version immediately.
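As an added example (not Sennheiser's published removal script), the following PowerShell audits the Windows trusted root stores for the condition described above: a root CA whose private key is present on the workstation, which is what lets a forged certificate chain validate cleanly. It assumes the offending root was imported with its key attached and treats any non-self-signed entry in a Root store as a second red flag; the -Remove switch is a hypothetical addition and only acts after confirmation.

```powershell
# Audit Windows trusted root stores for anchors that should not be there.
# A root certificate whose private key is present on this machine means
# anyone who obtains that key can mint certificates the browser will trust.
# Hypothetical defender script, not Sennheiser's removal script.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # remove flagged certificates (run elevated for LocalMachine)
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        # A root CA's private key belongs on the CA's signing system,
        # never on an end-user workstation.
        if ($cert.HasPrivateKey) { $reasons += 'private key present' }
        # Heuristic: Root stores are expected to hold self-signed anchors only.
        if ($cert.Subject -ne $cert.Issuer) { $reasons += 'not self-signed' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No suspicious root certificates found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        # -DeleteKey also removes the associated private key from the key store.
        if ($PSCmdlet.ShouldProcess($path, 'Remove root certificate')) {
            Remove-Item -Path $path -DeleteKey
        }
    }
}
```

Run it without -Remove first and review the report; a legitimate enterprise root can also appear as "not self-signed" if it was cross-signed, so confirm each entry before removal.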


