
Sennheiser’s flawed headphone software is a Trojan horse hackers could exploit

Bill Roberson/Digital Trends

Though you may not expect headphones to pose a cybersecurity risk, German-based security firm Secorvo discovered that Sennheiser headphones could be used as a Trojan horse that potentially opens up your computer to hackers. Fortunately, the problem isn’t hardware related, as the headphones themselves are safe to use. Instead, the security flaw exists within Sennheiser’s HeadSetup software and how it installs and manages encrypted certificates on your PC.

According to the researchers, Sennheiser’s desktop software was installing a self-signed root certificate into the Trusted Root CA Certificate store that’s valid until January 13, 2027, together with an encrypted copy of its private key. The problem for Sennheiser is that the private key is protected by the same decryption key in every installation of the software. An attacker who is able to decrypt that key can use it to issue forged certificates that impersonate any HTTPS website. Because every affected machine trusts the root, those forged certificates would let the attacker intercept traffic to the impersonated domains, i.e. perform man-in-the-middle attacks.

“We found that — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” Secorvo noted in its report. “This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become a victim of such a certificate forgery, allowing an attacker to send [for example] trustworthy signed software, or acting as an authority authorized by Sennheiser.”

“With this in place, a hacker could effectively snoop on a person’s traffic and read and alter the supposedly encrypted traffic to targeted domains,” The Inquirer noted of the danger of the HeadSetup vulnerability. “From there, information could be pilfered, such as data pertaining to log in to web services.”

As a result of Secorvo’s report, Microsoft has also issued security advisory ADV180029, warning users and system administrators that “inadvertently disclosed digital certificates could allow spoofing.” This type of vulnerability isn’t unlike the widely publicized Lenovo Superfish bug from 2015. In the Lenovo case, users became aware that pre-installed bloatware was signed with a weak security certificate that could allow hackers to inject malicious software on Lenovo systems or access data that would otherwise have been encrypted.

Sennheiser claims that it is working on an update to its HeadSetup software to patch the vulnerability. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue,” Secorvo wrote in its report. “According to the developers, this process will take a while.”

In the interim, Sennheiser has implemented a temporary fix to keep users protected by removing the certificate. Users can access the temporary solution through the headphone maker’s support site while the HeadSetup software is being updated.
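The mechanism described above (a vendor root certificate planted in the Trusted Root store) and the interim fix (removing it) both come down to one administrative check: is such a root still present on a machine? The following PowerShell is an added example, not code from the article, Secorvo, Sennheiser or Microsoft. It assumes the certificate’s subject contains the vendor name “Sennheiser” (a placeholder to be confirmed against the Secorvo report or ADV180029) and uses the January 13, 2027 expiry the article quotes; it reports matches and prints the removal command rather than deleting anything.

```powershell
# Added example: look for a vendor-planted root certificate in the Windows
# trusted-root stores. Subject pattern is an ASSUMPTION (placeholder); the
# expiry date is the one quoted in the article. Nothing is removed here.

$subjectPattern  = 'Sennheiser'                     # assumed; confirm against advisory
$expectedExpiry  = [datetime]::ParseExact('2027-01-13', 'yyyy-MM-dd', $null)

# Both machine-wide and per-user root stores can hold a planted root.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        # Every root is self-signed, so match on the vendor subject and the
        # reported expiry (1-day tolerance absorbs time-zone shifts of NotAfter).
        ($_.Subject -match $subjectPattern -or $_.Issuer -match $subjectPattern) -and
        ([math]::Abs(($_.NotAfter - $expectedExpiry).TotalDays) -le 1)
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey   # a root with a local private key is a red flag
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    foreach ($h in $hits) {
        # Print, rather than run, the removal so an operator can review first.
        Write-Warning ("Review, then remove with: Remove-Item -Path '{0}\{1}'" -f $h.Store, $h.Thumbprint)
    }
} else {
    Write-Output 'No matching root certificate found in the trusted-root stores.'
}
```

Run it from an elevated prompt so the LocalMachine store is readable; after applying the vendor’s fix, rerunning it should report no matches.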

Chuong Nguyen