Sennheiser’s flawed headphone software is a Trojan horse hackers could exploit

[Image: Sennheiser HD1 Wireless headphones. Photo: Bill Roberson/Digital Trends]

Though you may not expect headphones to pose a cybersecurity risk, German security firm Secorvo discovered that Sennheiser headphones could serve as a Trojan horse that potentially opens your computer to hackers. Fortunately, the problem isn’t hardware-related; the headphones themselves are safe to use. Instead, the flaw lies in Sennheiser’s HeadSetup software and the way it installs and manages certificates on your PC.

According to the researchers, Sennheiser’s desktop software was installing a self-signed root certificate, valid until January 13, 2027, into the Trusted Root CA certificate store, together with an encrypted private key. The problem for Sennheiser is that the same decryption key protects that private key in every installation of the software. An attacker who recovers this key can issue forged certificates that impersonate any HTTPS website, and because affected machines trust the root, those certificates let the attacker intercept traffic for other domains and perform man-in-the-middle attacks.

“We found that — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” Secorvo noted in its report. “This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send [for example] trustworthy signed software, or acting as an authority authorized by Sennheiser.”

“With this in place, a hacker could effectively snoop on a person’s traffic and read and alter the supposedly encrypted traffic to targeted domains,” The Inquirer noted of the danger of the HeadSetup vulnerability. “From there, information could be pilfered, such as data pertaining to log in to web services.”

As a result of Secorvo’s report, Microsoft has also issued security advisory ADV180029, warning users and system administrators that “inadvertently disclosed digital certificates could allow spoofing.” This type of vulnerability isn’t unlike the widely publicized Lenovo Superfish bug from 2015. In the Lenovo case, users discovered that pre-installed bloatware was signed with a weak security certificate that could allow hackers to inject malicious software on Lenovo systems or access data that would otherwise have been encrypted.

Sennheiser says it is working on an update to its HeadSetup software to patch the vulnerability. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue,” Secorvo wrote in its report. “According to the developers, this process will take a while.”

In the interim, Sennheiser has published a temporary fix that keeps users protected by removing the certificate. Users can obtain it from the headphone maker’s support site while the HeadSetup software is being updated.
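Whether you applied the temporary fix or just want to know what vendor software has left in your trust store, the practical check is the same one that would have caught both HeadSetup and Superfish: list the roots in the Windows Trusted Root stores, flag any that are not on a known-good baseline, and flag any trust anchor whose private key is present on the endpoint, since whoever holds that key can sign certificates the machine will trust. The script below is an added example written for this article, not code from Sennheiser, Secorvo or Digital Trends; the baseline file path and the idea of a baseline captured from a clean build are assumptions, and the Sennheiser certificate’s thumbprint and subject are not given in the article, so nothing here matches on them.

```powershell
# Added example (not from the article or from Sennheiser): audit the Windows root
# certificate stores for trust anchors that are not on a baseline, and for any root
# whose private key lives on this machine (the HeadSetup / Superfish pattern).
param(
    # Assumption: one SHA-1 thumbprint per line, exported from a clean reference build.
    [string]$BaselinePath = "$PSScriptRoot\root-baseline.txt"
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Load the baseline; with no baseline file every root is reported, which is still
# a useful first inventory.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object {
        $t = $_.Trim().ToUpper()
        if ($t) { $baseline[$t] = $true }
    }
}

$findings = foreach ($store in $stores) {
    Get-ChildItem $store | ForEach-Object {
        $cert = $_
        $notInBaseline = -not $baseline.ContainsKey($cert.Thumbprint.ToUpper())
        # A root whose private key is associated with the store entry means the
        # signing key is on the endpoint, so every user of the same installer
        # shares a trust anchor that any of them (or an attacker) could sign with.
        $keyPresent = $cert.HasPrivateKey
        # Self-signed roots are normal; the combination of self-signed, unknown
        # to the baseline and key present is what deserves a closer look.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        if ($notInBaseline -or $keyPresent) {
            [pscustomobject]@{
                Store             = $store
                Subject           = $cert.Subject
                Issuer            = $cert.Issuer
                NotAfter          = $cert.NotAfter
                Thumbprint        = $cert.Thumbprint
                SelfSigned        = $selfSigned
                NotInBaseline     = $notInBaseline
                PrivateKeyPresent = $keyPresent
            }
        }
    }
}

$findings | Sort-Object PrivateKeyPresent, NotInBaseline -Descending | Format-Table -AutoSize

# To neutralise a root you have confirmed should not be trusted, put a copy in the
# Disallowed store (Windows consults it before Root) and remove the Root entry.
# '<THUMBPRINT_FROM_REPORT>' is a placeholder for a value taken from the table above.
# $bad = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq '<THUMBPRINT_FROM_REPORT>'
# Export-Certificate -Cert $bad -FilePath "$env:TEMP\distrusted-root.cer" | Out-Null
# Import-Certificate -FilePath "$env:TEMP\distrusted-root.cer" -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
# Remove-Item $bad.PSPath
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable. The baseline approach is deliberate: Windows ships and updates its own trusted roots through Windows Update, so comparing against a clean build of the same image catches software-installed roots without needing to know a particular vendor’s certificate in advance. Note that HeadSetup shipped the private key as a separately encrypted file rather than necessarily attaching it to the store entry, so `PrivateKeyPresent` is a strong signal when true but not proof of absence when false; an unexpected self-signed root is reason enough to investigate what installed it.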
