Sennheiser’s flawed headphone software is a Trojan horse hackers could exploit

[Image: Sennheiser HD1 Wireless Pink Floyd edition headphones. Photo: Bill Roberson/Digital Trends]

Though you may not expect headphones to pose a cybersecurity risk, German security firm Secorvo discovered that Sennheiser headphones could be used as a Trojan horse that potentially opens up your computer to hackers. Fortunately, the problem isn’t hardware related; the headphones themselves are safe to use. Instead, the security flaw exists within Sennheiser’s HeadSetup software and in how it installs and manages root certificates, and their private keys, on your PC.

According to the researchers, Sennheiser’s desktop software was installing a self-signed root certificate, valid until January 13, 2027, into the Trusted Root CA Certificate store, along with the certificate’s encrypted private key. The problem for Sennheiser is that the same key decrypts that private key in every installation of the software. An attacker who recovers the private key would be able to issue forged certificates that impersonate any HTTPS website, and every machine that trusts the planted root would accept them. Such certificates would give attackers access to traffic for other domains, allowing them to perform man-in-the-middle attacks.

“We found that — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” Secorvo noted in its report. “This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victims of such a certificate forgery, allowing an attacker to send [for example] trustworthy signed software, or to act as an authority authorized by Sennheiser.”

“With this in place, a hacker could effectively snoop on a person’s traffic and read and alter the supposedly encrypted traffic to targeted domains,” The Inquirer noted of the danger of the HeadSetup vulnerability. “From there, information could be pilfered, such as data pertaining to log in to web services.”

As a result of Secorvo’s report, Microsoft has also issued security advisory ADV180029, warning users and system administrators that “inadvertently disclosed digital certificates could allow spoofing.” This type of vulnerability isn’t unlike the widely publicized Lenovo Superfish bug from 2015. In the Lenovo case, users became aware that pre-installed bloatware was signed with a weak security certificate that could allow hackers to inject malicious software on Lenovo systems or access data that would otherwise have been encrypted.

Sennheiser says it is working on an update to its HeadSetup software to patch the vulnerability. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue,” Secorvo wrote in its report. “According to the developers, this process will take a while.”

In the interim, Sennheiser has published a temporary fix that protects users by removing the planted certificate. Users can download it from the headphone maker’s support site while the HeadSetup software is being updated.
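For readers who want to check their own machines, the following PowerShell script is an added example written for this article; it is not Sennheiser’s fix and not code from Secorvo’s report. It audits the Windows Trusted Root stores for the pattern the article describes: a self-signed root CA certificate whose private key is present on an end-user PC. The vendor subject pattern (`*Sennheiser*`) is an assumption, since the article does not give the certificate’s subject name; the January 13, 2027 expiry comes from the article.

```powershell
# Added example (not from the article, Secorvo or Sennheiser). Audits the Windows
# Trusted Root stores for self-signed CA certificates that are suspicious because
# (a) their private key lives on this machine, (b) the subject matches a vendor
# pattern, or (c) the expiry matches the date reported in the article.
# Assumptions: the subject pattern is a guess; the expiry date is from the article.

param(
    [string]$SubjectPattern = '*Sennheiser*',          # assumption: vendor name in the subject
    [datetime]$KnownExpiry  = [datetime]'2027-01-13',  # expiry stated in the article
    [switch]$Remove                                     # removal only when explicitly requested
)

# Both the machine-wide and the per-user root stores can hold a planted root.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert           = $_
        $selfSigned     = ($cert.Subject -eq $cert.Issuer)
        $matchesSubject = ($cert.Subject -like $SubjectPattern)
        $matchesExpiry  = ($cert.NotAfter.Date -eq $KnownExpiry.Date)

        # A root CA certificate with a usable private key on an end-user host is a
        # red flag regardless of vendor: anyone with that key can mint trusted certs.
        if ($selfSigned -and ($cert.HasPrivateKey -or $matchesSubject -or $matchesExpiry)) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = @(
                    if ($cert.HasPrivateKey) { 'private key present' }
                    if ($matchesSubject)     { 'subject matches pattern' }
                    if ($matchesExpiry)      { 'expiry matches advisory' }
                ) -join ', '
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No suspicious self-signed root certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Deleting the certificate from the store withdraws trust from anything it signed.
        # -Confirm prompts for each removal; run elevated for the LocalMachine store.
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -Confirm
    }
}
```

Run it without arguments to get a report only; add `-Remove` (from an elevated prompt for the `LocalMachine` store) to delete each flagged certificate after confirming it. The private-key check is deliberately independent of the vendor pattern, so the same script surfaces any other software that plants a root CA together with its key, the class of problem Microsoft’s ADV180029 advisory warns about.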
