Skip to main content
  1. Home
  2. Computing
  3. News

Sennheiser’s flawed headphone software is a Trojan horse hackers could exploit

Add as a preferred source on Google
Bill Roberson/Digital Trends

Though you may not expect headphones to pose a cybersecurity risk, German-based security firm Secorvo discovered that Sennheiser headphones could be used as a Trojan horse that potentially opens up your computer to hackers. Fortunately, the problem isn’t hardware related, as the headphones themselves are safe to use. Instead, the security flaw exists within Sennheiser’s HeadSetup software and how it installs and manages encrypted certificates on your PC.

According to researchers, Sennheiser’s desktop software was installing a self-signed root certificate into the Trusted Root CA Certificate store that’s valid until January 13, 2027, as well as an encrypted private key. The problem for Sennheiser is that the certificate uses the same decryption key for every installation of the software. An attacker who’s able to decrypt this key would be able to issue forged certificates that impersonate any HTTPS website. These new certificates would give attackers access to traffic for other domains, allowing hackers to perform man-in-the-middle attacks.

Recommended Videos

“We found that — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” Secorvo noted in its report. “This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send [for example] trustworthy signed software, or acting as an authority authorized by Sennheiser.”

“With this in place, a hacker could effectively snoop on a persons’ traffic and read and alter the supposedly encrypted traffic to targeted domains,” The Inquirer noted of the danger of the HeadSetup vulnerability. “From there, information could be pilfered, such as data pertaining to log in to web services.”

As a result of Secorvo’s report, Microsoft has also issued security advisory ADV180029, warning users and system administrator that “inadvertently disclosed digital certificates could allow spoofing.” This type of vulnerability isn’t unlike the widely publicized Lenovo Superfish bug from 2015. In the Lenovo case, users became aware that pre-installed bloatware were signed with a weak security certificate that could allow hackers to inject malicious software on Lenovo systems or access data that would have otherwise been encrypted.

Sennheiser claims that is is working on an update to its HeadSetup software to patch the vulnerability. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue,” Secorvo wrote in its report. “According to the developers, this process will take a while.”

In the interim, Sennheiser has implemented a temporary fix to keep users protected by removing the certificate. Users can access the temporary solution through the headphone maker’s support site while the HeadSetup software is being updated.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
I hope Apple keeps the MacBook Neo away from the AI hype and preserves its true identity
The cheapest MacBook beats the cheapest AI MacBook.
Computer, Electronics, Laptop

If there's one thing that has disrupted consumer tech economics over the last year while changing how we understand and recommend products, it's the ever-rising cost of memory and chips. 

The desperate need to scale up AI infrastructure has pushed major manufacturers to prioritize enterprise demand, leaving everyday consumers with far fewer choices. Those available cost significantly more than they did a year ago.

Read more
I let Radial menu take over my Mac, and I’m never going back
One mouse jiggle, endless shortcuts. My Mac has never felt this fast.
Radial app running on Mac

I have been testing Radial for the past week, and it's quickly become one of those apps I didn’t know how I could live without. It's a radial menu for macOS that puts your shortcuts, scripts, and automations right where your cursor is, so you never have to go hunting through menus to find what you need.

The app just received its 5.0 update, adding AI actions powered by Claude, window layouts, variables, a redesigned settings interface, a new Atmosphere background effect, and a squircle menu shape. I got to try most of these, and here's what I found.

Read more
Android desktop mode made me miss my laptop in record time
I tried writing and publishing from Google’s phone-to-monitor setup, and the future of mobile computing immediately started sweating.
Computer, Electronics, Laptop

Android 17 desktop mode has a very simple pitch. Plug your phone into a monitor, add a keyboard and mouse, and watch the slab in your pocket pretend to be a computer. I wanted to give that pitch a fair shot, so I tried using it for an actual workday instead of a cute demo.

The goal was boring on purpose: write an article, edit it, build the page in WordPress, upload whatever needed uploading, and publish the thing without running back to my laptop like a coward.

Read more