
Sennheiser Software Could Validate Legitimacy of Any Website

Ionut ILASCU

December 12, 2018


Even if you’re careful about what you install on your computer, you still face the risk that legitimate software will punch a security hole that hackers can exploit. Case in point: Sennheiser’s HeadSetup software, installed on Windows and macOS systems, adds a self-signed root certificate that could be used to intercept traffic from any web page you load in a browser.

HeadSetup’s purpose is to make Sennheiser headphones and speakerphones work seamlessly with computers by creating an encrypted communication channel between the two devices. All this sounds great in theory, but in practice Sennheiser used the same TLS (transport layer security) root certificate for every software installation and left the associated private key (the key that decrypts and signs) unprotected.

TLS certificates, like those used by websites to encrypt communication, rely on a chain of trust to establish the authenticity of the source and the integrity of the message. Each certificate is signed by another one higher in the hierarchy until the chain reaches a root certificate, which comes preloaded in operating systems and web browsers.

Because HeadSetup installs its own root certificate into the system’s trust store, anyone holding the matching private key could issue a fraudulent certificate for any domain they wanted and have browsers accept it as legitimate. This opened the door to impersonating any website on the internet and intercepting and manipulating traffic containing sensitive information in a classic man-in-the-middle (MitM) attack.

Secorvo discovered the problem by reverse engineering Sennheiser’s software. The consulting firm was able to find the private key encrypted in the HeadSetup software and the password to unlock it. Armed with this information, an attacker could set up a fake website that imitates popular online services (email, social media, banking), and trick victims into passing on credentials and other sensitive data like temporary login codes; malware could also be distributed this way.

The issue has been reported to Sennheiser, who took action by releasing new versions for HeadSetup and HeadSetup Pro (Windows and macOS). Additionally, Microsoft invalidated the dangerous certificate. Users are strongly recommended to update their Sennheiser software and install the latest Windows updates; uninstalling the software does not remove the troublesome certificate.

If neither option is possible, the audio device maker provides step-by-step instructions for macOS and Windows on how to remove the certificate from the computer.

Image credit: Sennheiser
