Though you may not expect headphones to pose a cybersecurity risk, German-based security firm Secorvo discovered that Sennheiser headphones could be used as a Trojan horse that potentially opens up your computer to hackers. Fortunately, the problem isn’t hardware related, as the headphones themselves are safe to use. Instead, the security flaw exists within Sennheiser’s HeadSetup software and how it installs and manages encrypted certificates on your PC.
According to researchers, Sennheiser’s desktop software was installing a self-signed root certificate into the Trusted Root CA Certificate store that’s valid until January 13, 2027, as well as an encrypted private key. The problem for Sennheiser is that the certificate uses the same decryption key for every installation of the software. An attacker who’s able to decrypt this key would be able to issue forged certificates that impersonate any HTTPS website. These new certificates would give attackers access to traffic for other domains, allowing hackers to perform man-in-the-middle attacks.
“We found that — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” Secorvo noted in its report. “This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send [for example] trustworthy signed software, or acting as an authority authorized by Sennheiser.”
“With this in place, a hacker could effectively snoop on a persons’ traffic and read and alter the supposedly encrypted traffic to targeted domains,” The Inquirer noted of the danger of the HeadSetup vulnerability. “From there, information could be pilfered, such as data pertaining to log in to web services.”
As a result of Secorvo’s report, Microsoft has also issued security advisory ADV180029, warning users and system administrator that “inadvertently disclosed digital certificates could allow spoofing.” This type of vulnerability isn’t unlike the widely publicized Lenovo Superfish bug from 2015. In the Lenovo case, users became aware that pre-installed bloatware were signed with a weak security certificate that could allow hackers to inject malicious software on Lenovo systems or access data that would have otherwise been encrypted.
Sennheiser claims that is is working on an update to its HeadSetup software to patch the vulnerability. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue,” Secorvo wrote in its report. “According to the developers, this process will take a while.”
In the interim, Sennheiser has implemented a temporary fix to keep users protected by removing the certificate. Users can access the temporary solution through the headphone maker’s support site while the HeadSetup software is being updated.