Security researchers have issued a warning that two pieces of support software for Sennheiser headphones contain a severe vulnerability that leaves systems open to man-in-the-middle attacks. But Sennheiser has a fix.
In July, researchers from Secorvo found that the HeadSetup and HeadSetup Pro software was configured in a way that makes it incredibly simple for an attacker to spoof the security certificates used for browsing. The screwup is being compared to Lenovo’s notorious Superfish bug that was packaged with adware on some of its laptops in 2014 and 2015. In this case, the potential damage would appear to be smaller because Sennheiser’s software is only used to support a specific set of products that enable headsets and speakerphones to communicate with softphone applications like Skype.
The software installs a self-signed root certificate in the space a user’s operating system stores trusted certificates for web browsing. It creates an encrypted Websocket with a browser that allows the headphones to easily communicate with a range of softphone products and continuously runs in the background. According to Secorvo’s report, the passphrase that’s needed to utilise the decrypted certificate was stored in plain text in an easily locatable file. And even if it wasn’t, “SennheiserCC” isn’t a great password.
Ars Technica reports:
“It took us a few minutes to extract the passphrase from the binary,” Secorvo researcher André Domnick told Ars. From then on, he effectively had control of a certificate authority that any computer that had installed the vulnerable Sennheiser app would trust until 2027, when the root certificate was set to expire. Dominick created a proof-of-concept attack that created a single certificate, shown below, that spoofed Google, Sennheiser, and three of Sennheiser’s competitors.
To put it simply, an attacker could use this method to intercept and read secure communications with any number of sites. Rather than securely transmitting a users’ credit card info to Amazon or password login to a bank, a hacker would be able to see the unencrypted data.
Sennheiser did not immediately respond to a request for comment but Secorvo says it has worked with the company since it discovered the problem. In conjunction with the release of the report, the headphone manufacturer has issued an update for the software that it claims “will rid the software of vulnerable certificates.” Simply uninstalling the programs will not solve the issue; however, the company also said that Microsoft invalidated the bad certificates on 27 November, a move that “fully eliminate[s] the possibility to exploit the certificates.” And for the extra cautious, a clean re-install of the operating system wouldn’t hurt. [Secorvo via Ars Technica]