Share this story. Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s for Windows or macOS should take action immediately, even if users later uninstalled the app. To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the.

On Macs, it’s known as the. A few minutes to find, years to exploit The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet.

Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as would do nothing to detect the hack. Published by security firm Secorvo, the sensitive key was encrypted with the passphrase “SennheiserCC” (minus the quotation marks). That passphrase-protected key was then encrypted by a separate AES key and then base64 encoded.

The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary. Secorvo “As mentioned above several times, every system that ever had HeadSetup 7.3 installed will validate this certificate as trusted until the year 2027,” the Secorvo advisory explained. A later version of the Sennheiser app made a botched attempt to fix the snafu. It too installed a root certificate, but it didn’t include the private key.

But in a major omission, the update failed to remove the older root certificate, a failure that caused anyone who had installed the older version to remain susceptible to the trivial TLS forgeries. Also significant, uninstalling the app didn’t remove the root certificates that made users vulnerable.

Even on computers that didn’t have the older root certificate installed, the newer version was still problematic. That’s because it installed a server certificate for the computer’s localhost, i.e. Not only is it a violation of to issue certificates for non-routable IP addresses, it’s not at all clear that Sennheiser has complied with the same processes that certificate authorities are required to follow in securing their root keys. Remember Superfish? Further ReadingIf all of this sounds familiar, it may be because Lenovo in 2015 was caught selling computers that came that left HTTPS connections vulnerable to the same trivial forgery attacks.

The certificates were installed so that adware known as Superfish could inject ads into encrypted webpages. In the weeks following the revelation, the CEO responsible for the Superfish debacle, despite near unanimity among security professionals that the practice was nothing short of reckless. As noted above, certificate pinning is a technique that’s designed to protect people from forged certificates even when they’re generated by browser-trusted authorities. It works by storing digital fingerprints of certificates for some of the bigger websites on the Internet and comparing them to certificates presented by visited websites. Unfortunately, as, certificate pinning does nothing to flag forged certificates that are chained to a properly installed root certificate.

It’s troubling that three years later, engineers from Sennheiser were still making the same critical error as Lenovo and that Sennheiser fixed the mistake only after researchers from an outside firm pointed it out. Secorvo’s Dominick said he tested his proof-of-concept only against Windows versions of HeadSetup but that he believes the design flaw is present in macOS versions as well. That means anyone who has ever used the app should ensure that the root certificates it installed are removed or blocked.

Microsoft has without requiring any action on the part of end users. Manual removal instructions for Macs and PCs are and respectively. Post updated to report Microsoft has removed trust of the certificates from Windows.

Promoted Comments. It’s troubling that three years later, engineers from Sennheiser were still making the same critical error. I think it's more troubling that the whole security system is apparently vulnerable to a mistake made by any vendor.

It is a reasonable assumption that computer users will connect any number of peripherals and install all kinds of software. It is completely unreasonable to build computer security that only works under the assumption that nobody makes mistakes. What is even the point of the complex certificate infrastructure if it's so easily subverted?

It doesn't seem that a user can do anything to protect themselves against this kind of issue, the vulnerability is part of the 'security' design. Why the fuck do we need an ap for headphones, though? Because people are willing slaves to corporations who regularly accept corporate control and monitoring over their own possessions. Uh, I did it because I thought it might fix the annoying problem the 550s have with Bluetooth sound quality being garbage on windows. It forces the BT drivers to recognize it as a phone instead of headphones and knocks down the audio bitrate accordingly. I thought it'd fix it, but it didn't.

Guess I'm a willing slave because I don't want to do a bunch of reading on BT drivers to work around it (still haven't figured it out) and assumed the software interface would do it without creating an egregious security flaw. Maybe this was sarcastic though. People here are overly inclined to blame users for allowing these security flaws to impact them.

I don't know shit about coding, security protocols, certificates, etc. I'm a damn lawyer who can Google his way out of most daily technical issues. From my experience, that puts me around 98th percentile. Maybe the system that allows some idiot vendor to do this needs some tinkering?

Headsetuptm For Mac

Idiot vendors will likely always exist.