Major Flaw In Sennheiser Headset Software
Quote: You would not expect software for your headphones to seriously impair your computer’s security, but that’s exactly what Sennheiser managed to do. The desktop application for its headsets, called HeadSetup and HeadSetup Pro, included a botched root certificate, allowing anyone aware of the flaw to impersonate websites without detection. Sennheiser has issued a patch for the software, but it doesn’t seem to grasp the gravity of the screw-up.
Perhaps the worst aspect of Sennheiser’s error is that uninstalling HeadSetup won’t fix the vulnerability. Even after clearing all the software, the certificate remains in place and valid. The company has released a patch that replaces that certificate with one that doesn’t leak its private key, but there’s no way to force people to update or even to make sure they know there’s a problem.

The flaw has been compared with Lenovo’s Superfish bug, which affected PCs back in 2015. Superfish was a sketchy adware program bundled on Lenovo’s PCs, and like Sennheiser HeadSetup, it contained a flawed root certificate that allowed third parties to spoof websites. That was arguably worse because the bug was preloaded on new PCs. There will be fewer systems affected by Sennheiser’s vulnerability, but the risk is very much the same for those with the bugged software.

Lenovo was eventually fined $3.5 million by the FTC over Superfish. Sennheiser might want to start setting some cash aside.
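The quoted article's key point is that uninstalling the software leaves the vendor's root certificate trusted, so the only reliable check is to audit the trust store itself. Below is an added PowerShell example (not from the article, Sennheiser, or any advisory) that lists matching certificates in the Windows root stores, flags the telltale sign of a bundled private key, and removes them only when explicitly asked; the subject pattern is a placeholder you would replace with the subject or thumbprint published in the vendor's advisory.

```powershell
# Added example: audit the trusted root stores for a vendor-installed CA
# certificate that survives an uninstall. Dry run unless -Remove is passed.
# ASSUMPTION: $SubjectPattern is a placeholder; use the subject/thumbprint
# from the vendor's advisory for a real check.
param(
    [string]$SubjectPattern = 'Sennheiser',   # placeholder, adjust per advisory
    [switch]$Remove                           # removal requires an elevated shell
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $SubjectPattern -or $_.Issuer -match $SubjectPattern } |
        ForEach-Object {
            $cert = $_
            # Basic Constraints tells us whether the entry is really a CA certificate.
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                IsCA          = [bool]($bc | ForEach-Object { $_.CertificateAuthority })
                # A trusted root should never carry its private key on an endpoint;
                # a True here is exactly the condition the article describes.
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output "No root certificates matching '$SubjectPattern' found."
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -Confirm
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
} else {
    Write-Output "Dry run: re-run with -Remove to delete the listed certificates."
}
```

Run it from an elevated PowerShell session so that the LocalMachine store is both readable and, with -Remove, writable; a certificate that reappears after removal points at a still-installed component that reinstalls it.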
