Sennheiser users hit by root certificate flaw

Security specialists have discovered a vulnerability in software provided with selected Sennheiser headsets which allows for man-in-the-middle (MITM) attacks against any website, through the same mechanism as plagued Lenovo's Superfish software.

Every operating system capable of connecting to the internet includes a root certificate store: A list of encryption certificates which are to be trusted. When you visit your bank, it's those certificates that confirm it's actually your bank and not a fake website. When something fiddles with that root certificate store, then, you have problems - as Lenovo discovered when it bundled software on its machines which installed an insecure certificate allowing for attackers to impersonate supposedly-encrypted websites and monitor private traffic.

Sadly, it appears that audio specialist Sennheiser has repeated the same mistakes: Security specialist Secorvo has confirmed a flaw in the company's HeadSetup software, bundled with selected headsets, which does exactly what Superfish did and installs a pair of insecure certificates into the root store - rendering the entire operating system wholly vulnerable to man-in-the-middle attacks.

The flaw, the company's report explains, was discovered back in July, and reported privately to Sennheiser. While the Secorvo made public reference to the flaw in September, it held back full details - including a proof-of-concept exploit it developed attacking the flaw - until late October, despite Sennheiser not having released an update for the flawed software until late November.

'We decided to publish information about the vulnerability and recommended mitigations as scheduled,' the company explains in defence of releasing the information before the fix was finalised and released, 'because an attacker looking at the right spot may find and exploit it.'

The flaw is fixable in two ways: Users can install the latest HeadSetup or HeadSetup Pro software, which deals with the root cause of the issue, or they can allow Windows to update its certificate information which, as of earlier this week, automatically removes the certificates from trust in order that they cannot be exploited to attack a target system.

Full details on the vulnerability are available in the Secorvo report (PDF warning).