Sennheiser Headphone Software Installs Root Certificates, Exposes Computers to Spoofing Attacks

A security firm has discovered that Sennheiser headphones could be used as a Trojan horse that potentially opens up one’s computer to hackers.

According to a new report from Ars Technica, Microsoft on Tuesday warned users that digital certificates were disclosed in two Sennheiser apps, which could allow a bad actor to remotely spoof websites or content.

Apparently, Sennheiser’s HeadSetup and HeadSetup Pro applications added two Certification Authority (CA) certificates into the local system’s Trusted Root CA store which exposed the users to spoofing attacks.

“Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates,” the tech giant said in its advisory. “The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.”

In a report published today, Secorvo researchers published proof-of-concept code showing how trivial would be for an attacker to analyze the installers for both apps and extract the private keys.

“Upon such a rare inspection of the Trusted Root CA store, we stumbled across two unexpected root certificates,” stated Secorvo’s report, by Hans-Joachim Knobloch and André Domnick. “The issuer names in these two certificates indicated that they have a connection to the Sennheiser HeadSetup utility software installed on our systems in conjunction with the connected headsets of this manufacturer.”



“The victim would have to inspect the HTTPS server certificate respectively code signing certificate in a detail level that shows the root certificate to which the certificate in question is linked,” the report continues.

Making matters worse, the certificates are also installed for Mac users, via HeadSetup macOS app versions, and they aren’t removed from the operating system’s Trusted Root Certificate Store during current HeadSetup updates or uninstall operations.

In HeadSetup and HeadSetup Pro, the vulnerable certificates will no longer be installed. Sennheiser has published a script that will remove affected certificates from affected computers as well as a guide using Active Directory and Group Policy Editor to achieve the same result.