Security News

Got a Sennheiser headset? You could be vulnerable.

Avast Security News Team, 30 November 2018

Sennheiser headsets are vulnerable to phishing, data stealing, and malware infection due to security flaw.

When you put on a world-class brand headset before using your computer, you’re probably not worried that it will open your world to hackers. But according to this new report, if you own headsets from Sennheiser, you need to think again.  

The HeadSetup software that accompanies the expensive Sennheiser headsets is needed to enable the headphones and speaker phones to connect and work with computers — both PCs and Macs. Once connected, the security flaw identified in the HeadSetup program makes it possible for hackers to impersonate or spoof a website. If a user types in any information — including passwords, site login information, personal data or even credit card numbers — to one of these fake sites, it could easily be stolen and used for nefarious purposes.

Hans-Joachim Knobloch and Andre Domnick, the security researchers from Germany’s Secorvo Security Consulting who discovered the vulnerability, said it would be difficult for the user to identify the issue. “The victim would have to inspect the HTTPS server certificate respectively code signing certificate in a detail level that shows the root certificate to which the certificate in question is linked.  Depending on the application, this requires anything from two to five additional, supposedly unnecessary clicks on buttons and options that are not commonly well-known. Hence, it is safe to assume that an overwhelming percentage of users will not perform such an inspection.”

Avast Security Evangelist Luis Corrons notes, “Unfortunately, hackers know that most consumers aren’t conditioned to pay attention to small telltale signs of a breach. As more and more devices are connected, it is important for IoT device users to proactively seek and implement measures to protect themselves from these malicious actors.”

While Sennheiser claims to be working on a patch to the HeadSetup vulnerability, the Secorvo report says that, in the meantime, users should be advised they are still at risk.

“Since the certificate is not removed from the trusted root certificate store during update or removal of the software, every system on which HeadSetup 7.3 was installed at any time in the past – and every user on such a system – remains vulnerable,” the report says.

Until the patch is available, Sennheiser has implemented a temporary fix that users can access via the headphone maker’s support site.