Sennheiser has disclosed that a vulnerability has been identified in Sennheiser HeadSetup and HeadSetup Pro. It recommends that both PC and Mac users update their software to the latest versions (which have now been made available).
The latest software versions are:
HeadSetup Pro: v.2.6.8235
HeadSetup: v.8.1.6114 (for PC) and HeadSetup: v.5.3.7.011 (for Mac)
Users can download the updates from the Sennheiser website. Mac users, Windows users who do not receive the automatic update from Microsoft, and anyone who chooses not to update HeadSetup or HeadSetup Pro can find instructions for removing the certificates on the Sennheiser website.
Updating to the latest version removes the vulnerable certificates. In addition, Windows invalidated the old certificates on November 27th, which closes off exploitation on Windows systems that received that update. Mac users, and Windows users who did not receive it, must remove the certificates themselves.
What happened? Ars Technica has a detailed explanation. In short, Ars Technica says that Sennheiser has issued a fix for a “monumental software blunder” that allowed hackers to carry out man-in-the-middle attacks that “cryptographically impersonate any big-name website on the internet.”
This vulnerability was apparently discovered by Secorvo security consulting, who published a report about it. Ars Technica reported that anyone who has ever used the app should ensure that the root certificates it installed are removed or blocked.
It is an odd scenario. Sennheiser's headphone software is designed to let users connect their headsets to other devices and applications. To do that, it installed its own root certificate into the computer's trusted certificate store, and because the private key for that certificate shipped with the software, anyone who extracted it could forge certificates for any website and impersonate it to the affected machine.
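As an added example (not code from Sennheiser, Secorvo or Ars Technica), the following PowerShell script performs the check Ars Technica recommends on Windows: it lists certificates in the machine-wide and per-user trusted root stores whose subject or issuer matches a search pattern and, only when asked, removes them. The default pattern `Sennheiser|HeadSetup|SennCom` is an assumption; replace it with the certificate names given in Sennheiser's removal instructions.

```powershell
# Added example, not Sennheiser's or Ars Technica's code.
# Lists trusted root certificates whose subject or issuer matches $Pattern,
# and removes them only when -Remove is given (each removal is confirmed).
# The default pattern is an assumption; substitute the certificate names
# given in Sennheiser's removal instructions.
param(
    [string]$Pattern = 'Sennheiser|HeadSetup|SennCom',
    [switch]$Remove
)

# Both the machine-wide and the per-user root stores are checked, because
# a certificate in either one is trusted for TLS on this system.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $suspects) {
    Write-Output "No trusted root certificates matching '$Pattern' were found."
    return
}

# Show what was found before touching anything; a self-signed root has
# Subject equal to Issuer, so either field may be the one that matched.
$suspects | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        # Removing from LocalMachine\Root requires an elevated session.
        Remove-Item -Path "$($s.Store)\$($s.Thumbprint)" -Confirm
    }
}
```

Run it first without `-Remove` and compare the thumbprints it prints against Sennheiser's removal instructions before deleting anything; the LocalMachine store needs an administrator session. On macOS the equivalent check is `security find-certificate -a -c "<name>" -Z /Library/Keychains/System.keychain`, which prints the SHA-1 hash of each matching certificate in the System keychain.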