Headphones back in the day were largely a plug-and-play affair: you’d plug your headphones into the device and you’d be good to go. For the most part that is still true, but companies these days are trying to make their offerings more feature-rich by letting users customize the sound and other features through software.

Unfortunately for Sennheiser, its attempt at offering more feature-rich headphones resulted in a security vulnerability. The flaw was discovered by security firm Secorvo (via Digital Trends), which found it in the company’s desktop software. According to the discovery, Sennheiser (or whoever designed the software) used the same decryption key for every installation of the software.

This means that, in theory, a hacker who can decrypt this key could issue forged certificates to impersonate any HTTPS website, potentially allowing them to conduct man-in-the-middle attacks. Sennheiser is aware of the issue and stated that they are working on a fix. “Sennheiser was informed about this vulnerability in advance, is aware of the vulnerability impact, and started working on an updated version of HeadSetup to resolve the issue.”

Until the fix is released, the company has offered a temporary workaround, removing the certificate, which you can find on Sennheiser’s support page.


