If you’ve ever used a Sennheiser headset or speakerphone device with your Mac (or Windows PC), the accompanying HeadSetup app has left your machine wide open to attack.
In what has been described as a ‘monumental security blunder,’ the app allows a bad actor to successfully impersonate any secure website on the Internet …
ArsTechnica explains.
Although the app encrypted the key with a passphrase, the passphrase itself (SennheiserCC) was stored in plaintext in a configuration file.
The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.
Even if you later uninstalled the app, the certificate would still be trusted. All Mac users who have ever used the HeadSetup app should manually uninstall the certificate by following Sennheiser’s instructions. (The instructions leave out the first step, which is to ensure you’re in the Finder.)
If you still use the app, you can download the latest version of HeadSet, which should also delete the vulnerable certificate, but the safest option would be to do it manually as above first.
