If you've ever used a Sennheiser headset or a speaker phone with your Mac (or your Windows computer), the corresponding HeadSetup application has left your computer open to attack.
In what has been described as a "monumental security blunder", the application allows a bad actor to pose as a secure website on the Internet …
To enable Sennheiser headphones and speakers to work seamlessly with computers, HeadSetup establishes an encrypted WebSocket with a browser. To do this, it installs a self-signed TLS certificate in the central location that the operating system reserves for storing browser-trusted certificate authority roots. On Windows, this location is called the Trusted Root CA certificate store. On Mac, it is known as the macOS Trust Store.
The critical vulnerability in HeadSetup comes from a self-signed root certificate installed by version 7.3 of the application, which kept the private cryptographic key in a format that can be easily extracted. Since the key was identical for all installations of the software, hackers could use the root certificate to generate counterfeit TLS certificates mimicking the identity of an HTTPS website on the Internet. Although these self-signed certificates are blatant forgeries, they will be accepted as authentic on computers that store the poorly secured root certificate. Even worse, certificate pinning, a defense against forged certificates, would do nothing to detect the forgery.
Although the application encrypted the key with a passphrase, the passphrase (SennheiserCC) was stored in plain text in a configuration file.
"It took us a few minutes to extract the passphrase from the binary file," André Domnick, researcher at Secorvo, told Ars. From that point on, he effectively had control over a CA that any computer that had installed the vulnerable Sennheiser application would trust until 2027, when the root certificate expires. Domnick created a proof-of-concept attack that created a single certificate. […] Google, Sennheiser and three of Sennheiser's competitors.
Even if you uninstall the application later, the certificate remains trusted. All Mac users who have used the HeadSetup application must manually uninstall the certificate by following Sennheiser's instructions. (The instructions omit the first step, which is to check that you are in the Finder.)
If you still use the application, you can download the latest version of HeadSetup, which should also remove the vulnerable certificate, but the safest option would be to remove it manually, as described above.
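One way to confirm that the root is really gone after removal, shown as an added example (not Sennheiser's or Secorvo's code): fingerprint every certificate in a PEM export of the trusted-root store and diff the result against a known-good baseline. The function names are this example's own, and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

# Matches each certificate in a concatenated PEM export of a trust store.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Return the set of SHA-256 fingerprints (hex) of all certs in a bundle."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_bundle)
    }


def audit_roots(baseline_pem, current_pem):
    """Diff the current trusted-root export against a known-good baseline."""
    baseline = fingerprints(baseline_pem)
    current = fingerprints(current_pem)
    return {
        "added": sorted(current - baseline),    # roots installed after baseline
        "removed": sorted(baseline - current),  # roots missing since baseline
    }


# Constructed sample data: placeholder bytes stand in for DER certificates.
OS_ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed OS root A")
OS_ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed OS root B")
APP_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed app-installed root")

BASELINE = OS_ROOT_A + OS_ROOT_B
AFTER_INSTALL = BASELINE + APP_ROOT
AFTER_UNINSTALL = AFTER_INSTALL      # uninstalling the app leaves the root behind
AFTER_MANUAL_REMOVAL = BASELINE      # root deleted from the trust store by hand

if __name__ == "__main__":
    for name, export in [
        ("after install", AFTER_INSTALL),
        ("after uninstall", AFTER_UNINSTALL),
        ("after manual removal", AFTER_MANUAL_REMOVAL),
    ]:
        print(name, audit_roots(BASELINE, export)["added"])
```

On macOS, `security find-certificate -a -p` run against the System keychain produces a PEM export of this shape; the baseline has to be captured on a machine that never had the application installed.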