Sennheiser's headphone software could allow attackers to intercept data

The company has issued a fix for the flawed apps.

Sennheiser's HeadSetup and HeadSetup Pro software poses a cybersecurity risk, according to a vulnerability disclosure from Germany's Secorvo Security Consulting. The headphone-maker is now urging users to update to new versions of the software after researchers revealed it was installing a root certificate, along with an encrypted private key, into the Trusted Root CA Certificate store, which could enable man-in-the-middle (MITM) attacks.

Sennheiser says its update rids HeadSetup of vulnerable certificates. You can download it from the company's support site. To be clear, the problem doesn't lie with the company's hardware, which ranges from wireless headphones to office headsets.

In the wake of Secorvo's report, Microsoft also warned users that digital certificates were disclosed in Sennheiser's apps, which could allow bad actors to remotely spoof websites or content. The flaw is being compared to the Lenovo Superfish bug from 2015: preloaded adware on Lenovo's laptops that installed a man-in-the-middle certificate, allowing hackers to spy on secure websites users were visiting.
