If you have ever used a Sennheiser headset or speakerphone with your Mac (or Windows PC), the supplied HeadSetup app has left your machine open to attack.
In what has been described as a "monumental security blunder," the app allows a bad actor to successfully impersonate a secure website on the Internet …
To allow Sennheiser headphones and speakerphones to work seamlessly with computers, HeadSetup establishes an encrypted connection with a browser. To do this, it installs a self-signed TLS certificate in the central location an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it is known as the macOS Trust Store.
The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app, which kept the private cryptographic key in an easily extracted format. Because the key was identical across all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated HTTPS websites on the Internet. Although the forged certificates were blatant fakes, they would be accepted as authentic on computers that store the poorly secured root certificate. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.
Although the app encrypted the key with a passphrase, the passphrase (SennheiserCC) was stored in plain text in a configuration file.
"It took us a few minutes to extract the password from the binary," Secorvo researcher André Domnick told Ars. From then on, he had effective control over a certificate authority that any computer that had installed the vulnerable Sennheiser app would trust until 2027. Domnick created a proof-of-concept attack that created a single certificate […] that spoofed Google, Sennheiser and three of Sennheiser's competitors.
Even if you later uninstalled the app, the certificate would still be trusted. All Mac users who have ever used the HeadSetup app should manually uninstall the certificate by following Sennheiser's instructions. (The instructions omit the first step, which is to make sure you are in Finder.)
If you are still using the app, you can download the latest version of HeadSetup, which will also delete the vulnerable certificate, but the best option is to remove it manually first, as described above.
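Because the root stays trusted after the app is uninstalled, it is worth confirming that it is really gone. The following is an added example, not code from Sennheiser or Secorvo: it scans a PEM export of a trust store for certificates whose SHA-256 fingerprint is on a watch list. The article does not give the certificate's fingerprint, so the sample certificates and the watched value are constructed stand-ins; take the real fingerprint from the vendor's advisory.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used only to build the sample bundle)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def split_pem(bundle: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]

def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(hexchars) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return hexchars

def find_watched(bundle: str, watchlist: list[str]) -> list[tuple[int, str]]:
    """Return (position, fingerprint) for each certificate on the watch list."""
    wanted = {normalize(fp) for fp in watchlist}
    hits = []
    for index, der in enumerate(split_pem(bundle)):
        fp = hashlib.sha256(der).hexdigest()  # fingerprint is taken over the DER bytes
        if fp in wanted:
            hits.append((index, fp))
    return hits

# Constructed sample data: arbitrary bytes standing in for real certificates.
CONSTRUCTED_DER_A = b"constructed stand-in for the vulnerable root"
CONSTRUCTED_DER_B = b"constructed stand-in for an unrelated root"
SAMPLE_BUNDLE = to_pem(CONSTRUCTED_DER_A) + to_pem(CONSTRUCTED_DER_B)

if __name__ == "__main__":
    # Placeholder watch list: replace with the fingerprint from the advisory.
    watch = [hashlib.sha256(CONSTRUCTED_DER_A).hexdigest()]
    for index, fp in find_watched(SAMPLE_BUNDLE, watch):
        print(f"certificate #{index} matches watched fingerprint {fp}")
```

On macOS, one way to produce the PEM bundle is `security find-certificate -a -p /Library/Keychains/System.keychain`; an empty result from `find_watched` on that export means no watched root remains in that keychain.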