nav search
Data Centre Software Security DevOps Business Personal Tech Science Emergent Tech Bootnotes

back to article
Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

Anonymous Coward
Anonymous Coward

Developers, developers, developers

Lame, lame, lame! Enough said.

Yet Another Anonymous coward
Silver badge

Not a problem

None of them are online, they are all waiting for $500 unidirectional gold ethernet cables

Someone Else
Silver badge


A man in the MIDI, sorry, middle attack could [...]

Shaun? Stop that now, young man!

Dan 55
Silver badge

We're told Headsetup is a tool that connects voice chat websites to posh Sennheiser headsets.

Why did Sennheiser think Bluetooth or a USB dongle were so lacking that they had to do this nonsense?

Silver badge

Why? Because they aren't gold plated, of course. The Sennheiser software gold plates every data packet it handles for the ultimate digital audio experience.

the spectacularly refined chap

To be fair Sennheiser make some genuinely decent kit, it isn't bling and flash for the sake of it. Look at their product range and the kind of accessories you cite are conspicuous by their absence, they're not the same as e.g. Beats, charging a premium for stuff that is at best mid-range.

Yes, a lot of the premium priced brands are simply marketing with nothing of substance to back it up, but genuine high-end audio gear commands a fair price too. You need to distinguish between the two.

Pascal Monett
Silver badge

Re: Why did Sennheiser [..] do this nonsense?

My question exactly. I've had radio headphones plugged into the TV for years, they didn't need no stinkin' app to work.

My current headphones are a not-too-pricey Sony model that work fine and plug in like every other kind I've ever had. I fail to see what is the point in having an app at all. You have an app for the sound card (or chip these days), that is where the tweaking should take place.

But headphones are for listening to the output, not for fiddling with it.


Maybe they had been drinking the same kool-aid as the IOT tat merchants - everything must connect back to the manufacturers site.

Think of the data slurping opportunities...

Martin an gof
Silver badge

Sennheiser does other stuff too

The question is whether they have done this trick with other kit too - Sennheiaer not only makes consumer products, but also professional kit such as near-ubiquitous radio microphones and medical kit such as hearing aids used by large numbers of NHS and private clinjcs. These days everything is set up by computer so if they have used a similar technique on the software, there could be hundreds of vulnerable computers sitting in clinics (ane TV studios) around the country.

How would we find out?


Dan 55
Silver badge

Re: Sennheiser does other stuff too

Checking if there's a Sennheiser root certificate in the certificate store.

Silver badge

Re: Sennheiser does other stuff too

Thanks for the Headsetup

Anonymous Coward
Silver badge

Re: Sennheiser does other stuff too

But those other things don't need a HTTP proxy to work. The software in question was to link scripts on arbitrary websites to the local hardware and is only required because the browsers are reluctant to do cross-domain stuff like that.

Radio mics don't tend to transmit over HTTP.

Not saying that they haven't bundled the crap with other installers, or made similar SNAFUs, just saying that this particular cockup is unlikely to affect other devices.

Silver badge

Re: Sennheiser does other stuff too

I agree that this is unlikely to affect their other kit, but it does highlight the fact they don't "get" security and the focus was 100% on just making their kit work regardless.

Which isn't brilliant.

bombastic bob
Silver badge

Re: Sennheiser does other stuff too

their headphones are really good. But yeah, good at headphones. not so much at network security.


The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

Silver badge

Maybe they do get security

But work for, dunno, Amber Rudd or perhaps some .gov entity in Oz or the US?

The list of those who want backdoors isn't a short one.

Silver badge


Great value headphones.

Yet people would still buy fashion brands of low quality. Simply due to a peer pressure.

Why do people still buy say Beats junk?

Version 1.0
Silver badge

Re: Sennheiser

I was happy paying $$$ for a Sennheiser HD280PRO without any damn internet connection at all - and everyone who listens with them just sits there stunned because they have never heard sounds that realistic, or that clear.

I keep them away from Fat Freddies cat though.

Silver badge

My Marshalls headphones work fine without any sort of software or root certificates. What could a headphone possibly do that requires anything other than the standard operating system audio stack?

Silver badge


CDs. Conventional Stereo. Wired headphones.

aka "Air Gapped Music".

T'would seem I am immune to this dastardly exploit. Suck on it, net-aware fadyoofs.

Anonymous Coward
Anonymous Coward

Certificate Security played with a private key of F major

bombastic bob
Silver badge

Just 'A minor' setback. It will 'B sharp' soon enough. Enough to 'C major' improvements.

Q: what has 17 flats?

A: An 18-wheeler with one good tire

coat, please

Someone Else
Silver badge


Certificate Security played with a private key of F major

Bah! iI they were really that good, their private key would be F# minor.


Re: @AC

Was the code written in C#?


I bet that, for such an attacker, this will be music to their ears


They made a pig's ear of that

Other than amazing sound quality, the best thing about (some) Sennheisers is that you can replace any part when it fails. After years of having to throw away great headphones from other manufacturers because of a mysteriously located cable break, or sonically obliterated driver, broken headband, lost and inexplicable tiny plastic part etc... I got some HD600s and haven't looked back.

Chairman of the Bored
Silver badge

Life ain't fair

Now that I've worked long and hard enough to afford network connected, software infested, high-end audio tat... hearing is shot from decades of exposure to cooling fans, screaming managers, pleading customers, and so forth. Maybe the whole 'go to war' thing might not have helped, either.

But, that's why I've got a 100W stack with an ominous subwoofer. To paraphrase Trump, "Crank her up! Crank her up!"

Mines the one with the hearing aids and Metallica tickets in the pocket...

Chairman of the Bored
Silver badge

Gold plated tat ... and star employees

A two part story about some great employees...

Part 1:

An engineer working for me was in a Best Buy (for right pondians, think of an ironically named version of Currys). In this Best Buy he observed a salesman foisting gold-plated HDMI cables on an unsuspecting elderly lady, "Ma'am, you see, the gold plating prevents the audio from having hiss and crackle..." As this was a bridge too far, he engaged the salesman and saved her a load of cash. Actually, after his analog/digital explanation she was so pissed she abandoned her multi-thousand dollar TV order. Our hero got ejected from the store, told he would be arrested (for what?) if he ever re-entered, and called some things I'm not going to repeat here.

Part 2:

He never re-entered. But morale around the office suddenly became extremely high. It turns out that somebody bought some TV-B-Gones ( and clandestinely installed in the store so that the TVs on display would turn off. My people set up a seemingly random succession of "customers" who would rotate out the TV B Gones as they ran out of batteries. Hard to sell overpriced crap when it keeps shutting off, and your employees are running around with their hair ablaze.

I'm proud of these people but a little upset I wasn't invited to participate.


Certificate pinning won't help

Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.

(I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing