It turns out that if you use Sennheiser headphones with a Mac, you’re opening yourself up to an attack. The company has already sent out a fix, but let’s find out what happened (via Ars Technica).
Sennheiser Headphones Hack
Sennheiser has a software tool called HeadSetup for Windows and macOS. To make sure that Sennheiser headphones work seamlessly, the tool creates an encrypted WebSocket with a browser. To do this on a Mac, it installs a self-signed TLS certificate in the macOS Trust Store.
The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet.
Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.
The app was encrypted with a passcode, but the passcode was stored in plaintext in a configuration file. Even if you uninstalled the app, the certificate it created would still be trusted. Sennheiser has instructions [PDF] to delete the certificate manually if you no longer use HeadSetup.