Sennheiser HeadSetup Pro Vulnerability Leaked Private Keys


Fully [H]
Apr 10, 2003
Sennheiser HeadSetup and HeadSetup Pro were recently updated because the softphone applications installed root certificates and then leaked the private keys. Malicious actors could extract the private keys and use them to spoof other websites and software publishers. To fix the issue, Microsoft recommends that users update their HeadSetup and HeadSetup Pro software to the latest version.

Upon such a rare inspection of the Trusted Root CA store, we stumbled across two unexpected root certificates. The issuer names in these two certificates indicated that they have a connection to the Sennheiser HeadSetup utility software installed on our systems in conjunction with the connected headsets of this manufacturer. We found that - caused by a critical implementation flaw - the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker. This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser.