EXECUTIVE SUMMARY:

Headphones are a common item on Christmas and holiday wish lists. But like most connected things these days, they can become conduits for phishing and malware attacks. A recent vulnerability in Sennheiser's headphone software brought this concern into focus.

Given the prevalence of headphones in office settings—especially in the age of open-plan environments—the software bug is not just a consumer issue.

Sennheiser’s software is intended to help users connect and use their headphones with other devices. Unfortunately, the software installed a trusted root certificate and shipped the corresponding private key along with it. Anyone who extracted that key could issue certificates that affected machines would trust, making it easy for an attacker to impersonate a real website and steal sensitive information such as passwords.

As The Register explains, “an attacker could create a malicious password-stealing website that masquerades as a bank or shopping site, then place a link to the website on a support forum frequented by Sennheiser headset owners. When a Headsetup user visits the fake page, the site presents a HTTPS certificate chained to the Headsetup root cert to pass itself off as a legit secure website. The bogus site would then ask for a username and password – something like ‘please login to continue’ – and swipe the credentials before redirecting to the real site. That would require the fake site to have a carefully crafted domain name like store.amazom.com.”

And while some might be conditioned at this point to simply look for a padlock near the URL, hackers have gotten wise to that. The padlock only means the connection is encrypted and the site's certificate chains to a root the browser trusts; it says nothing about who actually operates the site. So the padlock next to the web address is no longer a trusted way to tell if a website is legitimate. In fact, Brian Krebs reported recently that half of all phishing websites include the padlock and begin with “https://”.

Meanwhile, Israeli researchers have created proof-of-concept malware that could allow hackers to record conversations through headphones even when the microphone is disabled. That puts business secrets at risk of being exposed.

If your device ships with software or connects to other systems, be sure to always update that software to the latest version.

Get the full story at The Register.