PSA: If you’ve ever used a Sennheiser headset with your Mac, it is wide open to attack

If you’ve ever used a Sennheiser headset or speakerphone device with your Mac (or Windows PC), the accompanying HeadSetup app has left your machine wide open to attack.

In what has been described as a ‘monumental security blunder,’ the app allows a bad actor to successfully impersonate any secure website on the Internet …

To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted Websocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store.

The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.

Although the app encrypted the key with a passphrase, the passphrase itself (SennheiserCC) was stored in plaintext in a configuration file.

“It took us a few minutes to extract the passphrase from the binary,” Secorvo researcher André Domnick told Ars. From then on, he effectively had control of a certificate authority that any computer that had installed the vulnerable Sennheiser app would trust until 2027, when the root certificate was set to expire. Domnick created a proof-of-concept attack that created a single certificate […] that spoofed Google, Sennheiser, and three of Sennheiser’s competitors.

Even if you later uninstalled the app, the certificate would still be trusted. All Mac users who have ever used the HeadSetup app should manually uninstall the certificate by following Sennheiser’s instructions. (The instructions leave out the first step, which is to ensure you’re in the Finder.)

If you still use the app, you can download the latest version of HeadSetup, which should also delete the vulnerable certificate, but the safest option would be to do it manually as above first.
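As an added example (not from Sennheiser, Secorvo or the original article), the script below lists self-issued certificates in an exported trust store so that a root left behind by an uninstalled app can be spotted and reviewed. It assumes the `openssl` CLI is available; the function name `audit_roots` and the baseline-file format are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: flag self-issued certificates (subject == issuer, which is
# what a locally installed root looks like) that are not in a reviewed baseline.
#
# On macOS the admin keychain can be exported first with:
#   security find-certificate -a -p /Library/Keychains/System.keychain > system.pem
#
# audit_roots BUNDLE [BASELINE]
#   BUNDLE   - PEM file holding one or more certificates
#   BASELINE - optional file of approved SHA-256 fingerprints ("AA:BB:..."),
#              one per line (hypothetical format for this example)
# Prints "fingerprint<TAB>notAfter<TAB>subject" for each unreviewed certificate.
audit_roots() {
    local bundle=$1 baseline=${2:-/dev/null} tmp f hashes fp
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        # Two name hashes are printed; equal hashes mean subject == issuer.
        hashes=$(openssl x509 -in "$f" -noout -subject_hash -issuer_hash 2>/dev/null) || continue
        [ "$(echo "$hashes" | sed -n 1p)" = "$(echo "$hashes" | sed -n 2p)" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        # Skip certificates whose fingerprint has already been reviewed.
        grep -qiF -- "$fp" "$baseline" && continue
        printf '%s\t%s\t%s\n' "$fp" \
            "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')"
    done
    rm -rf "$tmp"
}
```

Anything the script prints is a candidate for review in Keychain Access, not proof of compromise; a long-lived root with an unfamiliar subject is the pattern the article describes.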


Antlion ModMic 5 review: The best headset mic you can get, but is it worth it?

Antlion Modmic 5

“Why buy a headset when you could just buy a great pair of headphones and a good microphone for the same price?” So goes the conventional wisdom in comment sections around the world, every time someone dares to suggest that a gaming headset might not be so bad a purchase.

But what if the self-professed audiophiles are right? And what if you could get the same form factor as a headset, but with any top-tier pair of headphones? Wouldn’t that be a better deal?

We went hands on with the ModMic to find out.

Hand in hand

ModMic isn’t new by any means. Since 2011, Antlion Audio has done one thing and done it well: It’s allowed gamers to take their high-end headphones, attach a microphone on the side, and thus get great sound with (most of) the convenience of a dedicated gaming headset.

It works exactly as you’d expect, basically. The ModMic costs $69.95 on Amazon and arrives in a tiny little box. After all, it’s just a microphone. Nothing too surprising here. Inside the box is a padded carrying case, and inside the case is the mic itself, along with a bundle of cables.

You then take the ModMic and affix it to the side of your headphones, probably the left ear as is standard. A bit of 3M double-sided tape holds it in place, and…that’s it. Your headphones are now a headset.

It’s a somewhat permanent installation, which can be a bit hair-raising when you’re talking about audiophile headphones. The Sennheiser HD 280s I had lying around aren’t even that nice, but I did hesitate as I affixed the ModMic to the outside. “Am I okay with this? Forever?”

The good news is that it’s somewhat permanent. The ModMic is actually two pieces. The larger piece is the mic itself, along with the boom arm. But the part that’s actually affixed to your headphones is just a small disc, about the size of a dime. The microphone attaches magnetically to the disc, so you’re free to remove the bulk whenever you’d like. All that’s left over is the weird magnetic rivet on the outside (as seen in the image below).

The next challenge is cable routing. With a headset, you usually have both your audio and mic cables combined into one, at least until they reach the PC. With the ModMic, you obviously don’t have that luxury. Instead you run a second 3.5mm cable from the ModMic to your computer, with the option to insert a mute toggle in the middle.

Our ModMic review unit came supplied with some cable sheaths, in order to wrap the ModMic and headphone cables together. The problem is that the HD 280s use a coiled, telephone-style cable for most of their length, so I was only able to wrap the top section effectively. The result was a bit of a mess, aesthetically. With other headphones that use conventional cables, you’d probably achieve a relatively sleek result.

Still, overall, a dedicated headset is going to win out aesthetically. No surprise there—that’s why they exist. Combining headphones and a microphone into a single device allows for a more elegant and efficient design.

Testing, testing

But what about performance? After all, that’s what people are talking about when they say you should separate your headphone and microphone purchases. The theory is that you could buy audiophile-grade equipment in both categories for the price of a single, middling headset.
