Sennheiser Evolution Wireless Digital: Security Configuration Guide for EW-DX Devices
This guide provides comprehensive instructions on enabling and managing the security features for Sennheiser EW-DX devices. It covers essential aspects like encryption, device authentication, and secure third-party access, ensuring the protection of your wireless audio systems in professional environments.
Introduction
In today's digital environments, safeguarding wireless audio systems is critical. Sennheiser EW-DX receivers offer multiple layers of protection to secure communication, data transfer, and device access. This guide outlines how to enable and manage the security features of EW-DX devices (EM 2, EM 2 Dante, EM 4 Dante), using both device interfaces and software tools such as Sennheiser Control Cockpit, Wireless Systems Manager (WSM), or SoundBase.
Enhanced Security Features with EW-DX
Sennheiser applies the following principles to ensure device security:
- Security by design
- Compliance with international standards, e.g.:
  - ETSI EN 303 645
  - EU RED
  - California SB 327
- Encrypted communication:
  - AES-256 for audio
  - HTTPS for control
- Device authentication and claiming
- Secure 3rd party API access
Key Product Security Features
EW-DX devices (EM 2, EM 2 Dante, and EM 4 Dante) support enhanced security measures, ensuring both a secure connection between devices via radio and secure data transfer over Bluetooth® and on the network. The following security features can be activated or deactivated as needed:
- AES-256 Link Encryption: Protects audio and control communication between devices.
- Device Claiming & Authentication: Ensures authorized control access using passwords.
- SSCv2 API Encryption: Secures 3rd party integration via HTTPS.
- Dante® Media Encryption: An optional channel encryption for Dante networks.
Bluetooth® and Security
Bluetooth® is a wireless technology standard enabling data exchange over short distances using radio waves in the 2.4 GHz band. Bluetooth® data is encrypted using various protocols to protect against eavesdropping and other malicious attacks. This includes pairing encryption, which secures the initial pairing process, and link encryption, which protects data during transmission.
Bluetooth® Pairing
Sennheiser EW-DX devices utilize Bluetooth® Low Energy (BLE) for communication between the receiver module (EM) and the Smart Assist App, and for synchronizing transmitters and receivers. BLE ensures an energy-efficient connection and simplifies device configuration.
How to Enable and Use the Security Features
Connection to the Smart Assist App
The security of the connection is ensured by the Numeric Compare procedure, which uses a unique, secret key to authenticate and encrypt the connection between devices.
Synchronization between Transmitter and Receiver
There are two scenarios for connection, depending on whether link encryption is activated:
- Link Encryption Enabled: The "Just Works" pairing procedure is used, establishing automatic encryption between the EM and other devices (SK, SKM, TS) for a secure connection.
- Link Encryption Disabled: A standard, unencrypted connection is established, suitable for situations where security is not a primary concern and a faster connection is preferred.
Overall, BLE functionality provides a flexible and secure way to connect and control devices via the Smart Assist app.
ℹ️ Bluetooth® encryption (Link Encryption) is deactivated by default.
Link Encryption
You can secure the radio link between the transmitter and receiver by enabling AES-256 encryption. Once activated, all communication will be protected with AES-256. Enabling Link Encryption covers:
- The connection between the transmitter and receiver for audio transmission.
- The connection between the transmitter and receiver for device setting synchronization.
- The connection between the device and the Smart Assist App for smart setup and remote control via iOS and Android devices.
Device Control Encryption and Authentication
As of firmware version 4.0.0, all control communication over the network for EW-DX receiver devices (EM 2, EM 2 Dante, and EM 4 Dante) is encrypted and authenticated. Devices are password-protected and must be claimed in the control software before use. To maintain security, firmware versions cannot be downgraded.
Benefits of Device Claiming
Device claiming is a feature of Sennheiser Control Cockpit Software, Wireless Systems Manager, and SoundBase that allows users to claim ownership of their devices, providing an extra layer of security and control. It assigns a device to one or more remote installations, preventing unauthenticated device control within the network. Initial configuration involves setting a mandatory device password. Multiple software applications can use this password simultaneously. Once claimed, device settings can only be viewed and modified via an encrypted connection requiring the configuration password. Control Cockpit 9.0+, WSM 4.9.0+, and SoundBase 2.0.23+ allow claiming multiple devices simultaneously.
Claiming Single Device (Control Cockpit)
When connecting a device to a Sennheiser Control Cockpit instance for the first time, it appears as an unclaimed device. If the device is in factory default state, the original password is used. If previously claimed, the existing password is required; a hardware reset can restore the default password ("sennheiser").
To claim a single device:
- Connect the device's control network port to the network.
- Open Control Cockpit and navigate to the Device list view.
- The new device appears as "Not claimed." Add manually via IP address if not listed.
- Click "Claim device."
- Read and agree to the software licenses, then click "Next."
- Enter the device's password if previously set. If not, a new password will be requested.
Password Requirements: At least ten characters, including one lowercase letter, one uppercase letter, one number, and one special character. Maximum length is 64 characters.
After setting the password, the device is claimed and available for use. Passwords can be viewed and changed on the device's Access tab.
Claiming Multiple Devices (Control Cockpit)
To claim multiple devices simultaneously:
- Connect devices' control network ports to the network.
- Open Control Cockpit and go to the Device List view.
- Select the desired devices.
- Click "Claim devices" at the top right.
- Follow the prompts for the multi-selection claim process.
The devices are then claimed by your Control Cockpit instance.
Claiming Single Device (Wireless Systems Manager)
Unclaimed devices are marked as "unclaimed" in the channel view and appear in yellow in the device list.
To claim a single device for your WSM instance:
- Connect the device's control network port to the network.
- Open Wireless Systems Manager.
- Right-click the displayed device and select "Claim."
A modal prompts you to set a new password meeting the specified requirements (at least ten characters, including lowercase, uppercase, number, and special character). After setting the password, the device is claimed to WSM.
Claiming Multiple Devices (Wireless Systems Manager)
To claim multiple devices at once in WSM:
- Select the devices to be claimed.
- Right-click and select the "Bulk Claiming" option.
- Enter new passwords and click "Bulk Claim." Progress is displayed.
- Click "Finish" to complete the process.
The devices are now claimed to WSM.
Authentication During Operation (Wireless Systems Manager)
Authentication is required to use a device with another client or reassign it. Unauthenticated channels appear in orange in the device list.
To authenticate:
- Right-click the unauthenticated device and select "Authenticate."
- Enter the device's password in the new window.
- Click "Authenticate."
The device is ready for use.
Claiming Device (SoundBase)
Devices can be discovered using SSCv1 or SSCv2 protocols, ensuring compatibility in mixed environments.
To claim a single device for your SoundBase instance:
- Connect the device's control network port to the network.
- Open SoundBase.
- In the Coordination Area, click "Devices" then "Discover."
- Click the '+' icon to add discovered devices.
You will be prompted to set a new password for the device, which is stored in the project file. Click "Claim device" after entering the password.
Multiple devices can also be selected and added at once for easy integration of multichannel systems.
Resetting the Device Password (EW-DX Device)
Device passwords can only be reset via a factory reset (on-device or remotely via Control Cockpit/WSM) or a network reset (on-device).
- Factory Reset: Resets the receiver to factory settings, losing all settings and active connections. Accessible on-device and remotely.
- Network Reset: Resets network settings and the claiming password.
To reset to factory settings on the device, navigate through the device's menu: SET > This Device > Reset > Factory.
To reset network settings on the device, navigate through the device's menu: SET > This Device > Reset > Network.
Resetting the Device Password (Control Cockpit)
To reset via Control Cockpit Software:
- Navigate to Devices > your EW-DX device > Device.
- Under "Factory Reset," toggle the slider to enable it and click "OK."
The device will reset, restoring default values.
Resetting the Device Password (Wireless Systems Manager)
To reset via Wireless Systems Manager:
- In WSM, right-click your EW-DX device.
- Select "Reset."
The device will reset, restoring default values.
Secure 3rd Party Access
With firmware version 4.0.0 and higher, 3rd party access is deactivated by default. It can be enabled via Control Cockpit or Wireless Systems Manager. Two API protocols are available:
- Secure API (Recommended): Uses the encrypted Sennheiser Sound Control Protocol v2 (SSCv2) with a username and password.
- Legacy API (Not Recommended): Uses the unsecured Sennheiser Sound Control Protocol v1 (SSCv1) based on UDP/TCP, without password protection. Use at your own risk.
Enabling 3rd Party Access in Control Cockpit
- Update device firmware (≥4.0.0).
- In the control software, navigate to Devices > your device > Access > 3rd Party Access.
- Click "Edit" and activate "Secure" for encrypted connection via SSCv2.
- Alternatively, choose "Legacy" for unsecured communication (SSCv1).
Enabling 3rd Party Access in WSM
- Update device firmware (≥4.0.0).
- Right-click the displayed device and select:
  - "Enable 3rd Party Access" (recommended) for encrypted connection via SSCv2.
  - "Enable Legacy Mode" for unsecured communication (SSCv1).
Dante® Encryption
Dante media encryption secures Dante network communication by concealing media content during transmission using the Advanced Encryption Standard (AES) with a 256-bit key. This prevents unauthorized eavesdropping or interference with Dante media traffic. Refer to Audinate documentation for details.
Resetting the Configuration Parameters of the Dante Controller
All configured parameters in the Dante Controller can be reset to default settings. This includes user-defined names, clock configuration, sample rate, latency, and audio routes. Network configurations (IP settings, mode) are retained.
To reset parameters:
- In Dante Controller, navigate to the "Device Config" tab.
- Click "Clear Config" at the bottom.
Parameters are reset to default settings. Further support is available on the Dante Controller website.
Summary
Implementing the security features outlined in this guide ensures that Sennheiser EW-DX devices remain protected in any professional environment. Regular firmware updates, strong password management, and proper configuration of encryption and network access are vital for maintaining a secure audio network. For further assistance or firmware downloads, please visit the Sennheiser Product Security website.
Ports, Protocols, and Services
To enable communication between the software and EW-DX devices, specific ports must be open, particularly on enterprise firewalls. Consult your local administrator for configuration.
Port Requirements
Dante® Network
Port | Protocol | Service | Description |
---|---|---|---|
319, 320 | PTP | | |
4440, 4444, 4455 | UDP | Audio Control | |
4321 | ATP Multicast Audio | | |
5004 | AES67 Multicast Audio (RTP / AVP port) | | |
5353 | UDP | mDNS (Multicast 224.0.0.251) | Discovery mDNS |
8002 | UDP | Dante Lock Server | |
8700-8708 | Multicast Control and Monitoring | | |
8800 | UDP | Control & Monitoring | |
9875 | SAP (AES67 discovery) | | |
14336-14591 | UDP | Unicast Audio | |
8753 | TCP | mDNS clients | |
8001 | UDP | Dante Millau Device Proxy | |
8900 |
Sennheiser Control Cockpit
Port | Protocol | Service | Description |
---|---|---|---|
6969 | Auto setup | | |
22 | SCP/SSH | SCP Firmware update | (firmware version <4.0.0) |
45, 6970 | UDP, TCP | SSC Sound Control Protocol v1 | SSCv1 (firmware version <4.0.0) |
443 | TCP | SSC Sound Control Protocol v2 | SSCv2 and update (firmware version ≥4.0.0) |
5353 | UDP | mDNS (Multicast 224.0.0.251) | Discovery mDNS (inbound & outbound) |
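The firmware split in the Control Cockpit table above can be checked automatically once you have a list of reachable ports per receiver. The following Python audit is an added example, not Sennheiser code: the `Device` record, the sample addresses and the inventory are constructed, and reading an answering SSCv1 port on firmware ≥4.0.0 as a sign that Legacy 3rd party access is enabled is an assumption drawn from the tables, not documented device behaviour.

```python
from dataclasses import dataclass
# Port values come from the Control Cockpit table on this page.
SSCV1_PORTS = {45, 6970}     # SSCv1, unsecured (listed for firmware < 4.0.0)
SCP_PORT = 22                # SCP firmware update (listed for firmware < 4.0.0)
SSCV2_PORT = 443             # SSCv2 control and update (firmware >= 4.0.0)
SECURE_BASELINE = (4, 0, 0)  # control traffic encrypted and authenticated from here

@dataclass
class Device:                # hypothetical record produced by your own scanner
    ip: str
    firmware: str
    open_ports: set

def parse_version(text):     # '4.1.0' -> (4, 1, 0); ValueError on anything else
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected firmware version: {text!r}")
    return parts

def audit(device):           # findings for one device; an empty list means clean
    try:
        version = parse_version(device.firmware)
    except ValueError:
        return ["firmware version unreadable, check manually"]
    if version < SECURE_BASELINE:
        return ["firmware predates 4.0.0: control not yet encrypted and authenticated"]
    findings = []
    legacy = sorted(SSCV1_PORTS & device.open_ports)
    if legacy:
        # Assumption: an answering SSCv1 port on >= 4.0.0 means Legacy mode is on.
        findings.append(f"SSCv1 port(s) {legacy} reachable: Legacy API may be enabled")
    if SCP_PORT in device.open_ports:
        findings.append("port 22 reachable, but SCP update is listed for < 4.0.0 only")
    if SSCV2_PORT not in device.open_ports:
        findings.append("port 443 not reachable: SSCv2 control and update blocked")
    return findings

# Constructed inventory; addresses are from the 192.0.2.0/24 documentation range.
INVENTORY = [
    Device("192.0.2.10", "4.0.0", {443, 5353}),
    Device("192.0.2.11", "4.1.0", {45, 443, 5353}),
    Device("192.0.2.12", "3.2.1", {22, 45, 5353}),
]

def audit_all(devices):
    return {d.ip: audit(d) for d in devices}

if __name__ == "__main__":
    print(audit_all(INVENTORY))
```

Feed `audit_all` the results of your own authorised port inventory; a device that returns an empty list matches the ≥4.0.0 rows of the table.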
Wireless Systems Manager
Port | Protocol | Service | Description |
---|---|---|---|
2012 | TCP | Microsoft WCF for WSM | WSM.server.exe |
6970 | TCP | Internal EM6000/L6000 protocol | WSM.server.exe |
8008 | TCP | Metering data | WSM.server.exe (Formerly 8005) |
8006 | TCP | Device properties | WSM.server.exe |
8007 | TCP | Device warnings | WSM.server.exe |
5353 | UDP | mDNS (Multicast 224.0.0.251) | Discovery mDNS (inbound & outbound) |
SoundBase
Port | Protocol | Service | Description |
---|---|---|---|
443 | HTTPS | Web UI / Update service | |
8427 | UDP | Data Management | |
2202 | UDP | Data Management | |
5353 | UDP | mDNS (Multicast 224.0.0.251) | Discovery mDNS (inbound & outbound) |