Security researcher Rasmus Moorats has demonstrated that Creative’s Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from roughly 16 yards (15 meters) away, with no pairing or physical contact, in a blog post published on June 3. By exploiting an unauthenticated Bluetooth interface and the absence of firmware signing, an attacker can flash custom firmware onto the speaker over the air, turning the USB-connected device into a keyboard that types commands into the host PC. Creative, which was contacted through Singapore’s national cyber response team, took close to two months to reply and concluded the behavior was not a security risk, leaving owners of the ~$280 soundbar without an official patch.
The Katana V2X communicates with Creative’s desktop app via a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy, the same protocol accepts the same commands without authentication or pairing, so any device in range could read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after editing the image.
To weaponize that, he edited the speaker’s USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already provided. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed “echo pwned,” but the same routine could open PowerShell and paste a malicious one-liner.
Reprogramming a trusted USB peripheral into a keyboard is how BadUSB works, which is the technique Karsten Nohl and Jakob Lell presented at Black Hat back in 2014, when they warned that most USB controllers shipped without firmware authenticity checks.
Those attacks required someone to plug in a doctored device, but Moorats managed to remove that step, since the malicious peripheral here is hardware the victim already owns and trusts, rewritten from across a room. We’ve seen similar patterns in other consumer gear over the years, including an internet-connected bed whose firmware exposed the owner’s home network and the BlueBorne flaws that handed attackers control of Bluetooth devices without pairing.
Getting in touch with the speaker’s manufacturer, Creative, was the harder part of the work, Moorats wrote, because the only way to contact the company is via its support web form. After two failed attempts, he instead reported the company via the Singapore Cyber Emergency Response Team (SingCERT), which itself struggled to get a response.
Creative’s eventual reply, according to his account, was that they “do not consider this to be a vulnerability, as it does not present a cybersecurity risk.” Moorats ultimately ended up doing Creative’s work for it, releasing a tool that downloads Creative’s official firmware, patches out CTP-over-Bluetooth, and reflashes the speaker over USB. Doing so likely breaks Creative’s mobile app, however, and Moorats noted that adding proper authentication is hard without the company’s source code. Bluetooth on the speaker stays on even in sleep mode, with no obvious way to disable it.
Follow Tom’s Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
