USB Speaker Hack Infects PCs Without Physical Contact

Summary
– A Bluetooth-connected speaker, the Creative Sound Blaster Katana V2X, can be exploited for remote code execution on a connected PC.
– Researcher Rasmus Moorats discovered the vulnerability by accident while creating a Linux tool to communicate with his speaker via the proprietary Creative Transport Protocol (CTP).
– CTP allows devices to send commands to the speaker over Bluetooth or USB without any authentication or prior pairing.
– One CTP command, “upload new firmware to device,” lets an attacker replace the speaker’s official firmware with custom code.
– The firmware reflashing process lacks code signing or other security measures to prevent loading unauthorized firmware.
A newly discovered vulnerability shows that remote code execution can sometimes be as straightforward as being in Bluetooth range of a popular gaming speaker. The attack, which requires no physical contact, turns a well-regarded audio device into an unwitting proxy for compromising connected computers.
The flaw resides in the Sound Blaster Katana V2X, a $283 soundbar manufactured by Singapore-based Creative Technologies. This speaker has earned widespread acclaim and numerous positive reviews for its audio performance, particularly as an upgrade from its predecessor, the Sound Blaster V2.
Researcher Rasmus Moorats discovered the exploit by accident after purchasing a Katana V2X. The soundbar connects to PCs, Macs, and Linux machines via USB or Bluetooth. Moorats wanted to build a Linux tool that could communicate with the speaker, and he found he could do so using a proprietary protocol he believes is called Creative Transport Protocol (CTP).
CTP enables connected devices to send commands to the speaker, including instructions for changing LED colors and adjusting equalizer settings. It also allows the speaker to send responses back to those devices. What Moorats found alarming was that his Bluetooth device could connect to the speaker, which was simultaneously connected to a PC via USB, with zero authentication. No pairing was required, and his device did not need to be previously trusted.
Even more concerning, one of the CTP commands is labeled “upload new firmware to device.” Moorats discovered that this command allowed him to replace the official firmware with his own custom code. The firmware reflashing process lacked any code signing or other security measures to prevent the loading of unauthorized software. This effectively turns a vulnerable speaker within Bluetooth range into a gateway for compromising the host PC, bypassing the typical safeguards that operating systems put in place to block remote commands.
(Source: Ars Technica)