Creative declines to classify Katana V2X speaker vulnerability as security risk
A security researcher has shown that the Creative Sound Blaster Katana V2X speaker can be turned into a remote code execution device, but the manufacturer says the flaw does not present a cybersecurity risk.
A security researcher has demonstrated a critical vulnerability in the Creative Sound Blaster Katana V2X speaker that allows an attacker to remotely compromise a connected personal computer. The exploit relies on an unauthenticated Bluetooth Low Energy interface, enabling the device to be transformed into a "Rubber Ducky" style attack tool without the need for physical access or Bluetooth pairing.
The researcher identified that the Creative Transport Protocol, used for device configuration, is bridged to the Bluetooth Low Energy interface without requiring authentication. Firmware updates are performed over this protocol and are not signature-verified; the only check is a trivial SHA-256 checksum, which can be easily patched and does nothing to prove that an image came from the manufacturer. By exploiting these flaws, an attacker can upload custom firmware to the speaker.
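The difference between a checksum and an authenticated update check, shown as an added example that is not code from the researcher or from Creative. The image layout (payload followed by a 32-byte trailer), the key and the sample bytes are constructed for illustration, and HMAC-SHA-256 stands in for the asymmetric signature a device would verify against a vendor public key, so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 / HMAC-SHA-256 output size in bytes

def split_image(image: bytes):
    """Assumed layout (this example only): payload || 32-byte trailer."""
    if len(image) <= TAG_LEN:
        return None  # truncated image: nothing to verify
    return image[:-TAG_LEN], image[-TAG_LEN:]

def verify_checksum_only(image: bytes) -> bool:
    """Unkeyed SHA-256 trailer: detects corruption, not tampering."""
    parts = split_image(image)
    if parts is None:
        return False
    payload, trailer = parts
    return hmac.compare_digest(hashlib.sha256(payload).digest(), trailer)

def verify_authenticated(image: bytes, key: bytes) -> bool:
    """Keyed trailer: only a holder of the key can produce a valid tag.
    HMAC is a stand-in here for an asymmetric signature check."""
    parts = split_image(image)
    if parts is None:
        return False
    payload, tag = parts
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    key = b"constructed-vendor-key"           # constructed sample key
    original = b"CONSTRUCTED-FW audio-only"   # constructed sample payloads
    modified = b"CONSTRUCTED-FW modified!!"
    sha = lambda p: hashlib.sha256(p).digest()
    mac = lambda p: hmac.new(key, p, hashlib.sha256).digest()
    # The unkeyed trailer can be recomputed by anyone who edits the payload;
    # without the key, the same recomputed hash is not a valid tag.
    retagged = modified + sha(modified)
    return {
        "checksum_original": verify_checksum_only(original + sha(original)),
        "checksum_modified": verify_checksum_only(retagged),
        "auth_original": verify_authenticated(original + mac(original), key),
        "auth_modified": verify_authenticated(retagged, key),
        "auth_truncated": verify_authenticated(b"short", key),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The checksum-only verifier accepts the modified payload once its trailer is recomputed, while the keyed verifier rejects the same image.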
The custom firmware modifies the USB report descriptor to present the device as a keyboard and injects ARM assembly code to emulate keystrokes. This allows the execution of arbitrary commands on the host machine. The attack vector involves uploading the modified firmware over Bluetooth, a process that takes approximately 10 minutes due to the speed limitations of the protocol.
Creative Technology has declined to classify the issue as a security vulnerability, stating it does not present a cybersecurity risk. The company did not respond to direct contact attempts from the researcher. The issue was escalated via SingCERT, Singapore’s cybersecurity incident response team, which received a response from Creative nearly two months after the initial disclosure.
No official patch has been released by the manufacturer. A community-developed patch exists that blocks the Creative Transport Protocol over Bluetooth, though this likely breaks functionality with the official Creative mobile app. The researcher noted that the latest firmware version remains vulnerable to the demonstrated attack.


