
Creative Technologies disputes vulnerability claims after researcher hacks Sound Blaster speaker

Security researcher Rasmus Moorats demonstrated how the Sound Blaster Katana V2X could be turned into a keyboard proxy to infect connected PCs, but the company maintains the behaviour is by design.

Author: Owen Mercer, Markets and Finance Editor
Source: Ars Technica
Highly reviewed speaker can be hacked over the air to infect connected devices
Singapore-based manufacturer says remote code execution via Bluetooth is not a flaw

Security researcher Rasmus Moorats has demonstrated a critical security flaw in the Creative Sound Blaster Katana V2X speaker, a widely acclaimed soundbar manufactured by Singapore-based Creative Technologies. The vulnerability allows an attacker within Bluetooth range to upload custom firmware to the device without authentication or prior pairing. Once compromised, the speaker can masquerade as a Human Interface Device, specifically a keyboard, to execute arbitrary commands on a connected PC.

The attack exploits a proprietary mechanism known as the Creative Transport Protocol, which allows devices connected via Bluetooth or USB to send commands to the speaker. Moorats discovered that the protocol’s command to upload new firmware does not use code signing or other measures to verify the authenticity of the code. Consequently, an attacker can replace the official firmware with a custom image without triggering any security warnings.

The speaker runs on FreeRTOS and implements a limited Human Interface Device function. Moorats modified the USB descriptor set to report the speaker as a keyboard, then used existing firmware code to streamline the process of sending keypresses. By chaining these elements, he successfully uploaded custom firmware over the air, rebooted the device, and executed the command "echo pwned" on a host machine. In a real-world scenario, an attacker could open PowerShell or similar applications to execute malicious one-liners.
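A host-side check for the descriptor change described above, as an added example that is not from the researcher or Creative: it parses a device's HID report descriptor and reports whether a top-level keyboard collection has appeared relative to a recorded baseline. Both sample descriptors are constructed for illustration and were not dumped from the Katana V2X; the function names are hypothetical.

```python
"""Added example: alert when a HID report descriptor gains a keyboard collection."""
GENERIC_DESKTOP, KEYBOARD, APPLICATION = 0x01, 0x06, 0x01

def top_level_usages(desc: bytes) -> set:
    """Return {(usage_page, usage)} for every top-level Application collection."""
    found, page, usage, depth, i = set(), 0, None, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: size byte, tag byte, data
            if i + 1 >= len(desc):
                raise ValueError("truncated HID long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]       # short item data length
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated HID item")
        value = int.from_bytes(data, "little")
        kind = prefix & 0xFC                     # tag and type, size bits masked off
        if kind == 0x04:                         # Global item: Usage Page
            page = value
        elif kind == 0x08:                       # Local item: Usage
            usage = value                        # 4-byte form carries its own page
        elif kind == 0xA0:                       # Main item: Collection
            if depth == 0 and value == APPLICATION and usage is not None:
                found.add((usage >> 16 or page, usage & 0xFFFF))
            depth += 1
        elif kind == 0xC0:                       # Main item: End Collection
            depth = max(depth - 1, 0)
        if (prefix & 0x0C) == 0:                 # every Main item resets local state
            usage = None
        i += 1 + size
    return found

def keyboard_added(baseline: bytes, current: bytes) -> bool:
    """True when `current` exposes a keyboard collection that `baseline` lacked."""
    kb = (GENERIC_DESKTOP, KEYBOARD)
    return kb in top_level_usages(current) and kb not in top_level_usages(baseline)

# Constructed baseline: a single Consumer Control collection (volume keys only).
BASELINE = bytes.fromhex("050c0901a1011500250109e909ea750195028102950681 01c0")
# Constructed keyboard collection, appended to model the changed descriptor set.
KEYBOARD_COLLECTION = bytes.fromhex(
    "05010906a101050719e029e715002501750195088102"
    "950675081500256519002965 8100c0")
CHANGED = BASELINE + KEYBOARD_COLLECTION

if __name__ == "__main__":
    print("keyboard collection added:", keyboard_added(BASELINE, CHANGED))
```

On Linux the descriptor bytes for a connected device can be read from the `report_descriptor` file under `/sys/bus/hid/devices/`; recording them when the device is first installed gives the baseline to compare against.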

Creative Technologies has reportedly stated that it does not consider this behaviour a vulnerability. The company’s engineers argued that the functionality is by design, noting that the speaker’s Bluetooth is always on, even in sleep mode, with no apparent way to disable it. While USB connections require a challenge-and-response authentication procedure, Bluetooth connections do not. The authentication key for USB connections can be extracted from the companion app binary, but this hurdle is bypassed entirely in the Bluetooth attack vector.

Moorats initially reported his findings to Creative Technologies but received no response. He subsequently brought in CERT Singapore to intervene, which eventually secured a reply from the manufacturer. The attack requires the attacker to be within Bluetooth range of the device, limiting the threat to neighbours, housemates, or adjacent office workers. Nevertheless, the ability to turn a Bluetooth peripheral into a command execution proxy raises significant concerns about the security of always-on connected devices.
