Common Speakers Can Be Remotely Hacked and Used to Take Over Your PC
Ethical hacker Rasmus Moorats has detailed, in a blog post, an exploit chain in Creative's Sound Blaster Katana V2X speakers, dubbed "Pwnd Blaster," that lets an attacker remotely take over the PC the speakers are plugged into.
The Katana V2X is a USB-connected soundbar that's advertised as highly customizable. To get that customization, you're expected to install Creative's app, which controls the RGB lighting, sound settings and so on.
The app talks to the speaker through a proprietary protocol called CTprotocol (CTP). Moorats found that the only authentication for sending CTP commands is a flimsy challenge-response scheme whose key is completely static and can be extracted from the binaries that ship with the Creative app. Because anyone can recover that key, the challenge proves nothing about who is sending commands, which makes the step pointless.
Firmware updates are also performed over CTP, and they are protected no better. The image is validated only by a SHA-256 checksum that Moorats describes as "trivial to patch"; there are no signature checks or any other form of authentication. A checksum only catches accidental corruption, so the speaker has no way to tell vendor firmware from an attacker's, and anyone who can speak CTP can flash malicious firmware onto it.
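To make the two weaknesses concrete, here is a small Go model added for this write-up. It is not Moorats' tooling or Creative's code: the HMAC-SHA256 challenge-response, the body-followed-by-trailer image layout, the pretend firmware bytes and the key string are all constructed assumptions, since the page gives no CTP message details. It shows that a static shared key lets an attacker who extracted it answer the challenge exactly like the vendor app, that a checksum-only image can be patched and re-sealed by anyone, and that the same patch fails against an Ed25519 signature check because the device only needs the public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins: the real CTP key, messages and image layout are not on the page.
var (
	staticKey = []byte("key-baked-into-vendor-app")          // recoverable from the app binary
	firmware  = []byte("KATANA-FW v1.0 HID_KEYBOARD=off ...") // pretend firmware body
)

// hostResponse: HMAC-SHA256(key, challenge). Assumed construction, not CTP's actual format.
func hostResponse(key, challenge []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(challenge)
	return m.Sum(nil)
}

// deviceAccepts recomputes the response with the same static key, so it only proves
// the sender knows a key that ships inside public software.
func deviceAccepts(challenge, response []byte) bool {
	return hmac.Equal(response, hostResponse(staticKey, challenge))
}

// demoAuth: the speaker issues a random nonce; the vendor app and an attacker who
// pulled the key out of that app both answer it correctly.
func demoAuth() (vendorOK, attackerOK bool) {
	ch := make([]byte, 16)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	vendorOK = deviceAccepts(ch, hostResponse(staticKey, ch))
	extracted := append([]byte{}, staticKey...) // "derived from the binaries"
	attackerOK = deviceAccepts(ch, hostResponse(extracted, ch))
	return vendorOK, attackerOK
}

// Checksum-only image: body || SHA-256(body). Detects corruption, not forgery.
func buildChecksumImage(body []byte) []byte {
	sum := sha256.Sum256(body)
	return append(append([]byte{}, body...), sum[:]...)
}
func verifyChecksumOnly(img []byte) bool {
	if len(img) < sha256.Size {
		return false
	}
	n := len(img) - sha256.Size
	want := sha256.Sum256(img[:n])
	return hmac.Equal(img[n:], want[:])
}

// Signed image: body || Ed25519(priv, body). The device holds only the public key,
// which lets it verify an image but never produce one.
func buildSignedImage(priv ed25519.PrivateKey, body []byte) []byte {
	return append(append([]byte{}, body...), ed25519.Sign(priv, body)...)
}
func verifySigned(pub ed25519.PublicKey, img []byte) bool {
	if len(img) < ed25519.SignatureSize {
		return false
	}
	n := len(img) - ed25519.SignatureSize
	return ed25519.Verify(pub, img[:n], img[n:])
}

// patchBody rewrites a marker in the firmware body (standing in for a payload that
// makes the speaker act as a keyboard) and returns the old trailer separately.
func patchBody(img []byte, trailerLen int) (body, trailer []byte) {
	n := len(img) - trailerLen
	body = bytes.Replace(append([]byte{}, img[:n]...), []byte("HID_KEYBOARD=off"), []byte("HID_KEYBOARD=on"), 1)
	return body, img[n:]
}

// demoFirmware patches both image kinds: the checksum image is re-sealed by recomputing
// SHA-256, which anyone can do; the signed image cannot be re-sealed without the key.
func demoFirmware() (checksumAccepted, signedAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	body, _ := patchBody(buildChecksumImage(firmware), sha256.Size)
	checksumAccepted = verifyChecksumOnly(buildChecksumImage(body))
	body, oldSig := patchBody(buildSignedImage(priv, firmware), ed25519.SignatureSize)
	signedAccepted = verifySigned(pub, append(body, oldSig...))
	return checksumAccepted, signedAccepted
}

func main() {
	v, a := demoAuth()
	c, s := demoFirmware()
	fmt.Println("auth: vendor", v, "attacker", a, "| patched fw accepted: checksum", c, "signature", s)
}
```

Running it prints true for both authentication attempts and true/false for the two firmware checks. The point of the signed variant is the key split: the vendor's private key stays in the build system, the speaker stores only the public key, and recovering everything in the app binary or the device flash still does not let an attacker produce a valid trailer.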
Unfortunately, the attack isn't limited to USB. The speakers' Bluetooth radio is always on and cannot be disabled, and firmware can be flashed over Bluetooth just as it can over USB.
You don't even need to pair with the device: you can connect over Bluetooth and immediately start reading and writing data to it, so no bonding or link-layer trust stands between anyone in radio range and the CTP interface. "This means anyone can just connect to any Katana V2X over Bluetooth and start sending CTP commands to it, reading information, changing settings, etc."
The speakers have microphones and could easily be turned into remote surveillance devices, and you'd be none the wiser.
Worse, the speaker is normally connected to the PC over USB, so malicious firmware can make it present itself as a USB keyboard (the classic BadUSB technique) and do anything a keyboard can do, such as opening a terminal and typing commands.
The speaker already enumerates as a USB Human Interface Device (HID) for its own purposes, so the host is already prepared to accept input from it, which makes this even easier. Moorats did exactly this: a remotely triggered attack that flashes malicious firmware and then runs commands in the terminal.
Creative was very difficult to contact, and when they finally responded months later, they said "they do not consider this to be a vulnerability, as it does not present a cybersecurity risk."
As a result, the latest firmware remains vulnerable and no official patch is in sight.
It just goes to show the abysmal state of Bluetooth accessory security, and how little many of these companies care about protecting their own customers.