
Creative Speaker Vulnerability Allows PC Hacking Via Bluetooth

A security researcher discovered that the Creative Sound Blaster Katana V2X speaker can be exploited via Bluetooth to take control of a connected PC, even without direct interaction.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.

A security researcher has found a serious weakness in the well-reviewed Creative Sound Blaster Katana V2X speaker: anyone within Bluetooth range can use it to compromise the computer it is plugged into. The attack, worked out by researcher Rasmus Moorats, needs no pairing. It chains an unauthenticated Bluetooth firmware upload with the speaker's ability to present itself to the host as a Human Interface Device (HID), so the speaker ends up typing commands into the PC.

Moorats stumbled on the flaw while experimenting with his new Katana V2X, which connects to PCs, Macs and Linux machines over USB or Bluetooth. He found that the speaker speaks a proprietary command protocol, possibly named Creative Transport Protocol (CTP), through which connected devices send commands and receive responses. Crucially, a Bluetooth device under his control could connect to the speaker, which was itself attached to a PC over USB, without any prior pairing or authentication, and over that link he could upload his own firmware to the speaker.

The firmware is neither signed nor otherwise checked before it is flashed, so the speaker accepts unofficial images. After replacing the official firmware with his own, Moorats found that it is built on FreeRTOS, the open-source real-time operating system, and that it already contains USB HID code for emulating keyboards and mice. By editing the speaker's USB descriptor set, he made it enumerate on the connected PC as a keyboard.
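A host-side check for the descriptor trick described above, written here as an added example (it is not Moorats's code and not anything Creative ships): it parses a USB configuration descriptor, pulls out every interface descriptor, and flags a device that advertises Audio-class interfaces together with an HID interface enumerating as a boot-protocol keyboard. The descriptor bytes are constructed for the example, not captured from a real Katana V2X, and the class constants come from the USB-IF class code list.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// USB class codes used below (from the USB-IF class code list).
const (
	classAudio       = 0x01
	classHID         = 0x03
	hidSubclassBoot  = 0x01
	hidProtoKeyboard = 0x01
)

// Interface holds the fields of one USB interface descriptor that matter here.
type Interface struct {
	Number, Class, SubClass, Protocol uint8
}

// ParseConfig walks a configuration descriptor as returned by
// GET_DESCRIPTOR(CONFIGURATION) and collects every interface descriptor in it.
// Each sub-descriptor begins with bLength and bDescriptorType, so endpoint, HID
// and class-specific descriptors are skipped by length without being understood.
func ParseConfig(buf []byte) ([]Interface, error) {
	if len(buf) < 9 || buf[1] != 0x02 {
		return nil, fmt.Errorf("not a configuration descriptor")
	}
	total := int(binary.LittleEndian.Uint16(buf[2:4]))
	if total < 9 || total > len(buf) {
		return nil, fmt.Errorf("wTotalLength %d does not fit buffer of %d bytes", total, len(buf))
	}
	var ifaces []Interface
	for off := 0; off < total; {
		bLength := int(buf[off])
		if bLength < 2 || off+bLength > total {
			return nil, fmt.Errorf("bad bLength %d at offset %d", bLength, off)
		}
		// bDescriptorType 0x04 = INTERFACE: number, altsetting, endpoints, class, subclass, protocol, iInterface
		if buf[off+1] == 0x04 && bLength >= 9 {
			ifaces = append(ifaces, Interface{buf[off+2], buf[off+5], buf[off+6], buf[off+7]})
		}
		off += bLength
	}
	return ifaces, nil
}

// SuspiciousAudioHID flags a device that advertises Audio-class interfaces and,
// alongside them, an HID interface enumerating as a boot-protocol keyboard.
// A heuristic only: an HID interface with subclass 0 can still declare keyboard
// usages in its report descriptor, which this check does not parse.
func SuspiciousAudioHID(ifaces []Interface) bool {
	hasAudio, hasKeyboard := false, false
	for _, i := range ifaces {
		if i.Class == classAudio {
			hasAudio = true
		}
		if i.Class == classHID && i.SubClass == hidSubclassBoot && i.Protocol == hidProtoKeyboard {
			hasKeyboard = true
		}
	}
	return hasAudio && hasKeyboard
}

// Helpers to build constructed descriptors; nothing below was captured from real hardware.
func iface(num, class, sub, proto byte) []byte {
	return []byte{9, 0x04, num, 0, 0, class, sub, proto, 0}
}

func config(parts ...[]byte) []byte {
	var body []byte
	n := 0
	for _, p := range parts {
		body = append(body, p...)
		if p[1] == 0x04 {
			n++
		}
	}
	total := uint16(9 + len(body))
	hdr := []byte{9, 0x02, byte(total), byte(total >> 8), byte(n), 1, 0, 0x80, 50}
	return append(hdr, body...)
}

// HID class descriptor (type 0x21) following a keyboard interface; skipped by the parser.
var hidClassDesc = []byte{9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3f, 0}

var (
	// An ordinary speaker: AudioControl + AudioStreaming interfaces.
	PlainSpeaker = config(iface(0, classAudio, 1, 0), iface(1, classAudio, 2, 0))
	// The same speaker after reflashing: a third interface that is a boot keyboard.
	SpeakerWithKeyboard = config(iface(0, classAudio, 1, 0), iface(1, classAudio, 2, 0),
		iface(2, classHID, hidSubclassBoot, hidProtoKeyboard), hidClassDesc)
)

func main() {
	for name, d := range map[string][]byte{"plain": PlainSpeaker, "reflashed": SpeakerWithKeyboard} {
		ifaces, err := ParseConfig(d)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-9s %d interfaces, audio+keyboard=%v\n", name, len(ifaces), SuspiciousAudioHID(ifaces))
	}
}
```

On a real host the same bytes come from the kernel (for example the `descriptors` file under `/sys/bus/usb/devices/` on Linux) or from a USB capture; the point of the check is that an audio device which suddenly grows a keyboard interface deserves a second look, whatever its vendor string says.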

Exploiting Firmware and HID Capabilities

Reusing code already present in the firmware, Moorats then sent commands to the speaker, which turned them into keystrokes delivered to the PC, so he could run arbitrary commands on the target machine. "Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn't paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it," Moorats wrote in the blog post describing his findings. In a real attack, he added, an adversary could open a command prompt and type in malicious code, effectively taking over the computer.

Making matters worse, the speaker's Bluetooth radio stays on even when the speaker is in standby, and there is no setting to turn it off. Over USB the speaker does demand a challenge-and-response exchange before it will act on commands, but Moorats found the correct response inside the companion application's binary, which defeats that check. Over Bluetooth, no authentication is required at all.
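The two weak points above, a challenge-response whose answer lives in the client binary and a firmware format with no signature, are contrasted in this added example, which is not Moorats's code and not Creative's. Scheme A models the USB challenge-response: the device and the app share a symmetric secret, so whoever extracts that secret passes the check just as the app does. Scheme B is the control the speaker's bootloader lacked: the device keeps only an Ed25519 public key and refuses any image that is not signed by the matching private key. The secret value, the `CFW1` header tag and the payload are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ---- Scheme A: challenge-response keyed by a secret that ships inside the companion app ----

// appSecret stands in for whatever the companion binary uses to answer the
// speaker's challenge. The value is assumed; the real one is not on the page.
var appSecret = []byte("secret-shipped-inside-companion-app")

// Respond is the client side of the exchange. Anyone holding the secret,
// including someone who pulled it out of the app binary, can run it.
func Respond(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// DeviceAccepts is the device side. It proves possession of a value that is
// present in every installed copy of the app, so it cannot distinguish the
// vendor's software from an attacker's.
func DeviceAccepts(secret, challenge, response []byte) bool {
	return hmac.Equal(Respond(secret, challenge), response)
}

// ---- Scheme B: firmware images the bootloader verifies with a public key ----

const fwMagic = "CFW1" // assumed header tag for this example, not Creative's format

// SignImage is what the vendor's build pipeline would do: magic || payload || Ed25519 signature.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := append([]byte(fwMagic), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the check the speaker's bootloader lacked. The device stores only
// the public key; copying it out of the firmware does not let anyone sign.
func VerifyImage(pub ed25519.PublicKey, image []byte) (payload []byte, ok bool) {
	if len(image) < len(fwMagic)+ed25519.SignatureSize || !bytes.HasPrefix(image, []byte(fwMagic)) {
		return nil, false
	}
	body := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, false
	}
	return body[len(fwMagic):], true
}

// DemoResult records what each scheme accepts.
type DemoResult struct {
	AttackerPassesChallenge bool // scheme A with the extracted secret
	GenuineImageAccepted    bool // scheme B, vendor-signed image
	TamperedImageAccepted   bool // scheme B, one payload byte flipped
	UnsignedImageAccepted   bool // scheme B, bare payload with no signature
}

// Demo exercises both schemes once.
func Demo() DemoResult {
	var r DemoResult

	// Scheme A: the attacker answers with the secret lifted from the binary.
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	r.AttackerPassesChallenge = DeviceAccepts(appSecret, challenge, Respond(appSecret, challenge))

	// Scheme B: build a signed image, then try a genuine, a tampered and an unsigned one.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload")
	image := SignImage(priv, payload)

	got, ok := VerifyImage(pub, image)
	r.GenuineImageAccepted = ok && bytes.Equal(got, payload)

	tampered := append([]byte(nil), image...)
	tampered[len(fwMagic)+3] ^= 0xff // flip one byte, as an attacker patching in a keystroke routine would
	_, r.TamperedImageAccepted = VerifyImage(pub, tampered)

	_, r.UnsignedImageAccepted = VerifyImage(pub, payload)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The asymmetry is the whole point: in scheme A the device's check is only as secret as the app binary, which anyone can download and disassemble, while in scheme B the bootloader can be fully reverse-engineered and still rejects everything the vendor did not sign. A real bootloader would also pin a minimum version to stop rollback to an older signed image, which this example omits.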

Moorats reported the issue to Creative Technology but initially got no reply. Only after he brought in CERT Singapore did the company respond, saying its engineers did not consider the behaviour a vulnerability. The attack does require the attacker to be within Bluetooth range, which limits the pool of targets to people nearby, such as colleagues in neighbouring offices or housemates. With no fix on offer and no way to switch the radio off, the only option for owners who want to remove the risk is to keep the speaker off the USB port of any machine they care about. More broadly, turning a consumer audio device into a keystroke-injecting implant raises the question of how many other connected peripherals accept unsigned firmware and unauthenticated commands in the same way.
