Security researcher Rasmus Moorats has demonstrated that Creative’s Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from roughly 16 yards (15 meters) away, with no pairing or physical contact, in a blog post published on June 3. By exploiting an unauthenticated Bluetooth interface and the absence of firmware signing, an attacker can flash customized firmware onto the speaker over the air, turning the USB-connected device into a keyboard that types commands into the host PC. Creative, which was contacted via Singapore’s national cyber response team, took close to two months to respond and concluded the behavior was not a security risk, leaving owners of the ~$280 soundbar without an official patch.
The Katana V2X communicates with Creative’s desktop app through a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy the same protocol accepts the same commands without authentication or pairing, so any device in range can read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after modifying the image.
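The difference between a checksum and a signature is the whole point of that last sentence. The following added example (not code from the post, and not Creative's real image format) uses a constructed toy layout of payload plus trailing 32-byte digest to show why an unkeyed SHA-256 can be recomputed by whoever edits the image, while a keyed tag cannot; HMAC-SHA256 stands in for a real asymmetric firmware signature, where the device would hold only a public key.

```python
import hashlib
import hmac
import os

# Constructed toy image layout (NOT Creative's real format): payload || 32-byte tag.
# Models the page's point: an unkeyed checksum gives integrity against accidents, not authenticity.

def build_checksum_image(payload: bytes) -> bytes:
    return payload + hashlib.sha256(payload).digest()

def verify_checksum_image(image: bytes) -> bool:
    payload, digest = image[:-32], image[-32:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)

def build_signed_image(payload: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 with a key the image editor never holds; a real product would use an
    # asymmetric signature so the device only needs the vendor's public key.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_signed_image(image: bytes, key: bytes) -> bool:
    payload, tag = image[:-32], image[-32:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)

def tamper(image: bytes, old: bytes, new: bytes) -> bytes:
    # Edit bytes in the payload and recompute the trailing SHA-256, which is all an unkeyed
    # checksum requires. Against a keyed image the recomputed value is simply a stale tag.
    payload = image[:-32].replace(old, new)
    return payload + hashlib.sha256(payload).digest()

def demo() -> dict:
    vendor_key = os.urandom(32)  # constructed: provisioned at the factory, never shipped in the image
    firmware = b"USB_DESC:AUDIO_ONLY;TASK:diag_idle;"  # constructed stand-in for a firmware payload
    cs_img = build_checksum_image(firmware)
    sg_img = build_signed_image(firmware, vendor_key)
    edited_cs = tamper(cs_img, b"AUDIO_ONLY", b"AUDIO+HID ")
    edited_sg = tamper(sg_img, b"AUDIO_ONLY", b"AUDIO+HID ")
    return {
        "original_checksum_ok": verify_checksum_image(cs_img),
        "tampered_checksum_ok": verify_checksum_image(edited_cs),          # True: checksum accepts the edit
        "original_signed_ok": verify_signed_image(sg_img, vendor_key),
        "tampered_signed_ok": verify_signed_image(edited_sg, vendor_key),  # False: tag no longer matches
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```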
To weaponize that, he edited the speaker’s USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already offered. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed “echo pwned,” but the same routine could open PowerShell and paste a malicious one-liner.
Reprogramming a trusted USB peripheral into a keyboard is how BadUSB works, the technique Karsten Nohl and Jakob Lell presented at Black Hat back in 2014, when they warned that most USB controllers shipped without firmware authenticity checks.
Those attacks required someone to plug in a doctored device, but Moorats managed to remove that step, because the malicious peripheral here is hardware the victim already owns and trusts, rewritten from across a room. We’ve seen similar patterns in other consumer gear over the years, including an internet-connected bed whose firmware exposed the owner’s home network and the BlueBorne flaws that handed attackers control of Bluetooth devices without pairing.
Getting in touch with the speaker’s manufacturer, Creative, was the harder part of the work, Moorats wrote, because the only way to contact the company is via its support web form. After two failed attempts, he instead reported the issue through the Singapore Cyber Emergency Response Team (SingCERT), which itself struggled to get a response.
Creative’s eventual reply, according to his account, was that they “do not consider this to be a vulnerability, as it does not present a cybersecurity risk.” Moorats ultimately ended up doing Creative’s work for it, releasing a tool that downloads Creative’s official firmware, patches out CTP-over-Bluetooth, and reflashes the speaker over USB. Doing so likely breaks Creative’s mobile app, however, and Moorats noted that adding proper authentication is hard without the company’s source code. Bluetooth on the speaker stays on even in sleep mode, with no obvious way to disable it.