
Are USB speakers safe? A virus could infiltrate your PC without a single click! Research reveals a threat.


According to media reports, cybersecurity researcher Rasmus Moorats discovered this vulnerability after purchasing a Katana V2X soundbar for himself.

Companies that manufacture computers and operating systems typically implement various security measures to prevent external devices from gaining unauthorized control over the system. Usually, a hacker must bypass multiple security layers to execute an attack like Remote Code Execution. However, new research shows that in some cases, simply being within Bluetooth range is enough to put a computer at risk.

The researcher found flaws in the Sound Blaster Katana V2X speaker—made by the Singapore-based company Creative Technologies—that could allow an attacker to gain access to the connected computer without ever touching the speaker itself.

A discovery born from a simple investigation

According to media reports, cybersecurity researcher Rasmus Moorats discovered this vulnerability after purchasing a Katana V2X soundbar. This device can connect to Windows, Mac, and Linux systems via both USB and Bluetooth.

Moorats was attempting to develop Linux tools for the speaker when he discovered that it utilized a specialized communication system known as the Creative Transport Protocol (CTP). Through this protocol, connected devices could control the speaker’s LED lights, equalizer settings, and other features.

Connection established without pairing or authentication

The most surprising finding during the investigation was that a Bluetooth device could connect directly to the speaker without any authentication or pairing process, even while the speaker was already connected to a PC via USB.

Furthermore, a command within the CTP allowed for the modification of the speaker’s firmware. Typically, security measures such as digital signatures or code signing are employed during firmware updates to ensure that only official software is installed. However, no such security measures were in place here.

As a test, the researcher installed custom firmware on the speaker, which simply displayed the word “patched” on the LED display. This successful experiment demonstrated that unauthorized firmware could easily be loaded onto the device.

Turning the Speaker into a Keyboard

Next, the researcher examined the FreeRTOS operating system used by the speaker. The investigation revealed that the device possessed capabilities associated with Human Interface Devices (HID). The HID category includes peripherals such as keyboards, mice, and webcams.

Moorats discovered that the speaker’s USB descriptor could be modified. A USB descriptor contains information that tells a computer about the capabilities of a connected device.

By altering this information, he made the computer recognize the speaker as an additional keyboard. Consequently, the speaker became capable of sending keyboard-like commands to the computer.
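
A defensive check built on the descriptor behaviour described above, as an added example that is not from the researcher's work or Creative's software: it parses a raw USB configuration descriptor and reports HID interfaces that were absent from a recorded baseline. The descriptor bytes and helper names are constructed for illustration, not captured from a Katana V2X, and a keyboard declared only in the HID report descriptor would need that descriptor compared as well.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04   # descriptor types, USB 2.0 spec chapter 9
CLASS_AUDIO, CLASS_HID = 0x01, 0x03    # bInterfaceClass values

def parse_interfaces(config: bytes):
    """Walk a raw configuration descriptor and return its interface records."""
    found, pos = [], 0
    while pos + 2 <= len(config):
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            num, alt, _eps, cls, sub, proto = struct.unpack_from("6B", config, pos + 2)
            found.append({"number": num, "alt": alt, "class": cls,
                          "subclass": sub, "protocol": proto})
        pos += length
    return found

def new_hid_interfaces(baseline: bytes, current: bytes):
    """Return HID interfaces present in `current` but not in `baseline`."""
    known = {(i["class"], i["subclass"], i["protocol"]) for i in parse_interfaces(baseline)}
    alerts = []
    for i in parse_interfaces(current):
        key = (i["class"], i["subclass"], i["protocol"])
        if i["class"] == CLASS_HID and key not in known:
            # Subclass 1 / protocol 1 is the HID boot-interface keyboard.
            i["boot_keyboard"] = (i["subclass"], i["protocol"]) == (1, 1)
            alerts.append(i)
    return alerts

def iface(num, cls, sub, proto, eps=0):
    """Build one 9-byte interface descriptor (constructed sample data)."""
    return bytes([9, DT_INTERFACE, num, 0, eps, cls, sub, proto, 0])

def config(*ifaces):
    """Prefix interface descriptors with a 9-byte configuration header."""
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed descriptors: a soundbar with audio plus a media-key HID interface,
# then the same device after its descriptor gains a boot-keyboard interface.
BASELINE = config(iface(0, CLASS_AUDIO, 1, 0), iface(1, CLASS_AUDIO, 2, 0), iface(2, CLASS_HID, 0, 0, 1))
MODIFIED = BASELINE[:9] + BASELINE[9:] + iface(3, CLASS_HID, 1, 1, 1)

if __name__ == "__main__":
    for alert in new_hid_interfaces(BASELINE, MODIFIED):
        print("new HID interface:", alert)
```
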

Commands Sent Over the Air

Following this discovery, the researcher conducted another experiment. He sent commands to the speaker via Bluetooth, and the speaker relayed those commands to the computer using its HID functionality. During the test, he successfully uploaded firmware that would automatically type and execute commands on the computer after a reboot.

In a real-world attack scenario, an attacker could open PowerShell or other system tools to execute malicious scripts, potentially compromising the entire system.

Even more concerning is the fact that the speaker’s Bluetooth mode remains active even in sleep mode, with no apparent option to turn it off completely.

Security Exists but Is Easily Circumvented

Typically, a “challenge-response” authentication process takes place between a USB-connected device and the host. However, according to the researcher, this security measure is not robust, as the necessary information can be extracted from the software bundled with the speaker.

Conversely, no such challenge or verification process was found to be required for Bluetooth connections, making an attack even easier.

Company Dismisses Security Risk

Rasmus Moorats reported his findings to Creative Technologies but received no response. Assistance was subsequently sought from CERT Singapore, following which the company responded.

According to the report, the company’s engineers refused to classify this behavior as a security vulnerability. The researcher conducted tests on Windows systems, where the attack proved successful.

Should all users be concerned?

However, there is a significant limitation to this attack: the attacker must be within the speaker’s Bluetooth range. This means that only a neighbor, colleague, roommate, or someone nearby could carry out such an attack.

Nevertheless, this case highlights that smart Bluetooth devices are not merely for audio or convenience; if they harbor security flaws, they can also serve as a gateway to access computers. It also raises the question of whether similar, as-yet-undiscovered vulnerabilities exist in other Bluetooth devices.