A recent discovery has revealed a significant security vulnerability in the Sound Blaster Katana V2X, a $283 Bluetooth speaker sold by Creative Technologies. The device, widely praised for its sound and performance, can be hacked over the air to infect connected devices without any authentication or pairing requirements.
Researcher Rasmus Moorats stumbled upon the hack by accident while attempting to create a Linux tool that communicated with his speaker. He discovered that he could use CTP (Creative Transport Protocol), a proprietary mechanism used for sending commands and receiving responses from the device, to connect to the speaker via Bluetooth even when it was connected to a PC via USB.
What’s more alarming is that Moorats found that one of the CTP commands allowed him to replace the official firmware with his own custom image. The firmware reflashing process didn’t use code signing or other measures to prevent the loading of unofficial code, making it possible for an attacker to upload malicious firmware to the device.
The researcher then turned his attention to FreeRTOS, the open-source operating system that ran the Katana V2X. He discovered that he could change the speaker’s USB descriptor set, which informed devices about its capabilities, and augment it with a second one that reported the speaker as a keyboard. This allowed him to use code already included in the firmware to send keypresses to the connected PC.
Moorats demonstrated that he could chain these vulnerabilities together to remotely upload custom firmware to his speaker, which would then reboot, flash the custom firmware, and execute a command on the connected PC. In a real attack scenario, an attacker would likely use this technique to open a PowerShell or similar interface and paste malicious code.
The vulnerability is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it. While authentication is required for devices connected via USB, it’s not necessary for Bluetooth-connected devices, making it possible for an attacker to exploit this vulnerability without any prior knowledge of the device or its configuration.
Creative Technologies was informed of the vulnerability by Moorats but never responded. The researcher then brought in CERT Singapore to intervene, and eventually, the organization received a response from the company. However, the engineers at Creative Technologies didn’t consider the behavior as a vulnerability.
The attack can only be carried out when the attacker is within Bluetooth range of the speaker, limiting attacks to neighbors or people in adjacent offices. Nonetheless, the ability to turn a Bluetooth device into a PC-pwning proxy and remote bugging device raises significant concerns about the security of other Bluetooth devices.
Source: Original article