Creative Katana V2X Speaker Vulnerability Lets Attackers Hack PCs Via Bluetooth
The vulnerability turns a trusted USB peripheral into an attack vector, and Creative's refusal to treat it as a security risk leaves users exposed with no fix in sight.
Reporting from 1 sources: GIGAZINE.
Security researcher Rasmus Moorats discovered that Creative's Katana V2X sound system can be attacked via Bluetooth from up to 15 meters away, allowing malicious firmware to be written to the device. The exploit, called Pwnd Blaster, could turn the speaker into an eavesdropping device or a keyboard input tool. Creative did not patch the vulnerability.
Security researcher Rasmus Moorats demonstrated that Creative's Katana V2X sound system is vulnerable to a Bluetooth-based attack he calls Pwnd Blaster. An attacker within about 15 meters can write malicious firmware to the device without pairing. Because the speaker connects to a PC via USB, the compromised speaker can act as a keyboard input device or, if it has a microphone, as an eavesdropping tool.
Moorats reverse-engineered Creative's proprietary CTP protocol, which handles firmware updates over both USB and Bluetooth. He found that Bluetooth GATT commands require no authentication, and the firmware update only checks a SHA-256 hash. After creating a proof-of-concept firmware that replaced the boot string, he succeeded in writing it over Bluetooth in about 10 minutes. He also added a keyboard descriptor to the USB device and made the speaker type 'echo pwned' after boot.
Moorats reported the vulnerability to Creative via Singapore's SingCERT. Creative responded that the report did not indicate a cybersecurity risk and has not issued a patch. Moorats released a firmware patch that blocks CTP over Bluetooth, but it breaks Creative's mobile app.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.