GitHub

Operating system manufacturers take many steps to prevent their products from accepting commands from remote devices. Protective measures, designed to thwart malicious attacks, typically require hackers to jump through all sorts of hoops to circumvent the measures. But what if remote code execution was as simple as being within Bluetooth range of a speaker connected to the targeted device?

Turns out it's possible, at least when the speaker is a Sound Blaster Katana V2X sold by Singapore-based Creative Technologies. The speaker, which retails for $283, is widely acclaimed with many reviews praising its sound and performance as well as its predecessor, the Sound Blaster V2.

A proxy for PC

Researcher Rasmus Moorats stumbled upon this hack by accident, after purchasing a Katana V2X, a soundbar that connects to PCs, Macs and Linux devices via USB or Bluetooth. Moorats was curious if he could create a Linux tool that communicated with his speaker. He discovered he could do this via CTP, a proprietary mechanism which he says is short for Creative Transport Protocol.

CTP allows devices connected via Bluetooth or USB to send commands to the speaker, such as changing LED colors and equalizer settings. CTP also allows connected devices to receive responses from the speaker.

To Moorat's surprise, his Bluetooth device was able to connect to the speaker, which was connected to a PC via USB, without any authentication. Plus, his Bluetooth device didn't need to be paired first. Also surprising: one of the CTP commands, titled "Download new firmware to device", allowed him to replace the official firmware with his own custom firmware. The firmware reflash did not use code signing or other measures to prevent unofficial code from loading.