Creative Sound Blaster Katana V2X gaming soundbar has a security flaw: it can be hijacked from 15 metres away
Authors: aimode.news (@aimode_news)
According to a blog post published on June 7 by security researcher Rasmus Morats, the Creative Sound Blaster Katana V2X gaming soundbar has a security flaw: an attacker within roughly 15 metres can take over the device over Bluetooth, without pairing and without any physical contact.
The device's Bluetooth interface performs no authentication, and its firmware is not signed. Combining these two weaknesses, an attacker can remotely flash custom firmware onto the device and use it as a keyboard that automatically types commands into the host computer over the soundbar's USB connection. After the researcher contacted Singapore's national CERT, Creative took nearly two months to respond and concluded that the issue was not a security risk; the soundbar, which sells for roughly $280 (IT House note: about RMB 1902 at the current exchange rate), has still not received an official fix.
The Katana V2X communicates with Creative's desktop client using a proprietary protocol, which Morats named the Creative Transfer Protocol (CTP). When the soundbar is reached over USB, a challenge-response handshake is performed first; in Bluetooth Low Energy mode, however, the same protocol skips authentication and pairing and accepts commands directly. This means any device within range can read, modify, or push firmware. In addition, the device's firmware carries only a SHA-256 checksum and no cryptographic signature, so after modifying a firmware image Morats could simply recompute the checksum and pass the check.
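The checksum-versus-signature point above, as an added example that is not part of the original article and not Creative's or the researcher's code: a constructed image protected only by a trailing SHA-256 digest is compared with one protected by an Ed25519 signature from Go's standard library, showing why the digest can be regenerated after a patch while the signature cannot. The image layouts, the sample payload and the key pair are assumptions made for the demonstration.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Layout A (constructed): payload followed by a 32-byte SHA-256 digest.
func buildChecksumImage(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append(append([]byte{}, payload...), sum[:]...)
}

// A checksum catches corruption, not tampering: whoever changes the payload
// simply recomputes the trailing digest and the check passes.
func verifyChecksumImage(img []byte) bool {
	if len(img) < sha256.Size {
		return false
	}
	n := len(img) - sha256.Size
	want := sha256.Sum256(img[:n])
	return bytes.Equal(img[n:], want[:])
}

// Layout B (constructed): payload + 64-byte Ed25519 signature; the device holds only the public key, so a modified payload cannot be re-signed.
func verifySignedImage(pub ed25519.PublicKey, img []byte) bool {
	if len(img) < ed25519.SignatureSize {
		return false
	}
	n := len(img) - ed25519.SignatureSize
	return ed25519.Verify(pub, img[:n], img[n:])
}

// Same payload patch against both layouts: A is rebuilt with a fresh digest,
// B must keep the original signature because the attacker cannot produce a new one.
func compareSchemes() (checksumAccepts, signatureAccepts bool) {
	original := []byte("constructed firmware: diag task idle") // constructed sample
	patched := bytes.Replace(original, []byte("idle"), []byte("patched"), 1)
	checksumAccepts = verifyChecksumImage(buildChecksumImage(patched))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signatureAccepts = verifySignedImage(pub, append(patched, ed25519.Sign(priv, original)...))
	return checksumAccepts, signatureAccepts
}

func main() {
	a, b := compareSchemes()
	fmt.Printf("checksum-only accepts patched image: %v, signed: %v\n", a, b)
}
```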
To turn this into a working exploit, he modified the soundbar's USB descriptors: the device originally advertised only basic media controls, and after the change it presented itself to the computer as a keyboard. The firmware is based on a modified FreeRTOS real-time operating system; rather than writing new keystroke-injection code, he rewrote an idle diagnostic task in the system so that a command is typed and executed automatically every time the device powers on and its USB module starts. His proof of concept types "echo pwned"; with the same logic, an attacker could also open Microsoft PowerShell and paste a malicious one-liner.
Turning an ordinary USB peripheral into a keyboard is the core of the BadUSB attack. As early as 2014, Karsten Nohl and Jakob Lell demonstrated the attack at the Black Hat security conference and warned that most USB controllers leave the factory without firmware authentication enabled.
A traditional BadUSB attack requires the victim to actively connect a tampered device, and Morats has removed that limitation: the victim keeps using hardware they already trust, while the attacker only has to tamper with it remotely from the other side of the room. Over the years, a number of consumer electronics have had similar security problems, such as a firmware flaw in a smart bed that leaked users' home network information, and BlueBorne, which let attackers control all kinds of Bluetooth devices without pairing.
Morats says the hardest part of the whole research process was getting in touch with Creative Technology, which offers only an online customer-service form as a contact channel. After getting no response, he twice turned to the Singapore Computer Emergency Response Team (SingCERT), which was also slow to get a reply from the manufacturer.
According to Morats, Creative Technology's final answer was: "We do not consider this a security vulnerability, and the issue does not pose a cybersecurity risk." Left with no other option, Morats released his own tool: it downloads the official firmware, closes the CTP hole on the Bluetooth side, and reflashes the device firmware over USB. This fix will most likely break the Creative mobile app, however, and Morats notes that without the manufacturer's source code it is difficult to replace the Bluetooth protocol with a proper authentication mechanism. In addition, even when the soundbar is in standby mode, Bluetooth stays active, and there is no obvious option to turn it off manually.