A researcher has shown that the Sound Blaster Katana V2X speaker from Creative Technologies can be abused over Bluetooth to inject keystrokes into the computer it is connected to. The attack requires no pairing with the speaker and no physical access to it.
Rasmus Moorats discovered the issue after buying the $283 speaker, which connects to computers via USB or Bluetooth. He found that any Bluetooth device, without authenticating, could upload custom firmware to the speaker, because the speaker does not check a code signature before accepting a firmware image.
Moorats then modified the firmware so that the speaker presents itself to the host computer as a keyboard. Keystrokes sent to the speaker over Bluetooth are relayed to the connected PC as if typed locally, where they can open a terminal and run arbitrary commands: keystroke injection from a peripheral the user already trusts, rather than a flaw in the PC itself.
In a proof of concept, Moorats had the speaker type and run the command "echo pwned" on the target machine. He reported the findings to Creative Technologies, which said its engineers did not view the behavior as a vulnerability.
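A host-side check for the class of device described above, i.e. a USB audio device that also declares a keyboard. This is an added example, not code from the article, the researcher or the vendor. It assumes the keyboard emulation is exposed over the speaker's USB connection (the article does not say which link carries it), and it reads the per-interface attributes and HID report descriptors that Linux publishes under /sys/bus/usb/devices. Real headsets often carry a HID interface for volume and mute buttons, so the check parses the report descriptor for a Generic Desktop / Keyboard collection instead of flagging every HID interface. The sysfs tree that demo() builds is constructed for illustration.

```python
"""Flag USB audio devices that also declare a HID keyboard.

Added example for this article, not code from the original page, the
researcher or the vendor.  Assumes the keyboard is presented over USB and
uses the sysfs layout Linux exposes under /sys/bus/usb/devices.
"""
import tempfile
from pathlib import Path

USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03
HID_PAGE_GENERIC_DESKTOP = 0x01
HID_USAGE_KEYBOARD = 0x06
HID_USAGE_KEYPAD = 0x07
HID_COLLECTION_APPLICATION = 0x01
TYPING_USAGES = {(HID_PAGE_GENERIC_DESKTOP, HID_USAGE_KEYBOARD),
                 (HID_PAGE_GENERIC_DESKTOP, HID_USAGE_KEYPAD)}


def hid_items(desc):
    """Yield (item_type, tag, data) for each short item of a HID report descriptor."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        i += 1
        if prefix == 0xFE:            # long item: size byte, tag byte, payload; skip it
            if i + 2 > len(desc):
                break
            i += 2 + desc[i]
            continue
        size = prefix & 0x03
        size = 4 if size == 3 else size
        data = int.from_bytes(desc[i:i + size], "little") if size else 0
        i += size
        yield (prefix >> 2) & 0x03, prefix >> 4, data


def declares_keyboard(desc):
    """True if the descriptor opens an Application collection for a keyboard or keypad."""
    page = usage = None
    for item_type, tag, data in hid_items(desc):
        if item_type == 1 and tag == 0:          # Global item: Usage Page
            page = data
        elif item_type == 2 and tag == 0:        # Local item: Usage (4-byte form embeds its page)
            usage = ((data >> 16) or page, data & 0xFFFF)
        elif item_type == 0:                     # Main item; local items reset after it
            if tag == 0xA and data == HID_COLLECTION_APPLICATION and usage in TYPING_USAGES:
                return True
            usage = None
    return False


def inspect_device(dev):
    """Return (set of interface classes, True if any HID interface can type)."""
    classes, types = set(), False
    for intf in dev.glob(f"{dev.name}:*"):      # interface dirs look like 1-2:1.0
        cls = int((intf / "bInterfaceClass").read_text(), 16)
        classes.add(cls)
        if cls == USB_CLASS_HID:
            for rd in intf.glob("*/report_descriptor"):
                types = types or declares_keyboard(rd.read_bytes())
    return classes, types


def audio_devices_that_type(root="/sys/bus/usb/devices"):
    """Names of devices combining an Audio interface with a HID keyboard."""
    hits = []
    for dev in sorted(Path(root).iterdir()):
        if ":" in dev.name or not (dev / "idVendor").exists():
            continue                             # skip interface entries
        classes, types = inspect_device(dev)
        if types and USB_CLASS_AUDIO in classes:
            hits.append(dev.name)
    return hits


# Constructed descriptors: the standard keyboard preamble, and a consumer-control one.
KEYBOARD_RD = bytes.fromhex("05010906a101")   # Generic Desktop / Keyboard / Collection(App)
VOLUME_RD = bytes.fromhex("050c0901a101")     # Consumer page, as on headset volume buttons


def _fake_device(root, name, interfaces):
    """Write a minimal sysfs-style device tree; interfaces = [(class, descriptor|None)]."""
    dev = root / name
    dev.mkdir()
    (dev / "idVendor").write_text("1234\n")
    for n, (cls, rd) in enumerate(interfaces):
        intf = dev / f"{name}:1.{n}"
        intf.mkdir()
        (intf / "bInterfaceClass").write_text(f"{cls:02x}\n")
        if rd is not None:
            hid = intf / f"0003:1234:{n:04X}.0001"
            hid.mkdir()
            (hid / "report_descriptor").write_bytes(rd)


def demo():
    """Scan a constructed tree: headset, speaker-that-types, plain keyboard."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _fake_device(root, "1-1", [(USB_CLASS_AUDIO, None), (USB_CLASS_HID, VOLUME_RD)])
        _fake_device(root, "1-2", [(USB_CLASS_AUDIO, None), (USB_CLASS_HID, KEYBOARD_RD)])
        _fake_device(root, "1-3", [(USB_CLASS_HID, KEYBOARD_RD)])
        return audio_devices_that_type(root)


if __name__ == "__main__":
    print(demo())  # ['1-2']
```

Run it on a live system with audio_devices_that_type() and, for a flagged device such as 1-2, write 0 to /sys/bus/usb/devices/1-2/authorized to detach it until you have looked at it. USBGuard implements this kind of interface-class policy as a daemon; the check here only sees a keyboard once the reflashed speaker re-enumerates with one, and it does nothing for a speaker whose keyboard is presented over a Bluetooth HID profile rather than USB.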
The attack is limited to attackers within Bluetooth range, such as neighbors or housemates. Bluetooth stays active on the speaker even in sleep mode, so putting the speaker to sleep does not remove the exposure.