Creative Speaker Flaw Lets Attackers Reflash Firmware From 15 Meters, Hijacking PCs via USB
Updated · GIGAZINE(ギガジン) · Jun 4
Summary
A 15-meter Bluetooth attack on Creative's Katana V2X let researcher Rasmus Moorats install modified firmware in about 10 minutes and make the soundbar reboot showing "PATCHED."
The exploit works because Creative's CTP protocol accepts Bluetooth commands without authentication, while firmware integrity checks rely only on a SHA-256 checksum that can be recomputed.
Once reflashed, the USB-connected speaker can impersonate a trusted HID keyboard; Moorats' proof of concept waited about 20 seconds after boot, then typed and executed "echo pwned" while normal audio functions continued.
Speakers with microphones could also be turned into listening devices, and Moorats said fixing the design is difficult because source code is unavailable; his temporary patch blocks CTP over Bluetooth but may break Creative's mobile apps.
Creative had not issued a fix as of publication: after Moorats escalated the report through SingCERT, the company replied roughly two months later that the report did not indicate a cybersecurity risk.
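The summary's point that a recomputable SHA-256 checksum cannot protect firmware is shown below as an added example, which is not code from the article, the researcher, or Creative. The image layout, key, and function names are constructed for illustration, and HMAC stands in for a vendor signature because Python's standard library has no asymmetric signing; a shipping device would verify an asymmetric signature with only the public key stored on it.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output size in bytes

def pack_checksum(payload: bytes) -> bytes:
    """Constructed layout: payload followed by its unkeyed SHA-256 digest."""
    return payload + hashlib.sha256(payload).digest()

def verify_checksum(image: bytes) -> bool:
    """Checksum-only check: catches corruption, not deliberate modification."""
    if len(image) <= DIGEST_LEN:
        return False
    payload, digest = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)

def pack_authenticated(payload: bytes, key: bytes) -> bytes:
    """Payload followed by a keyed tag only the key holder can produce."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_authenticated(image: bytes, key: bytes) -> bool:
    """Keyed check: a recomputed plain digest does not match the tag."""
    if len(image) <= DIGEST_LEN:
        return False
    payload, tag = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    vendor_key = b"constructed-vendor-key"   # placeholder, not a real key
    original = b"FWv1" + b"\x00" * 64        # constructed stand-in image
    modified = b"FWv1" + b"\x01" * 64        # same image with altered bytes
    # Anyone can recompute an unkeyed digest over altered bytes, so the
    # checksum-only verifier has no way to tell the two images apart.
    rehashed = pack_checksum(modified)
    return {
        "checksum_original": verify_checksum(pack_checksum(original)),
        "checksum_modified": verify_checksum(rehashed),
        "auth_original": verify_authenticated(
            pack_authenticated(original, vendor_key), vendor_key),
        "auth_modified": verify_authenticated(rehashed, vendor_key),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```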