Your PC Speaker Can Hack You Without Being Touched
Key Takeaways
- The Katana V2X exposes its control protocol over Bluetooth without authentication, allowing remote attacks from about 15 meters away
- Firmware lacks cryptographic signing, so attackers can flash malicious code that turns the speaker into a keyboard or microphone
- Creative has not released a patch, but the researcher has published an unofficial fix
What happens when a security researcher just wants to control their new speaker from Linux? Sometimes, they find a way for anyone within Bluetooth range to turn that speaker into a spying device.
Rasmus Moorats bought a Creative Sound Blaster Katana V2X, a USB-connected PC soundbar popular with gamers and home office workers. He wanted to build a Linux tool to configure it. Instead, he discovered a chain of vulnerabilities that allows any attacker within about 15 meters to remotely hijack the device, turning it into either a covert microphone or a "Rubber Ducky" that can type malicious commands into a locked PC.
“What initially started as simply wanting to write a Linux tool for communicating with my speaker ended up with me discovering vulnerabilities which allow any attacker... to turn it into a covert spying tool and Rubber Ducky.”
— Rasmus Moorats, Security Researcher
How the Attack Works
The Katana V2X uses a proprietary protocol called Creative Transport Protocol (CTP) to handle settings changes, LED configuration, and firmware updates. Over USB, the device requires challenge-response authentication before accepting commands. The authentication key is static and can be extracted from Creative's own software, but at least the barrier exists.
Here's the problem: CTP is also exposed over Bluetooth Low Energy. And over BLE, there's no authentication at all.
An attacker doesn't need to pair with the device. They don't need physical access. They just need to be within roughly 15 meters, the typical range of BLE. From there, they can send CTP commands directly to the speaker.
Unsigned Firmware Makes It Worse
Sending commands to change speaker settings would be bad enough. But firmware updates also travel over CTP. And the firmware has almost no protection.
Moorats found that the firmware container is essentially a primitive Zip file with three key parts: FBOOT (a bootloader with recovery mode), FMAIN (the main operating system), and CHK2 (a SHA-256 checksum). Both FBOOT and FMAIN run on a modified version of FreeRTOS.
The checksum is trivial to patch. There's no cryptographic signature verification. Nothing stops an attacker from writing their own firmware, calculating a valid checksum, and flashing it to the device over BLE.
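The difference between a checksum and an authenticity check, as an added example (not code from the researcher or from Creative). The dictionary container, the demo key and all function names are constructed for illustration, and HMAC stands in for an asymmetric signature so the example needs only the standard library.

```python
import hashlib
import hmac

def _payload(image: dict) -> bytes:
    # Length-prefix each part so FBOOT/FMAIN boundaries cannot be shifted.
    return b"".join(len(image[k]).to_bytes(4, "big") + image[k]
                    for k in ("FBOOT", "FMAIN"))

def build_image(fboot: bytes, fmain: bytes) -> dict:
    # Constructed stand-in for the container; the page names the parts
    # (FBOOT, FMAIN, CHK2) but does not describe the real byte layout.
    image = {"FBOOT": fboot, "FMAIN": fmain}
    image["CHK2"] = hashlib.sha256(_payload(image)).digest()
    return image

def checksum_ok(image: dict) -> bool:
    # Unkeyed hash: catches corruption, but whoever edits the image can
    # recompute it, so it says nothing about who built the image.
    digest = hashlib.sha256(_payload(image)).digest()
    return hmac.compare_digest(digest, image["CHK2"])

def vendor_tag(image: dict, key: bytes) -> bytes:
    # Assumption: HMAC stands in for a signature such as Ed25519. A real
    # device should verify with a public key so no signing secret is stored
    # in firmware.
    return hmac.new(key, _payload(image), hashlib.sha256).digest()

def update_accepted(image: dict, tag: bytes, key: bytes) -> bool:
    # The updater policy the device lacks: checksum AND authenticity.
    return checksum_ok(image) and hmac.compare_digest(vendor_tag(image, key), tag)

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed value, not a real key
    original = build_image(b"boot-v1", b"main-v1")
    tag = vendor_tag(original, key)
    corrupted = dict(original, FMAIN=b"main-v1 with a flipped bit")  # stale CHK2
    rebuilt = build_image(b"boot-v1", b"main-v1 with other code")    # fresh CHK2
    return {
        "corrupted_checksum": checksum_ok(corrupted),
        "rebuilt_checksum": checksum_ok(rebuilt),
        "original_accepted": update_accepted(original, tag, key),
        "rebuilt_accepted": update_accepted(rebuilt, tag, key),
    }
```

The checksum rejects the corrupted image but accepts the rebuilt one; only the keyed check ties the image to its publisher.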
Once an attacker controls the firmware, the Katana V2X becomes whatever they want it to be. It's already a USB device connected to your PC. Malicious firmware can make it enumerate as a keyboard and start typing commands. Or it can use the built-in microphone to record audio.
The "Pwnd Blaster" Attack Chain
The researcher calls this the "Pwnd Blaster" attack. It chains two critical flaws:
- Unauthenticated BLE access to the CTP protocol
- Unsigned firmware updates with only a trivially-patchable checksum
Together, these flaws mean an attacker in a coffee shop, coworking space, or apartment building could scan for nearby Katana V2X devices, flash malicious firmware without any user interaction, and gain a persistent foothold on the victim's PC.
Why This Matters for Your Office
USB speakers aren't typically on anyone's threat model. They sit on desks, plugged in permanently, trusted implicitly by the operating system. The Katana V2X isn't some obscure device. It's sold at major retailers and marketed to gamers and remote workers who want better audio for calls and entertainment.
The attack surface is significant. An attacker doesn't need to get into your building. They don't need to send you a phishing email. They just need to be close enough for Bluetooth, which could mean a parking lot, a neighboring office, or a shared apartment wall.
The Rubber Ducky capability is especially dangerous. Keyboards are trusted input devices. When the compromised speaker sends keystrokes, your PC accepts them as legitimate user input. This works even on a locked screen in some scenarios, depending on the payload.
Creative's Response: Nothing
Creative has released zero patches for this vulnerability. The researcher disclosed the flaws through standard responsible disclosure channels. As of publication, Creative has not announced any plans to fix the issues.
This has sparked frustration in the security community. On Hacker News, discussions have turned toward vendor accountability for IoT firmware security and the challenges of "right to repair" when manufacturers abandon devices.
Moorats has published an unofficial patch tool. Users comfortable with flashing firmware can apply it themselves. But most Katana V2X owners don't know the vulnerability exists, let alone how to fix it.
What You Can Do Right Now
If you own a Katana V2X, your options are limited but not nonexistent:
- Apply the unofficial patch if you're comfortable with firmware flashing
- Keep the speaker powered off when not in active use
- Consider whether the device needs to stay connected to your primary work machine
- Monitor for any official Creative response or firmware update
For organizations, this is a reminder that every USB device is a potential attack vector. Asset inventories should include peripherals. Security policies should address which devices can connect to work machines.
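One way to put peripherals into an asset inventory, as an added example (not part of the original article): record each device's USB interfaces and flag any that appear later, such as a soundbar that starts presenting a keyboard. The vendor/product IDs, serials and device records are constructed placeholders; the class codes are the standard USB-IF values.

```python
# USB-IF class codes: (class, subclass, protocol) of a HID boot keyboard.
HID_KEYBOARD = (0x03, 0x01, 0x01)

def device_id(dev: dict) -> tuple:
    return (dev["vid"], dev["pid"], dev["serial"])

def audit(baseline: list, current: list) -> list:
    """Return (device_id, reason) for devices whose USB interfaces differ
    from what the inventory recorded."""
    known = {device_id(d): set(d["interfaces"]) for d in baseline}
    findings = []
    for dev in current:
        did = device_id(dev)
        if did not in known:
            findings.append((did, "not in inventory"))
            continue
        # Any interface absent at inventory time is reported; a keyboard
        # interface on a non-keyboard device gets its own reason.
        for iface in sorted(set(dev["interfaces"]) - known[did]):
            if iface == HID_KEYBOARD:
                findings.append((did, "new HID keyboard interface"))
            else:
                findings.append((did, "new interface %02x/%02x/%02x" % iface))
    return findings

# Constructed inventory: a soundbar with audio control, audio streaming and
# a generic HID interface (volume keys), plus an ordinary keyboard.
BASELINE = [
    {"vid": "ffff", "pid": "0001", "serial": "SPK-DEMO",
     "interfaces": [(0x01, 0x01, 0x00), (0x01, 0x02, 0x00), (0x03, 0x00, 0x00)]},
    {"vid": "ffff", "pid": "0002", "serial": "KBD-DEMO",
     "interfaces": [HID_KEYBOARD]},
]
# Constructed later scan: the soundbar now also presents a keyboard, and an
# unrecorded device has appeared.
CURRENT = [
    {"vid": "ffff", "pid": "0001", "serial": "SPK-DEMO",
     "interfaces": [(0x01, 0x01, 0x00), (0x01, 0x02, 0x00), (0x03, 0x00, 0x00),
                    HID_KEYBOARD]},
    BASELINE[1],
    {"vid": "ffff", "pid": "0003", "serial": "UNKNOWN-DEMO",
     "interfaces": [(0x08, 0x06, 0x50)]},
]
```

On Linux the interface triples can be read from the `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol` attributes under `/sys/bus/usb/devices/`.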
Frequently Asked Questions
Can this attack work on other Creative speakers?
The researcher only tested the Katana V2X. Other Creative devices using CTP over BLE may have similar vulnerabilities, but this hasn't been confirmed.
Does the attacker need to pair with my speaker?
No. That's what makes this attack dangerous. The speaker exposes CTP over BLE without requiring any pairing or authentication.
Will turning off Bluetooth on my PC protect me?
No. The vulnerability is in the speaker's own Bluetooth radio, not your PC's. The speaker accepts BLE connections independently.
How would I know if my speaker has been compromised?
You likely wouldn't. Malicious firmware can be designed to behave normally while exfiltrating data or waiting for commands.
Is the unofficial patch safe to use?
The patch is published by the researcher who found the vulnerability. Review the source code and documentation before applying it to production hardware.
Source: Hacker News: Best
Manaal Khan
Tech & Innovation Writer