Hacking your PC using your speaker without ever touching it
Researcher remotely hacks Creative Sound Blaster Katana V2X speaker via Bluetooth to inject custom firmware and execute arbitrary commands as keyboard.
A researcher reverse-engineered the Creative Sound Blaster Katana V2X firmware and discovered that the device accepts unauthenticated CTP (Creative Transport Protocol) commands over Bluetooth without pairing. The speaker's firmware uses only a SHA-256 checksum for integrity protection with no cryptographic signature verification. By modifying the firmware to add keyboard HID functionality, the researcher demonstrated uploading custom firmware over-the-air to execute keystroke injection attacks on the connected PC, turning the speaker into a remote BadUSB device. The attack requires no physical access and works within approximately 15 meters. Creative dismissed the report as not a cybersecurity risk and declined to patch it after a two-month response delay via SingCERT. The researcher published a third-party firmware patcher to block CTP-over-Bluetooth as a mitigation.
What HN community is saying
Commenters criticized Creative's security stance and vendor response. The consensus is that the claim of no cybersecurity risk is nonsensical: arbitrary firmware execution enabling keystroke injection grants full PC compromise, allowing credential theft, malware installation, and data exfiltration. Multiple commenters noted that USB HID devices with keyboard capability present severe risk despite "just typing words." One commenter outlined additional attack vectors from arbitrary USB control: network adapter spoofing, USB storage emulation for data theft, and device lockscreen bypass. Concerns surfaced that similar vulnerabilities likely exist in other IoT devices. Some questioned the attack surface as narrow (requires proximity and device ownership), but acknowledged Bluetooth range negates proximity as a meaningful barrier.