SmackerNews

Pwnd Blaster: Hacking your PC using your speaker without ever touching it

699 points · 122 comments · 8 days ago · xx_ns

blog.nns.ee

hootz8 days ago
Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."
So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.
rkagerer7 days ago
This is a well written article and easy to digest, worth a skim.
In summary he figured out how to reflash arbitrary firmware on a Creative Sound Blaster Katana V2X soundbar via Bluetooth, without requiring any effective authentication or user interaction.
The soundbar is plugged directly into its host computer via USB, so by adding a descriptor to its firmware he made it recognized as a keyboard. From there it was straightforward to have it send keystrokes to the PC. The soundbar is equipped with a mic, so an adversary could turn it into an eavesdropping device.
He reported it to Creative and SingCERT. Neither him or SingCERT got any meaningful response from the company until 2 months later, eventually saying "they do not consider this to be a vulnerability, as it does not present a cybersecurity risk".
He released a firmware patcher that disables the flawed transport protocol. It's a bit of a sledgehammer that likely also breaks functionality of the official Bluetooth app, but seems like the best he could do without cooperation from the manufacturer.
nickdothutton8 days ago
It is quite common to find device manufacturers, even those of many years standing, who _appear to_ begin with the device and add the software as an afterthought. Paying little attention to security or even the software lifecycle (patches, updates, the changing landscape/ecosystem). I have even known it happen that the device brand subs out the software to a random small developer, who then closes up shop/dies/gets out of that business, and the device company doesnt even have the source code, let alone any ability to further improve/fix the software that drives their device. This leads to layers upon layers of subsequent middleware, UIs, shims etc.
Klaus238 days ago
Why think so small? Perhaps the speaker itself can be used as the attacker.
Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.
It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".
Edit: Bonus points for closing the security hole and disabling the ability to flash the firmware normally, so that the manufacturer would have to jailbreak the speakers in order to repair them.
KurSix8 days ago
The fact that the author had to publish a third-party patch because the vendor didn't consider it a vulnerability is not a great look
smithkl428 days ago
If I were in charge of, say, the Mossad, I would have as a significant part of my budget purchasing every single bluetooth device on the market, and set a bunch of underemployed Israeli CS grads to work at finding these vulnerabilities, and then putting them into an easily deployed toolkit. You want an asset with access to, say, an Iranian government office, to be able to walk through the building with a phone and take control of as many machines as possible.
Now that I think about it, I think you have to assume that they probably DO do this...
fusslo8 days ago
I write firmware (specifically bluetooth enabled device firmware) and my work has blocked this website.
2178 days ago
Can't wait to see a video from a half sloppy channel about this on my youtube front page in roughly 4 business days
vessenes8 days ago
Having a guaranteed audio channel makes this so much cooler for exploits -- you can exfiltrate over audio!! I love it. I wonder how many of these were sold. I also imagine based on Creative's response (this is fine) that many other devices in the class have similar security models in place. Def scary.
antran227 days ago
People who love tech buy superdupersmart loudspeaker that will connect to every computer in their house; and also somehow control their superdupersmart coffee maker so they can have a fresh coffee brewed when some Miles Davis play.
People who understand tech keep an axe next to their toaster.
evilos7 days ago
It's funny to see all the commenters who didn't read the article closely enough or at all. This is basically the bluetooth device equivalent of "left S3 bucket open to public".
That said, really cool work. I honestly thought it would be harder to turn a usb connected device into an exploit vector.
That it's as easy as emulating a keyboard that pops a local terminal and runs a malicious command is actually pretty funny. Though it will be a non-admin terminal so the damage should be somewhat limited. And on Windows, users often just click through any UAC prompt so I bet you'd get full access on many windows boxes.
asimovDev8 days ago
I also did some reverse engineering, although mine was a soundcard which seemed to use an older version of this software (GUI was different). I used Wireshark to sniff out the LED and EQ packets and then wrote a CLI utility with hidapi library in C.
It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though
glaslong7 days ago
The 'S' in IoT is for 'Security'
pbhjpbhj7 days ago
So presumably this is cured with device permissions, 'this device may only receive audio data; return confirmations', say. And those Lorraine would need to be at BIOS level, like enrolling devices into SecureBoot, because otherwise for keyboards and mouses you're left with a chicken-egg problem.
Or? There's other mitigations that OS already have in place?
cbdevidal8 days ago
Air-gapped attacks are the most fascinating. Change my mind
moktonar7 days ago
Inexistent security, absent security contacts/hard to get in touch with, denial/delay/won’t patch, most functionality to deploy a backdoor is already present, to me equals bugdoor. This is wanted behavior, not an accident, and is a widespread pattern..
smallnix7 days ago
in order to do anything with CTP over USB, you first have to do challenge-response authentication with the device. The key is static [... ]
Is this some legal thing so they can claim that a protection was circumvented? E.g. to void warranty or be able to sue?
rjmunro8 days ago
While the article only talks about using this as a USB HID keyboard to send attacks, surely if you spent more time creating an evil firmware from scratch you could do much more than this? You could bridge any information from USB -> Bluetooth.
sciencejerk8 days ago
Great research. Thanks for sharing
mavleop8 days ago
This is so refreshing to read. A true throwback in style and content. Makes me nostalgic
lostmsu8 days ago
Wow, that's very creative! /couldn't resist the pun/
a1o8 days ago
This is a cool infection vector for the ai virus from earlier today to use. It could be like NDS feature that it greeted a passerby but now for spreading stuff digitally.
NooneAtAll38 days ago
what ways are there to protect from malicious HID device?
hn_acc17 days ago
Creative is still around? They always had great hardware, but their software was never what one would consider "great".
Mangochutney278 days ago
What an amazing write-up and exploit. Love it!
bradley138 days ago
Good work, and fun to read.
It's crazy that companies just stick their head in the sand, when confronted with serious security issues.
SirFatty8 days ago
The real question remains: with this hack, did the OP gain full control of Dr. Sbaitso?
george_max7 days ago
Not sure what would count as a vulnerability if this does not.
r3tr08 days ago
ebpf usb sniffer you may find useful.
https://github.com/yeet-src/usbsnoop
mikekuharuk8 days ago
Haha, I dont have one, only headphones Jokes on you xD
saltcured7 days ago
"Hacking the poorly secured, combination wired/wireless, multi-protocol bridge controller you naively attached to your PC's universal IO bus"
awedisee8 days ago
Way cool. Thank you for sharing
tj_hustler_19668 days ago
This sounds super cool
Avenassh8 days ago
Side-channel attacks are getting wild. Every time I think we've completely air-gapped a device, someone finds a way to use acoustic frequencies or hardware resonance to leak data.
brogapp8 days ago
Thanks for sharing this. It’s a bit concerning that a consumer soundbar can receive unauthenticated firmware over BLE and then act like a BadUSB-style HID on the host. I’m not sure I agree with the vendor’s "no cybersecurity risk" assessment, considering how much access a trusted keyboard interface typically has.

news.ycombinator.com/item?id=48382310