
Creative Soundbar Hack Hits a Bad Note

Turn it up to pwned. No authentication, no pairing, no physical access — just a custom firmware pushed over Bluetooth and a Katana V2X that now spies, types, and won’t easily forget how.

It’s open mic night for Creative’s Katana V2X – and no laughing matter for anyone within Bluetooth range.

Researcher Rasmus Moorats says the soundbar accepts unauthenticated firmware over the air, letting an attacker eavesdrop through its mics or type commands straight into the connected PC.

Research published Wednesday describes how the niche line of PC soundbars can be hijacked from across the room, no password required.

In a statement to Security Point Break Thursday, the company said “Creative has launched a thorough investigation involving all stakeholders.” Creative’s Low Shek Chian told SPB an update to our inquiry is forthcoming.

Moorats, of nns.ee, found that the Creative Sound Blaster Katana V2X can be remotely compromised over Bluetooth, turning the speaker into both a covert listening device and a way to seize control of the PC it’s plugged into — all with zero authentication and no need to ever touch the hardware.

The Katana V2X is a roughly $280 gaming soundbar built to sit under a monitor, and is a well-reviewed fixture of Creative’s long-running Katana line — though Creative remains a niche player in PC and gaming audio.

According to Moorats, a noted pen tester whose earlier Hikvision research was cited by SANS’ Internet Storm Center, the trouble starts with how the soundbar handles commands over the air.

Like most speakers these days, the Katana V2X takes commands over a local Bluetooth connection, normally so a phone app can tweak settings like the LED lighting or volume. To do that, it uses a proprietary protocol Creative calls CTP.

“Basically, it seems to be a fairly simple proprietary protocol for sending various commands and reading the responses to that,” Moorats wrote.

The problem is what’s missing. Over USB, those commands require a handshake first. Over Bluetooth, Moorats found, they don’t. Any device within roughly 50 feet can connect and start firing off CTP commands, reading data and changing settings, with no pairing and no authentication.

The Creative Sound Blaster Katana V2X soundbar and subwoofer. (Image: Creative)

Worse, firmware updates ride on that same protocol, and the firmware itself is barely guarded. Instead of a cryptographic signature, the device checks only a SHA-256 checksum that Moorats says is trivial to patch. So a stranger nearby can craft custom firmware, push it over Bluetooth, and the speaker will happily install it.
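Why a bare checksum is not a signature, shown as an added example that is not code from Moorats or Creative: the image layout and firmware bytes are constructed, and a toy unpadded RSA key stands in for a real scheme such as Ed25519 or RSA-PSS. A checksum-only check catches accidental corruption but accepts any altered body whose hash has been recomputed, while a signature check needs a private key the device never holds.

```python
import hashlib

# Toy RSA key from two well-known Mersenne primes. Constructed for this example:
# it is trivially factorable and unpadded, standing in for Ed25519 or RSA-PSS.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the vendor
SIG_LEN = (N.bit_length() + 7) // 8

def digest_int(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def checksum_image(body: bytes) -> bytes:
    """Hypothetical layout: body followed by its unkeyed SHA-256."""
    return body + hashlib.sha256(body).digest()

def checksum_ok(image: bytes) -> bool:
    """Integrity only: passes for any body whose trailing hash matches."""
    return len(image) > 32 and hashlib.sha256(image[:-32]).digest() == image[-32:]

def signed_image(body: bytes) -> bytes:
    """Vendor side: body followed by a signature made with the private key."""
    return body + pow(digest_int(body), D, N).to_bytes(SIG_LEN, "big")

def signature_ok(image: bytes) -> bool:
    """Device side: verifies with the public values N and E only."""
    if len(image) <= SIG_LEN:
        return False
    sig = int.from_bytes(image[-SIG_LEN:], "big")
    return sig < N and pow(sig, E, N) == digest_int(image[:-SIG_LEN])

def compare_checks() -> dict:
    released = b"CONSTRUCTED FIRMWARE BODY rev=1"   # constructed sample bytes
    altered = b"CONSTRUCTED FIRMWARE BODY rev=X"    # same image, one byte changed
    corrupted = bytearray(checksum_image(released))
    corrupted[3] ^= 0x01                            # simulated transfer error
    old_sig = signed_image(released)[-SIG_LEN:]     # all a third party can reuse
    return {
        "checksum_catches_corruption": not checksum_ok(bytes(corrupted)),
        "checksum_accepts_altered": checksum_ok(checksum_image(altered)),
        "signature_accepts_released": signature_ok(signed_image(released)),
        "signature_accepts_altered": signature_ok(altered + old_sig),
    }
```
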

From there, the speaker becomes whatever the attacker wants. The Katana V2X ships with built-in microphones, which makes the eavesdropping scenario the obvious one.

“The speaker has a microphone,” Moorats wrote. “An attacker could, theoretically, upload a custom firmware that effectively turns the speaker into a covert monitoring device, listening in on conversations and forwarding them to a receiver over Bluetooth.”

Because the soundbar sits on a USB connection, the host treats it as a trusted device. Moorats rewrote the firmware so the speaker also registers as a keyboard, then had it type commands into the machine on boot — a remote, wireless spin on the classic “Rubber Ducky” attack, in which a gadget masquerading as a keyboard fires off its own keystrokes. His proof of concept just types “echo pwned” into a terminal; a real intruder would reach for something far nastier, like a malicious PowerShell one-liner.
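A host-side check for the behaviour described above, as an added example that is not part of Moorats' research: on Linux, record which USB interfaces each device exposes while it is known good, then flag any known device that later presents an extra HID interface. The sysfs attribute names are the standard Linux ones; the device ID and snapshots are constructed, and a keyboard declared only in a HID report descriptor would need descriptor parsing that this sketch does not do.

```python
import os
from collections import Counter

SYSFS_USB = "/sys/bus/usb/devices"          # Linux sysfs view of attached USB devices
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
HID_CLASS = 0x03                             # USB class code for HID (keyboards, mice)

def read_attr(root, entry, name):
    with open(os.path.join(root, entry, name)) as f:
        return f.read().strip()

def snapshot(root=SYSFS_USB):
    """Map 'vendor:product' to the sorted interface triples each device exposes."""
    snap = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:                 # interface entries look like 1-2:1.0
            continue
        dev = entry.split(":")[0]
        try:
            key = read_attr(root, dev, "idVendor") + ":" + read_attr(root, dev, "idProduct")
            triple = tuple(int(read_attr(root, entry, f), 16) for f in FIELDS)
        except (OSError, ValueError):
            continue                         # root hubs and vanished devices
        snap.setdefault(key, []).append(triple)
    return {k: sorted(v) for k, v in snap.items()}

def new_hid_interfaces(baseline, current):
    """HID interfaces a known device exposes now that its baseline did not."""
    findings = {}
    for key, triples in current.items():
        if key not in baseline:
            continue                         # unknown device: left to device-control policy
        added = Counter(triples) - Counter(baseline[key])
        hid = sorted(t for t in added.elements() if t[0] == HID_CLASS)
        if hid:
            findings[key] = hid
    return findings

# Constructed snapshots; "ffff:0001" is a placeholder ID, not the Katana's.
# (0x03, 0x01, 0x01) is a HID boot-protocol keyboard interface.
BASELINE = {"ffff:0001": [(0x01, 0x01, 0x00), (0x01, 0x02, 0x00), (0x03, 0x00, 0x00)]}
AFTER = {"ffff:0001": BASELINE["ffff:0001"] + [(0x03, 0x01, 0x01)]}
```

Save `snapshot()` output as the baseline while the device is trusted, then compare later snapshots with `new_hid_interfaces(baseline, snapshot())`.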

A couple of details make it stickier. The Bluetooth radio has no off switch and stays awake even in sleep mode, so the attack surface never fully closes. And a determined attacker could disable the update routine on the way out, leaving the rogue firmware all but impossible to remove.

Back in 2016, researchers at Bastille Networks demonstrated MouseJack, a set of flaws in scores of wireless keyboards and mice that let an attacker inject keystrokes into a victim’s PC from as far as 100 meters away using about $15 of radio gear — again because vendors had rolled their own wireless protocols and skipped the encryption. The Katana V2X is the same story: a homegrown protocol, trusted by the host, with the security left out.

None of this is push-button easy. The reverse-engineering took real effort, and your average hacker likely won’t bother. But once the attack is built, running it takes no pairing, no physical access, and no special skill.

Creative, for its part, isn’t biting, according to Moorats. After he failed to reach the company directly, Singapore’s SingCERT stepped in as a go-between. He said roughly two months later, Creative responded that it does not consider the issue a vulnerability, on the grounds that it presents no cybersecurity risk, and SingCERT dropped the case. No official patch is coming, and Moorats says the latest firmware remains exposed.

Owners who’d rather not wait can grab Moorats’ home-brewed fix — a tool that patches the firmware to block CTP over Bluetooth, though it will likely break Creative’s mobile app in the process.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in cybersecurity.

UPDATE: This article was updated at 7am ET, 6/4 with a comment from Creative.