
The Katana V2X communicates with Creative's desktop app via a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy, the same protocol accepts the same commands without authentication or pairing, so any device in range could read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after editing the image.
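The distinction the paragraph turns on is integrity versus authenticity: an unkeyed SHA-256 trailer detects accidental corruption, but whoever can edit the image can also regenerate it. The added example below (not Creative's or Moorats' code; the image bytes and vendor key are constructed placeholders) shows a checksum-only trailer accepting a modified image while a keyed HMAC-SHA256 trailer, used here as the simplest stand-in for a proper signature, rejects it.

```python
import hashlib
import hmac

# Constructed stand-in for a firmware image; not Creative's real file format.
FIRMWARE = b"KATANA-V2X-FW constructed sample image " + bytes(range(64))
# Constructed vendor-side key; a device verifier holds only what it needs to check.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"
DIGEST_LEN = 32  # SHA-256 and HMAC-SHA256 both produce 32 bytes


def package_checksum(image: bytes) -> bytes:
    """Checksum-only packaging: image || SHA-256(image).
    Anyone able to edit the image can recompute this trailer."""
    return image + hashlib.sha256(image).digest()


def verify_checksum(blob: bytes) -> bool:
    image, trailer = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(image).digest(), trailer)


def package_mac(image: bytes, key: bytes) -> bytes:
    """Keyed packaging: image || HMAC-SHA256(key, image).
    A valid trailer now requires the key, which the editor does not hold."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def verify_mac(blob: bytes, key: bytes) -> bool:
    image, trailer = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, trailer)


def modify_and_repackage(blob: bytes) -> bytes:
    """Model the scenario in the text: change the image body, then rebuild the
    only trailer that needs no secret (a plain SHA-256 checksum)."""
    image = bytearray(blob[:-DIGEST_LEN])
    image[8] ^= 0x01  # a single-bit change somewhere in the body
    return package_checksum(bytes(image))


def demo() -> dict:
    checksummed = package_checksum(FIRMWARE)
    keyed = package_mac(FIRMWARE, VENDOR_KEY)
    return {
        "checksum_original": verify_checksum(checksummed),            # True
        "checksum_edited": verify_checksum(modify_and_repackage(checksummed)),  # True: undetected
        "mac_original": verify_mac(keyed, VENDOR_KEY),                # True
        "mac_edited": verify_mac(modify_and_repackage(keyed), VENDOR_KEY),      # False: rejected
    }
```

A real device would use an asymmetric signature so that the verifier needs only a public key; HMAC is used here only because it is in the standard library and makes the same point.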
To weaponize that, he edited the speaker's USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already provided. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed "echo pwned," but the same routine could open PowerShell and paste a malicious one-liner.
Reprogramming a trusted USB peripheral so that it presents itself as a keyboard is the BadUSB technique that Karsten Nohl and Jakob Lell presented at Black Hat in 2014, when they warned that most USB controllers shipped without firmware authenticity checks.
Getting in touch with the speaker's manufacturer, Creative, was the harder part of the work, Moorats wrote, because the only way to contact the company is via its support web form. After two failed attempts, he instead reported the issue through the Singapore Cyber Emergency Response Team (SingCERT), which itself struggled to get a response.
Creative's eventual reply, according to his account, was that they "do not consider this to be a vulnerability, as it does not present a cybersecurity risk." Moorats ended up doing Creative's work for it, releasing a tool that downloads Creative's official firmware, patches out CTP-over-Bluetooth, and reflashes the speaker over USB. Doing so likely breaks Creative's mobile app, however, and Moorats noted that adding proper authentication is hard without the company's source code. Bluetooth on the speaker stays on even in sleep mode, with no obvious way to disable it.
- https://www.tomshardware.com/tech-industry/cyber-security/creatives-sound-blaster-katana-v2x-can-be-hijacked-over-bluetooth#main