
The Katana V2X communicates with Creative's desktop app via a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy, the same protocol accepts the same commands without authentication or pairing, so any device in range could read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after editing the image.
To weaponize that, he edited the speaker's USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already provided. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed "echo pwned," but the same routine could open PowerShell and paste a malicious one-liner.
Reprogramming a trusted USB peripheral into a keyboard is how BadUSB works. Karsten Nohl and Jakob Lell presented that technique at Black Hat back in 2014, when they warned that most USB controllers shipped without firmware authenticity checks.
Getting in touch with the speaker’s manufacturer, Creative, was the harder part of the work, Moorats wrote, because the only way to contact the company is via its support web form. After two failed attempts, he instead reported the issue via the Singapore Cyber Emergency Response Team (SingCERT), which itself struggled to get a response.
Creative's eventual reply, according to his account, was that they “do not consider this to be a vulnerability, as it does not present a cybersecurity risk.” Moorats ultimately ended up doing Creative’s work for it, releasing a tool that downloads Creative's official firmware, patches out CTP-over-Bluetooth, and reflashes the speaker over USB. Doing so likely breaks Creative's mobile app, however, and Moorats noted that adding proper authentication is hard without the company's source code. Bluetooth on the speaker stays on even in sleep mode, with no obvious way to disable it.