A Bluetooth speaker hacked a PC without touch

A researcher found a way to hack a PC using a speaker. The speaker is a Sound Blaster Katana V2X. Creative Technologies sells it. The researcher is Rasmus Moorats. He bought the speaker. He wanted to create a Linux tool for it. The speaker connects to a PC with USB. It also uses Bluetooth. The speaker has a system called CTP. CTP stands for Creative Transport Protocol. CTP sends commands to the speaker. It changes LED colors and equalizer settings. The researcher connected to the speaker with Bluetooth. He did not need to pair his device first. The speaker did not ask for authentication. He sent a command to upload new firmware. The speaker accepted the new firmware. It did not use code signing. The researcher made a custom firmware. It showed the word "patched" on the speaker's display. The speaker runs FreeRTOS. FreeRTOS has HID functions. HID stands for Human Interface Device. Keyboards and mice are HID devices. The speaker can act like a keyboard. The researcher changed the USB descriptor. The speaker now reported itself as a keyboard. Then the speaker sent keypresses to the PC. The researcher used his device to send commands. The speaker typed "echo pwned" on the PC. The PC executed the command. The attack works over Bluetooth. The attacker must be within Bluetooth range. The researcher reported the problem to Creative Technologies. The company did not answer. CERT Singapore helped. The company said it is not a vulnerability. The speaker has Bluetooth always on. There is no way to disable it. This makes the attack possible.