How a Bluetooth speaker hacked a PC without being touched

A researcher has discovered a way to hack a PC using a Bluetooth speaker. The speaker is a Sound Blaster Katana V2X, which Creative Technologies sells. The researcher, Rasmus Moorats, bought the speaker and wanted to create a Linux tool for it. The speaker connects to a PC via USB or Bluetooth. It uses a system called CTP, which stands for Creative Transport Protocol. CTP allows devices to send commands to the speaker, such as changing LED colors and equalizer settings. Moorats connected to the speaker over Bluetooth without pairing his device first. The speaker did not require any authentication. He sent a command to upload new firmware, and the speaker accepted it without code signing. He created a custom firmware that displayed the word "patched" on the speaker's LED display. The speaker runs FreeRTOS, an open source operating system. FreeRTOS includes HID functions, which allow the speaker to act as a human interface device, like a keyboard. Moorats changed the speaker's USB descriptor set, adding a second descriptor that reported the speaker as a keyboard. He then used code in the firmware to send keypresses. By chaining these steps, he was able to remotely upload custom firmware over the air, which rebooted and typed the command "echo pwned" on the connected PC. The PC executed the command. The attack only works when the attacker is within Bluetooth range of the speaker. Moorats reported his findings to Creative Technologies, but the company did not respond. After CERT Singapore intervened, the company said it does not consider the behavior a vulnerability. The speaker has Bluetooth always on, even in sleep mode, with no way to disable it. This makes the attack possible at any time.