Hacking your PC using your speaker without ever touching it (blog.nns.ee)

582 points by xx_ns 10 hours ago

95 comments:

by rkagerer 2 hours ago

This is a well written article and easy to digest, worth a skim.

In summary he figured out how to reflash arbitrary firmware on a Creative Sound Blaster Katana V2X soundbar via Bluetooth, without requiring any effective authentication or user interaction.

The soundbar is plugged directly into its host computer via USB, so by adding a descriptor to its firmware he made it recognized as a keyboard. From there it was straightforward to have it send keystrokes to the PC. The soundbar is equipped with a mic, so an adversary could turn it into an eavesdropping device.

He reported it to Creative and SingCERT. Neither he nor SingCERT got any meaningful response from the company until 2 months later, eventually saying "they do not consider this to be a vulnerability, as it does not present a cybersecurity risk".

He released a firmware patcher that disables the flawed transport protocol. It's a bit of a sledgehammer that likely also breaks functionality of the official Bluetooth app, but seems like the best he could do without cooperation from the manufacturer.

by hootz 10 hours ago

>Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."

So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.

by Uncle_Brumpus 10 hours ago

"You can just make it type words, what's the risk in that?"

Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.

My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.

by phh 8 hours ago

> "You can just make it type words, what's the risk in that?"

I don't know if it's a useful answer to people saying this kind of stuff, but here are some examples of other attacks arbitrary USB pwn allows.

A USB device can appear as a network adapter and most OS will happily route all your traffic there, so your speaker can know which porn you're looking at!

It can also appear as a DisplayLink dongle, so it can see what's on the screen (it does require those specific drivers installed, and uh yeah, no way in hell it's technically possible on that MCU).

It can also turn it into a mouse jiggler to prevent lock screen (yes it's technically the same thing as your first point, just HID, but different angle).

It can also appear as a USB-storage: You don't trust the cloud, so you're writing those super secret documents to give to your boss on the USB drive you just plugged in? Surprise, you actually sent it to the attacker.

by Ajedi32 6 hours ago

The ability to "type words" is worse than all of that. Just type Win+R, "cmd", Enter and you've got arbitrary code execution on the connected PC. I think that was GP's point. Any competent security team would be aware of such risks.

by xeonmc 6 hours ago

See also the debacle with Razer gaming mice giving you root access just by plugging in, which I think takes the cake for clownshoe software practices almost rivalling Riot Games (though not with the latter's degree of self-congratulatory Dunning-Kruger gusto.)

by hootz 10 hours ago

Oh yeah, for some reason the companies with the highest risk products seem to be the ones that care less about security. Don't even get me started with "smart" bulbs and cameras that each individually connect to your local network and the Internet. You have 5 lightbulbs? That's 5 different devices you need to track, keep updated and trust the vendor firmware's security of.

by zahlman 9 hours ago

> "smart" bulbs

Thankfully I don't think I've seen these for sale.

What sensors would they have that could be exploited by an attacker?

by duckmysick 8 hours ago

You don't need to exploit sensors. If a compromised device is connected to the internet (because the vendor app requires it to set up and control), you can use it as a part of botnet with a nice residential IP address.

by zeta0134 9 hours ago

Shopping in the US, these have entirely replaced zigbee and other sensible mesh-based options at hardware stores like Home Depot and Lowes. The only exception I can find is Philips Hue, and those seem to be slowly getting phased out with (sigh) a new "hubless" (requires wifi) series.

I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.

(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)

by sebastiennight 2 hours ago

> Regular bulbs are still much more common on store shelves, because why fix what isn't broken?

TV manufacturers might want to differ.

by rcxdude 9 hours ago

Probably most of them. It's not exactly an area with a great focus on quality, let alone security.

by gorbachev 8 hours ago

That answer will change very quickly, if someone marches to a Creative show room, sales event or CES and "patches" all of their devices.

by gaudystead an hour ago

That's assuming the attacker informs Creative of the attack. A malicious actor could go to the showroom, update the firmware on all devices, and simply let them continue on as normal, waiting for a future opportunity to strike.

Let's hope Creative patches things before something like this happens.

by riedel 9 hours ago

This quote on risk seems to completely misunderstand the concept of risk. First we have a vulnerability (IMHO that equals a hazard), then we assign both impact and probability and only then we get risk. By definition there are IMHO always vulnerabilities with low impact or low probability and thus low risk. While CVEs have some score, the actual risk and later accepting those risks before or after mitigations is up to the use case to define. No risk => no vulnerability is flawed reasoning by design. No vulnerability => no risk, I think is the only thing we can agree on.

by jeroenhd 6 hours ago

The same can be said about any computer that runs macOS or Windows. Being able to run your own software doesn't have to be a vulnerability per se.

The reflashing interface being available over Bluetooth is weird but you will need physical access to pair with the speaker AFAIK

Edit: I was wrong, this is a BTLE endpoint that works without pairing. In that case, this is a ridiculous vulnerability. I hope they'll patch it in a way that doesn't take away the ability to run your own software.

by protimewaster 8 hours ago

I don't even remember what it is I have learned about Creative Labs in the past, but I went into this pretty sure that Creative Labs was going to fuck it up somehow.

by xnickb 9 hours ago

Yeah, but we already sold the device, so it's someone else's problem. Now if they were paying us a subscription fee..

by jagged-chisel 2 hours ago

It still wouldn’t be our problem because the ToS says the customer accepts all risk and liability.

by 3form 10 hours ago

AND being able to further reprogram the device to gain control of the PC.

This is negligence of the highest kind.

by semiquaver 6 hours ago

In reality, even if they did recognize the severity of this problem, they likely view the cost to remediate it as prohibitive, as it would involve reworking their whole weird janky system. So better to pretend they don’t have to deal with security.

by necovek 2 hours ago

This is why governments need to — and are — stepping in with things like the Cyber Resilience Act in the EU.

If this product continues to sell in EU after Dec 2027, they will have an obligation to update.

by KurSix 10 hours ago

The vendor response is the more worrying part

by HarHarVeryFunny 9 hours ago
by iso1631 9 hours ago

> SingCERT dropped the case

I expect some dodgy company to try to shirk out of it, I don't expect a country's cybersecurity agency to do so

by throwwwll 8 hours ago

Morons they are.

by ikiris 4 hours ago

They must have outsourced their security to MSRC

by m3kw9 8 hours ago

probably not high enough risk to consider one on their list. First you need someone to be physically in there, 2nd the person needs to have a USB speaker connected, which means it's likely a home. 3rd if it's a restaurant or something you need the thing to not play anything first with a lot of restaurant noise

by praptak 7 hours ago

> First you need someone to be physically in there

Bluetooth works fine through walls.

by hootz 7 hours ago

First, you need a skiddie neighbor who knows about your speaker and has an AI agent that can read this article, 2nd...

by nickdothutton 9 hours ago

It is quite common to find device manufacturers, even those of many years standing, who _appear to_ begin with the device and add the software as an afterthought. Paying little attention to security or even the software lifecycle (patches, updates, the changing landscape/ecosystem). I have even known it happen that the device brand subs out the software to a random small developer, who then closes up shop/dies/gets out of that business, and the device company doesn't even have the source code, let alone any ability to further improve/fix the software that drives their device. This leads to layers upon layers of subsequent middleware, UIs, shims etc.

by Klaus23 9 hours ago

Why think so small? Perhaps the speaker itself can be used as the attacker.

Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.

It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".

Edit: Bonus points for closing the security hole and disabling the ability to flash the firmware normally, so that the manufacturer would have to jailbreak the speakers in order to repair them.

by nicce 9 hours ago

> Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.

At least used to. SOTA models are enrolling even bigger restrictions all the time and deprecating old models, while asking government IDs.

by Klaus23 8 hours ago

Ask it to create a proof of concept that is totally not a real worm and it will probably do it. If the restrictions are too good, just use a largely unrestricted open model via any inference provider. They are 90% sota, more than good enough for this task.

by nicce 8 hours ago

For script kiddies, it must be 100% accurate. They don't know how to fix the missing 0,01%. Not sure if open models are there yet. Barely SOTA models are.

by forshaper 7 hours ago

As a lifelong script kiddie, the thing that made it all possible in my youth was simply time. The more time I had, the more hours I could spend figuring out that 0.01%.

by nicce 7 hours ago

That does not sound like script kiddie. More like hacker with its traditional meaning.

by forshaper 5 hours ago

I've never written anything useful from scratch, outside of R or css & html.

by cluckindan 9 hours ago

Flash worm into device and RMA it. Boom.

by federiconafria 8 hours ago

Just flash it in a shop and someone will send it back.

by trashb 7 hours ago

Make sure the new firmware slightly corrupts the audio for guaranteed high return rate.

To be extra malicious, if you can infect a connected pc make it propagate the worm to any similar device plugged into the pc over usb in the future.

by KurSix 10 hours ago

The fact that the author had to publish a third-party patch because the vendor didn't consider it a vulnerability is not a great look

by segmondy 8 hours ago

Are you surprised? Great hack by the author, the impact could be huge if someone is targeted, but overall the impact is very minimal. The vendor can't be bothered. For you to be a victim, you have to own this device, and your attacker has to know that and be within close proximity. Remember that fight club quote?

A = The number of speakers in the field. B = The probable rate of getting hacked. C = The average out-of-court settlement.

The Decision: If the cost of not doing a recall/fix is greater than the cost of a recall, they initiate a recall, yada yada yada (Note that the big cost is if people will stop buying future speakers, I think not)

by stavros 3 hours ago

Let me just turn this hack into a quick Flipper Zero app that makes the speaker play "Fuck Creative" in a loop, let's see whether the vendor is bothered then.

by smithkl42 7 hours ago

If I were in charge of, say, the Mossad, I would have as a significant part of my budget purchasing every single bluetooth device on the market, and set a bunch of underemployed Israeli CS grads to work at finding these vulnerabilities, and then putting them into an easily deployed toolkit. You want an asset with access to, say, an Iranian government office, to be able to walk through the building with a phone and take control of as many machines as possible.

Now that I think about it, I think you have to assume that they probably DO do this...

by drc500free 4 hours ago

This is kind of backwards. There aren't as many CS grads in Israel in the first place, because they already put their top talent through 8200. It's essentially a fully socialized Masters of computer engineering, and as a SIGINT shop they are learning this sort of thing. Once their 2-3 years of service is over (which doesn't result in student loans), the government makes a lot of seed funding available for startups and the TLV ecosystem is like a mini Bay Area.

Living with your parents is more socially acceptable, so they have a huge chunk of people in their 20s with no debt, low monthly expenses, strong technology expertise from their military service, in a founder hot spot, and access to capital. The result is a lot of unicorns, particularly around cyber security (https://www.techaviv.com/unicorns).

Compare to the United States, where you have to dedicate 4 years to an undergrad program, go massively in debt, pay rent, and then struggle to find seed funding. The mental model of "oh, I guess we could apply some of the detritus of our failed system" misses the idea of having a successful system in the first place.

by nkrisc 7 hours ago

An exercise like this sounds like it would be a rounding error in any country's national security or intelligence budgets. And now with AI you could probably automate the initial screening of devices for promising candidates for further manual exploration.

I would be kind of surprised if this wasn't standard practice, unless it's not nearly as productive as one might imagine it to be, and thus maybe not worth the effort. But cases like this show it could be pretty fruitful, but I suppose that depends on how it compares to whatever other methods intelligence agencies have that we may not know about.

by beng-nl 5 hours ago

Just a thought, but: maybe it’s even easier to (as well as do what you suggest, which is a good idea) build and sell buggy (ie backdoored) devices.

What’s easier, marketing or finding bugs :-)

(Not a rhetorical question)

by pessimizer an hour ago

Pretty sure that's what NSO Group (https://en.wikipedia.org/wiki/NSO_Group) is. Israeli intelligence could also just insert vulnerabilities in cheap garbage (or even more expensive garbage like this) for NSO or NSO-like Israeli orgs to take advantage of. We know they sell pagers.

by fusslo 6 hours ago

I write firmware (specifically bluetooth enabled device firmware) and my work has blocked this website.

by antran22 4 hours ago

People who love tech buy a superdupersmart loudspeaker that will connect to every computer in their house; and also somehow control their superdupersmart coffee maker so they can have a fresh coffee brewed when some Miles Davis plays.

People who understand tech keep an axe next to their toaster.

by literalAardvark 2 hours ago

The original meaning of hacker

by 217 10 hours ago

Can't wait to see a video from a half sloppy channel about this on my youtube front page in roughly 4 business days

by exitb 9 hours ago

Do you know that if you turn off saving YouTube history, you can have no front page at all?

by fsckboy 2 hours ago

where do you turn that off?

by Jolter 36 minutes ago

In the mobile app, it’s under Settings -> Manage history

Not that hard to guess, right? ;)

by tarcon 9 hours ago

I guess you can still be first to Linkedin and get all of the fame.

by vessenes 9 hours ago

Having a guaranteed audio channel makes this so much cooler for exploits -- you can exfiltrate over audio!! I love it. I wonder how many of these were sold. I also imagine based on Creative's response (this is fine) that many other devices in the class have similar security models in place. Def scary.

by Uncle_Brumpus 8 hours ago

I somehow hadn't even considered Bluetooth as an option when I read the headline, I immediately thought about INFILTRATING via audio, which also sounds insanely cool, but I couldn't possibly wrap my head around how an audio circuit would have to be set up and connected back to the cpu to pull that off.

Exfiltrating via audio also brings to mind one of those devices I really wanted to build ~20 years ago that can listen to the inside of a room by bouncing a laser beam off a window. Van pulls up in front of your house, pushes malicious code via bluetooth to speaker, which starts shrieking data it stole from the host that's then picked up by the vibrations it imparts on a window by a laser beam. Boom, crypto wallet stolen, or something... you could probably put that in a movie.

by saltcured 3 hours ago

I'm old enough to have visually parsed the headline as "PC speaker" at first, and wondered what kind of amazing phreaking was going to drive the built-in speaker as a microphone and somehow get ingress into the computer. :-)

Yeah the headline isn't as interesting when truthful. I've never owned a "speaker" that plugs into USB. Only the good old analog audio jack, or a USB to toslink adapter that is purely a one-way stream.

by evilDagmar 8 hours ago

Let's not. There's enough overcomplicated nonsense examples of cybersecurity in movies as it is. If you could compromise a device via bluetooth, then you could exfiltrate data via bluetooth just as easily.

by bayesianbot 8 hours ago

It's not a completely unrealistic angle, you could pwn the speaker when someone is traveling with it in public and then exfiltrate data when it's plugged in in a secure environment and you can't connect anymore

by trashb 8 hours ago

you could but I think the inclusion of lasers would make for a better spy / cyberpunk movie. Most "hacking" in movies is not realistic and for show but it being plausible is just a bonus.

by xx_ns 9 hours ago

That would've been a cool PoC to work on as well, but seems a fair bit more complicated than the BadUSB-style attack I ended up doing. Would've had to do a lot more RE to figure out how to interact with the whole microphone subsystem, I think.

by vessenes 9 hours ago

I guess you could just construct a wav file from the shell and then play it. Agreed doing it all on device sounds challenging.

by glaslong 3 hours ago

The 'S' in IoT is for 'Security'

by asimovDev 9 hours ago

I also did some reverse engineering, although mine was a soundcard which seemed to use an older version of this software (GUI was different). I used Wireshark to sniff out the LED and EQ packets and then wrote a CLI utility with hidapi library in C.

It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though

by moktonar 3 hours ago

Inexistent security, absent security contacts/hard to get in touch with, denial/delay/won’t patch, most functionality to deploy a backdoor is already present, to me equals bugdoor. This is wanted behavior, not an accident, and is a widespread pattern..

by smallnix 4 hours ago

> in order to do anything with CTP over USB, you first have to do challenge-response authentication with the device. The key is static [... ]

Is this some legal thing so they can claim that a protection was circumvented? E.g. to void warranty or be able to sue?

by cbdevidal 9 hours ago

Air-gapped attacks are the most fascinating. Change my mind

by IAmBroom 6 hours ago

Yes, and aircraft carriers are more fascinating than OTS drones carrying grenades.

Yet...

by rjmunro 7 hours ago

While the article only talks about using this as a USB HID keyboard to send attacks, surely if you spent more time creating an evil firmware from scratch you could do much more than this? You could bridge any information from USB -> Bluetooth.

by berkes 6 hours ago

What Bluetooth profile would allow "more" than a HID?

by a1o 6 hours ago

This is a cool infection vector for the ai virus from earlier today to use. It could be like NDS feature that it greeted a passerby but now for spreading stuff digitally.

by kfarr 6 hours ago

> ai virus from earlier today

curious what this means...

by sciencejerk 9 hours ago

Great research. Thanks for sharing

by NooneAtAll3 7 hours ago

what ways are there to protect from malicious HID device?

by berkes 6 hours ago

I know of https://usbguard.github.io/

But I remember that on Linux changing some /etc/udev file helped me with some naggy bug long ago. I worked temporarily in an office with several wonky USB keyboards. Whenever someone disconnected their tablet or laptop from their KB (ie shut the lid), my linux would pick it up and suddenly connect to this KB. A little googling and some trial-error and I had my linux set up so that it would only connect to whitelisted USB devices.

Which, months later, caused me insane headaches when I could not find why a new USB microphone wasn't working, despite it being advertised as "works on linux"....

by JdeBP 4 hours ago

My computers ignore USB HIDs other than the ones that I have explicitly permitted. Unfortunately, this is a major architectural revamp for many operating systems. The idea that every HID is automatically added to a keyboard/mouse 'multiplexer', that provides a single combined input stream, is a pervasive one.
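The allowlist idea in the two comments above (only explicitly permitted HIDs get to type), worked through as an added example that is not code from the thread, from USBGuard or from any project: a device not on the allowlist keeps its audio interfaces but has every HID interface deauthorized, using Linux's per-interface `authorized` sysfs attribute. Vendor/product IDs and the soundbar's interface layout are constructed placeholders, and the sysfs path layout is an assumption.

```python
"""Per-interface USB authorization plan for unknown HID devices (added example).

Judges a device by the interface classes it exposes, not by what it claims to
be.  Uses Linux interface authorization (/sys/bus/usb/devices/<dev>:<cfg>.<n>/
authorized, kernel 4.4+); that path layout is assumed here.  Sample devices
below are constructed with placeholder IDs.
"""
from dataclasses import dataclass
from pathlib import Path

HID_CLASS = 0x03  # USB interface class for Human Interface Devices


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int

    def triplet(self) -> str:
        """USBGuard-style class:subclass:protocol string, e.g. 03:01:01."""
        return f"{self.cls:02x}:{self.subclass:02x}:{self.protocol:02x}"


@dataclass
class UsbDevice:
    sysname: str      # bus-port name under /sys/bus/usb/devices, e.g. "1-3"
    vid: int
    pid: int
    interfaces: tuple


def plan(dev: UsbDevice, allowlist: set) -> dict:
    """Map interface number -> authorized?  Allowlisted devices keep every
    interface; any other device keeps only its non-HID interfaces.  The match
    is on vid:pid, which a reflashed device keeps, so list only the input
    devices you actually own, never the speaker itself."""
    if (dev.vid, dev.pid) in allowlist:
        return {i.number: True for i in dev.interfaces}
    return {i.number: i.cls != HID_CLASS for i in dev.interfaces}


def blocked_triplets(dev: UsbDevice, allowlist: set) -> list:
    """Interfaces the plan would deauthorize, as class:subclass:protocol."""
    decision = plan(dev, allowlist)
    return [i.triplet() for i in dev.interfaces if not decision[i.number]]


def sysfs_writes(dev: UsbDevice, decision: dict, config: int = 1) -> list:
    """Translate a plan into (path, value) pairs for the interface `authorized`
    attribute.  Configuration 1 is assumed; check bConfigurationValue first."""
    return [(f"/sys/bus/usb/devices/{dev.sysname}:{config}.{n}/authorized",
             "1" if ok else "0") for n, ok in sorted(decision.items())]


def read_device(dev_dir: Path) -> UsbDevice:
    """Build a UsbDevice from a sysfs device directory: idVendor, idProduct and
    the bInterface* attributes of each '<sysname>:<cfg>.<n>' subdirectory."""
    hexval = lambda p: int(p.read_text().strip(), 16)  # sysfs prints hex
    ifaces = tuple(Interface(hexval(d / "bInterfaceNumber"), hexval(d / "bInterfaceClass"),
                             hexval(d / "bInterfaceSubClass"), hexval(d / "bInterfaceProtocol"))
                   for d in sorted(dev_dir.glob(f"{dev_dir.name}:*.*")))
    return UsbDevice(dev_dir.name, hexval(dev_dir / "idVendor"),
                     hexval(dev_dir / "idProduct"), ifaces)


# Constructed samples: the same soundbar before and after a hostile reflash
# that adds a boot-protocol keyboard interface (03:01:01), plus your keyboard.
AUDIO_IFACES = (Interface(0, 0x01, 0x01, 0x00),   # audio control
                Interface(1, 0x01, 0x02, 0x00),   # audio streaming
                Interface(2, 0x03, 0x00, 0x00))   # HID volume keys (legit)
SOUNDBAR = UsbDevice("1-3", 0x1234, 0x5678, AUDIO_IFACES)
REFLASHED = UsbDevice("1-3", 0x1234, 0x5678, AUDIO_IFACES + (Interface(3, 0x03, 0x01, 0x01),))
MY_KEYBOARD = UsbDevice("1-4", 0xabcd, 0x0001, (Interface(0, 0x03, 0x01, 0x01),))
ALLOWLIST = {(0xabcd, 0x0001)}  # only the keyboard you own

if __name__ == "__main__":
    for dev in (SOUNDBAR, REFLASHED, MY_KEYBOARD):
        print(dev.sysname, "blocked:", blocked_triplets(dev, ALLOWLIST))
        for path, val in sysfs_writes(dev, plan(dev, ALLOWLIST)):
            print("  echo", val, ">", path)
```

The trade-off is visible in the sample: the legitimate soundbar loses its volume-key HID interface too, because the interface class alone cannot distinguish consumer-control buttons from a keyboard; audio keeps working and the added keyboard interface never gets a driver.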

by fsflover 4 hours ago

Use Qubes OS, https://qubes-os.org.

by mavleop 5 hours ago

This is so refreshing to read. A true throwback in style and content. Makes me nostalgic

by r3tr0 5 hours ago

ebpf usb sniffer you may find useful.

https://github.com/yeet-src/usbsnoop

by bradley13 10 hours ago

Good work, and fun to read.

It's crazy that companies just stick their head in the sand, when confronted with serious security issues.

by Mangochutney27 6 hours ago

What an amazing write-up and exploit. Love it!

by SirFatty 9 hours ago

The real question remains: with this hack, did the OP gain full control of Dr. Sbaitso?

by saltcured 3 hours ago

"Hacking the poorly secured, combination wired/wireless, multi-protocol bridge controller you naively attached to your PC's universal IO bus"

by lostmsu 7 hours ago

Wow, that's very creative! /couldn't resist the pun/

by mikekuharuk 7 hours ago

Haha, I don't have one, only headphones. Joke's on you xD

by awedisee 9 hours ago

Way cool. Thank you for sharing

by tj_hustler_1966 7 hours ago

This sounds super cool

by Avenassh 5 hours ago

Side-channel attacks are getting wild. Every time I think we've completely air-gapped a device, someone finds a way to use acoustic frequencies or hardware resonance to leak data.

by wildzzz 4 hours ago

Good job reading the actual article. It's not an audio or RF side-channel attack where data is exfiltrated at a handful of bits per second, it's an attack on an unsecured BLE endpoint that can be converted into a rubber ducky.

by brogapp 9 hours ago

Thanks for sharing this. It’s a bit concerning that a consumer soundbar can receive unauthenticated firmware over BLE and then act like a BadUSB-style HID on the host. I’m not sure I agree with the vendor’s "no cybersecurity risk" assessment, considering how much access a trusted keyboard interface typically has.

by cestith 8 hours ago

The point is this is a speaker, not a keyboard. A keyboard usually takes manual input from a human or from a cat. This is a speaker that, after an unauthenticated connection, can act as if it’s a keyboard, which is an unintended functionality from the factory.

by mminer237 9 hours ago

If you can "just type stuff", it is absolutely trivial to download absolutely any payload you want as long as you have network access and your antivirus doesn't stop it.

Data from: Hacker News, provided by Hacker News (unofficial) API