Rasmus Moorats, a cybersecurity expert, recently posted on his blog about his successful attempt to hijack a Creative gaming soundbar by simply reverse engineering its firmware. More to the point, he did that without even having to physically interact with the device or wirelessly pair with it.
The Creative soundbar in question is the Katana V2X, and Moorats says that he was able to gain access to it by exploiting an unauthenticated Bluetooth interface, with no firmware signing in place. Basically, a threat actor would be able to push custom firmware to the audio device over the air and transform it into a keyboard that types commands into the host PC it is connected to via its required USB port.

Moorats further explains that he also managed to weaponise the hack by editing the speaker’s USB descriptor set so that it would effectively become a keyboard, in addition to the media controls that it comes with by default. To do this, his firmware ran a modified build of FreeRTOS with an unused diagnostic task that waits for the USB subsystem to come up, then types and runs a command on every boot.
To provide some cursory background, and to borrow the explanation from Tom’s Hardware: reprogramming a trusted USB peripheral so that it presents itself as a keyboard is how BadUSB works, the technique Karsten Nohl and Jakob Lell presented at Black Hat back in 2014, when they warned that most USB controllers shipped without firmware authenticity checks.

As mentioned, the attack needs no physical access to the soundbar: the tampered hardware is something the victim already owns and trusts.
But perhaps the most egregious part, at least to Moorats, was the response he got from Creative, and understandably so. Unless you have direct contact with its folks, the Singapore-based company isn’t easy to get in touch with. He contacted the company through the brand’s support web form, and after two failed attempts at getting a response, he took the drastic measure of reporting his findings to the Singapore Cyber Emergency Response Team (SingCERT), which was also a struggle.

Creative eventually responded, telling him that it “did not consider this to be a vulnerability, as it does not present a cybersecurity risk”. Ultimately, Moorats decided to release a tool that patches the CTP-over-Bluetooth flaw and reflashes the speaker over USB. Mind you, this fix isn’t official: Moorats doesn’t have the official source code, so applying it may break the speaker’s compatibility with Creative’s own mobile app.
(Source: Moorats, Tom’s Hardware)

