TechRadar
Isaiah Williams

Creative's Katana V2X speaker potentially has a serious vulnerability that could allow hackers to attack your PC, and there's only one way to avoid it

Render of Katana V2X speakers.
  • A cybersecurity researcher has discovered a major vulnerability in a popular PC speaker
  • The Creative Sound Blaster Katana V2X speakers can reportedly be used to hack users' PCs via Bluetooth
  • Creative won't provide a patch as it's not viewed as a vulnerability, but a temporary third-party fix is available

Discovering potential PC vulnerabilities is undoubtedly of high importance for any user, especially with hackers finding new and easier ways of exploiting systems — and unfortunately, there's one way a popular peripheral can apparently lead attackers to hit PCs.

As reported by Notebookcheck, a cybersecurity researcher, Rasmus Moorats, has discovered that the Creative Sound Blaster Katana V2X speakers can reportedly be used to hack a user's PC via a Bluetooth Low Energy exploit, which has been dubbed Pwnd Blaster.

All that is required, according to the researcher, is for a PC user to have the Katana V2X connected to their PC via USB, and anybody within 15 meters (and with the know-how) can use Bluetooth and the Creative app to connect to the speaker.

This is all possible, it seems, without ever having to pair beforehand, and the attacker can ultimately turn the speaker into a covert keystroke injector by flashing its firmware, which allows changes to be made to the HID descriptor.

Effectively, what this does is allow a potential hacker to use the speaker as a keyboard and, therefore, execute malicious code — and in a real-world scenario, this would likely be done via PowerShell, serving as a significant threat to PC security.


What makes matters worse is that there is no dedicated way to disable Bluetooth functionality on the Katana V2X, essentially leaving it open and vulnerable to any nearby attackers who know how to execute this exploit.

Moorats reached out to Creative to see if this could be patched, but reports he was told it wasn't considered a vulnerability, as it "does not present a cybersecurity risk", so no patch will arrive to stop this from occurring.

Fortunately, the range limit of Bluetooth applies here: an attacker would need to be within 15 meters, and most importantly, Moorats has already created a partial fix via a tool available on GitHub. So, it's not the end of the world, especially because the chances of a hacker being within 15 meters (at least at home) are slim.

Perhaps the bigger concern is the potential vulnerabilities that may be present among many other peripherals, particularly those that are connected via Bluetooth and USB — and that's a scary thought for any PC user.
