Most computers refuse to take orders from devices they don’t already trust. Operating system makers pile on safeguards so that running code on someone else’s machine takes real effort. So it stings to learn that one popular soundbar throws all of that away — and that an attacker only needs to be within Bluetooth range to walk right in.

Key Takeaways:
- A flaw in Creative’s Sound Blaster Katana V2X lets anyone roughly 15 meters away push malicious firmware to the speaker over Bluetooth, with no pairing and no physical contact.
- Once reprogrammed, the speaker pretends to be a keyboard and types the attacker’s commands straight into the connected PC.
- Creative declined to treat the behavior as a vulnerability and has shipped no fix; the speaker’s Bluetooth radio stays on even in sleep mode.

The device in question is the Sound Blaster Katana V2X, a soundbar from Singapore-based Creative Technologies that sells for $283 and earns warm reviews for its sound. It connects to Windows, macOS, and Linux machines over USB or Bluetooth.
A speaker that becomes a keyboard
Researcher Rasmus Moorats found the hole by accident. He bought a Katana V2X, wanted to write a Linux tool to talk to it, and worked out how through CTP, a proprietary channel he figures stands for Creative Transport Protocol. CTP lets a connected device adjust things like LED colors and equalizer settings, and lets the speaker answer back.
Then came the surprise. His Bluetooth device reached the speaker — itself plugged into a PC over USB — with no authentication and no pairing first. One CTP command, labeled “upload new firmware to device,” let him swap the official firmware for his own. Nothing checked code signatures or blocked unofficial images.
After loading a harmless test build that flashed the word “patched” on the LED display, Moorats kept digging. The Katana V2X runs FreeRTOS, the open source operating system, which carried a set of HID functions so the speaker could behave as a human interface device — the category that covers keyboards, mice, and webcams. The stock build only handled volume and play-pause.
So he rewrote the speaker’s USB descriptor set, the report that tells a computer what a peripheral can do. He bolted on a second descriptor that announced the speaker as a keyboard, then reused code already in the firmware to fire off keypresses. The next question was obvious: could he relay his own commands through the speaker and into the PC? He could. In a blog post published on Wednesday, he wrote:
“Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.”
He added what a real attacker would do with the same trick:
“In a real attack scenario, I would execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it impossible to wipe the malicious firmware from the device or patch it in the future.”
Always listening
The problem gets sharper because Bluetooth never switches off on this speaker, not even in sleep mode, with no apparent way to turn it off. Before the speaker and the USB-connected machine talk, they run a challenge-and-response handshake. The software performs it automatically at boot, so it rarely slows an attacker down. In a few cases — for instance, when the Katana V2X app isn’t running — the handshake is required, yet the correct answer can be pulled straight from the app binary that ships with the speaker. For Bluetooth-connected devices, no challenge and response is needed at all.
Moorats took his findings to Creative and heard nothing. He then pulled in CERT Singapore to push the matter along, and the company eventually replied through them: Creative engineers said they do not consider this to be a vulnerability, as it does not present a cybersecurity risk. Moorats tested the attack against a connected Windows machine. As of June 7, Creative had also pulled the firmware download links for the Katana V2/V2X/SE, which broke a third-party mitigation tool that had relied on those files for clean firmware.
It is worth stressing that all of this works only when the attacker sits within Bluetooth range. That is a real limit — it narrows the threat to neighbors, housemates, or people in an office next door. Even so, the idea of a Bluetooth gadget quietly serving as a relay into your PC and a listening device is not comforting, and it opens a wider question: which other Bluetooth peripherals leave their owners exposed the same way?
Why this fits a bigger pattern
The keyboard-impersonation trick is not new in spirit. Security researchers first demonstrated BadUSB at Black Hat in 2014, showing that a peripheral’s firmware could be rewritten to pose as a keyboard and inject commands the operating system trusts by default. Tools like the Rubber Ducky later turned the technique into a point-and-click gadget. What changes here is the delivery: earlier attacks needed someone to physically plug in a doctored device, while this one weaponizes hardware the victim already owns and trusts, reachable from across a room. Anyone curious about the lineage can read up on the BadUSB technique and how it sidesteps antivirus by operating below the software layer.
The deeper issue is the trust we hand to consumer gadgets that ship with networked radios and rewritable firmware but skimp on code signing. We have seen wireless flaws hand attackers control of devices without pairing before, including the BlueBorne set of Bluetooth bugs disclosed in 2017. When a manufacturer decides an over-the-air firmware swap is not a security concern, owners are left to mitigate it themselves — by isolating the device on the network, watching USB activity, or simply unplugging the speaker when it is not in use. For a $283 soundbar that keeps its radio awake around the clock, that is an awkward bargain.
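The keyboard descriptor that the modified firmware adds is visible to the host, so "watching USB activity" can start with checking what each HID interface of a peripheral declares. The following Python is an added example, not code from Moorats or Creative; the sample descriptors and interface names are constructed for illustration, and the parser covers the general HID report descriptor item format rather than anything specific to this speaker.

```python
# Added example: find HID interfaces that declare a keyboard or keypad.
GENERIC_DESKTOP, KEYBOARD, KEYPAD, APPLICATION = 0x01, 0x06, 0x07, 0x01

# Constructed sample descriptors, not captured from a Katana V2X.
MEDIA_KEYS = bytes.fromhex(   # Consumer Control: volume up/down, play/pause
    "05 0C 09 01 A1 01 15 00 25 01 09 E9 09 EA 09 CD"
    " 75 01 95 03 81 02 95 05 81 01 C0")
KEYBOARD_IF = bytes.fromhex(  # Generic Desktop / Keyboard
    "05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01 75 01 95 08 81 02"
    " 95 01 75 08 81 01 95 06 75 08 15 00 25 65 19 00 29 65 81 00 C0")


def application_usages(desc: bytes):
    """Return (usage_page, usage) of every top-level Application collection."""
    found, page, usages, depth, i = [], 0, [], 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: size, tag, data
            if i + 1 >= len(desc):
                break
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        if i + 1 + size > len(desc):
            break                                # truncated item, stop parsing
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        kind = prefix & 0xFC                     # tag and type, size bits cleared
        if kind == 0x04:                         # Global: Usage Page
            page = data
        elif kind == 0x08:                       # Local: Usage (4-byte form has its own page)
            usages.append((data >> 16, data & 0xFFFF) if size == 4 else (None, data))
        elif kind == 0xA0:                       # Main: Collection
            if depth == 0 and data == APPLICATION and usages:
                p, u = usages[-1]
                found.append((page if p is None else p, u))
            depth += 1
        elif kind == 0xC0:                       # Main: End Collection
            depth = max(depth - 1, 0)
        if (prefix & 0x0C) == 0:                 # every Main item resets Local state
            usages = []
        i += 1 + size
    return found


def keyboard_interfaces(descriptors: dict):
    """Names of interfaces whose descriptor declares a keyboard or keypad."""
    return sorted(name for name, d in descriptors.items()
                  if any(p == GENERIC_DESKTOP and u in (KEYBOARD, KEYPAD)
                         for p, u in application_usages(d)))
```

On Linux the raw bytes for each HID interface can be read from /sys/bus/hid/devices/*/report_descriptor. A speaker whose stock firmware only exposes media controls but now reports a Generic Desktop keyboard collection is the change to investigate.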
Written by Alius Noreika







