Notebookcheck

This popular $300 PC speaker can be used to hack your PC, and no patch is coming

An image of the Creative Katana V2X with the text (image credit: nns.ee)
The custom firmware from an attacker can basically abuse the fact that the Katana V2X is a trusted USB peripheral on the host PC.
A researcher has chained two unpatched flaws in the Creative Sound Blaster Katana V2X to remotely flash custom firmware over Bluetooth and inject keystrokes into the host PC — all this with no pairing required. Creative refuses to issue a fix.

A security researcher has published a fully remote exploit for the Creative Sound Blaster Katana V2X that needs no physical access or pairing. It turns the popular PC soundbar into a covert keystroke injector, all from up to 15 meters away.

The research was published earlier today (June 3) by a researcher known as Rasmus Moorats, and it chains two critical flaws. First, the speaker's Bluetooth Low Energy interface exposes its entire command protocol to any nearby device without authentication — commands that require a handshake over USB go through completely unchallenged and unchecked over BLE. Second, the speaker accepts firmware updates with no cryptographic signing. It is protected only by a SHA-256 checksum that is trivial to patch.
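The second flaw is the classic confusion between integrity and authenticity: a checksum tells the device that the bytes arrived intact, not who produced them, so anyone who can alter the image can also recompute the trailer. The following is an added illustration, not the researcher's code and not Creative's actual update format; the trailer layout, the firmware payloads and the toy RSA key pair are all constructed for this example. It contrasts a checksum-only acceptance check with a signature check in which the device holds only a public key.

```python
import hashlib

# Constructed trailer layout for this example: payload || SHA-256(payload).
# (Not the Katana V2X's real format; only the idea of a recomputable trailer matters.)
TRAILER = 32


def package_checksum_only(payload: bytes) -> bytes:
    """Checksum-protected image: the trailer can be recomputed by anyone."""
    return payload + hashlib.sha256(payload).digest()


def accept_checksum_only(image: bytes) -> bool:
    """Device-side check that only proves the bytes were not corrupted in transit."""
    payload, digest = image[:-TRAILER], image[-TRAILER:]
    return hashlib.sha256(payload).digest() == digest


# Toy textbook RSA key (12-bit modulus) so this runs on the standard library alone.
# It is deliberately NOT secure (n can be factored by hand); a real device pins an
# RSA-2048 or Ed25519 public key in immutable storage and the vendor keeps the
# private key in an HSM. The asymmetry is the point: the device never holds _PRIV_D.
PUB_N, PUB_E = 3233, 17      # public key: all the device needs
_PRIV_D = 2753               # private key: lives only on the vendor's signing server


def _digest_mod_n(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % PUB_N


def package_signed(payload: bytes) -> bytes:
    """Vendor side: append a signature over the payload digest (2-byte trailer here)."""
    sig = pow(_digest_mod_n(payload), _PRIV_D, PUB_N)
    return payload + sig.to_bytes(2, "big")


def accept_signed(image: bytes) -> bool:
    """Device side: verify with the public key only; no secret on the device."""
    payload, sig = image[:-2], int.from_bytes(image[-2:], "big")
    return pow(sig, PUB_E, PUB_N) == _digest_mod_n(payload)


def swap_payload_keep_trailer(image: bytes, trailer_len: int, new_payload: bytes) -> bytes:
    """Replace the payload but reuse the original trailer (the best a party
    without the private key can do against a signed image)."""
    return new_payload + image[-trailer_len:]


def demo() -> dict:
    """Run both acceptance checks against an official and a modified image."""
    official = b"OFFICIAL-FW-1.0 (constructed stand-in for a firmware image)"
    modified = b"MODIFIED-FW     (constructed stand-in for an altered image)"

    # Checksum only: "patching the checksum" is just recomputing the trailer.
    patched_checksum_image = package_checksum_only(modified)
    # Signed: the modified payload is stuck with a signature it cannot regenerate.
    modified_signed_image = swap_payload_keep_trailer(package_signed(official), 2, modified)

    return {
        "checksum_accepts_official": accept_checksum_only(package_checksum_only(official)),
        "checksum_accepts_modified": accept_checksum_only(patched_checksum_image),
        "signature_accepts_official": accept_signed(package_signed(official)),
        "signature_accepts_modified": accept_signed(modified_signed_image),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}")
```

The checksum path accepts the modified image because the trailer is derived from public information; the signed path rejects it because producing a matching trailer requires the private key. A real update check also needs anti-rollback (a monotonic version counter) and must read the public key from storage the update itself cannot overwrite, otherwise a first malicious image can simply replace the key.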

Combined, these flaws can let an attacker silently flash custom firmware to the speaker over the air, without pairing or touching the device. That custom firmware then abuses the fact that the Katana V2X is a trusted USB peripheral on the host PC. It then appends a keyboard entry to its existing HID descriptor and injects arbitrary keystrokes after reboot. The proof-of-concept types echo pwned into a terminal (see below). A real attacker would probably run something far worse.
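From the host's side, the observable change is that a device that used to present only audio and media-key functions now also declares a keyboard in its HID report descriptor. The code below is an added example of how a host-side inventory check can spot that, not code from the researcher or from Creative, and the two report descriptors are constructed stand-ins (a consumer-control descriptor for volume keys, and the same descriptor with a keyboard collection appended) rather than the Katana V2X's real descriptors. It walks the short-item encoding of the HID report descriptor and reports the usage of every top-level collection.

```python
from typing import List, Optional, Tuple

GENERIC_DESKTOP_PAGE = 0x01
CONSUMER_PAGE = 0x0C
KEYBOARD_USAGES = {0x06, 0x07}      # Generic Desktop: Keyboard, Keypad

# Constructed descriptor: a media-key device (Consumer Control with Volume Up/Down).
SPEAKER_MEDIA_KEYS = bytes([
    0x05, 0x0C,        # Usage Page (Consumer)
    0x09, 0x01,        # Usage (Consumer Control)
    0xA1, 0x01,        # Collection (Application)
    0x15, 0x00,        #   Logical Minimum (0)
    0x25, 0x01,        #   Logical Maximum (1)
    0x09, 0xE9,        #   Usage (Volume Up)
    0x09, 0xEA,        #   Usage (Volume Down)
    0x75, 0x01,        #   Report Size (1)
    0x95, 0x02,        #   Report Count (2)
    0x81, 0x02,        #   Input (Data, Var, Abs)
    0x75, 0x06,        #   Report Size (6)
    0x95, 0x01,        #   Report Count (1)
    0x81, 0x03,        #   Input (Const)  padding
    0xC0,              # End Collection
])

# Constructed descriptor: the same device with a boot-keyboard collection appended.
SPEAKER_WITH_KEYBOARD = SPEAKER_MEDIA_KEYS + bytes([
    0x05, 0x01,        # Usage Page (Generic Desktop)
    0x09, 0x06,        # Usage (Keyboard)
    0xA1, 0x01,        # Collection (Application)
    0x05, 0x07,        #   Usage Page (Keyboard/Keypad)
    0x19, 0xE0,        #   Usage Minimum (Left Control)
    0x29, 0xE7,        #   Usage Maximum (Right GUI)
    0x15, 0x00,        #   Logical Minimum (0)
    0x25, 0x01,        #   Logical Maximum (1)
    0x75, 0x01,        #   Report Size (1)
    0x95, 0x08,        #   Report Count (8)
    0x81, 0x02,        #   Input (Data, Var, Abs)  modifier byte
    0x95, 0x06,        #   Report Count (6)
    0x75, 0x08,        #   Report Size (8)
    0x25, 0x65,        #   Logical Maximum (101)
    0x19, 0x00,        #   Usage Minimum (0)
    0x29, 0x65,        #   Usage Maximum (101)
    0x81, 0x00,        #   Input (Data, Array)  key array
    0xC0,              # End Collection
])


def top_level_usages(desc: bytes) -> List[Tuple[Optional[int], Optional[int]]]:
    """Return (usage_page, usage) for every top-level collection in a report descriptor.

    Short items: prefix byte = bTag(4) | bType(2) | bSize(2), with bSize 3 meaning 4 bytes.
    Usage Page is a global item (type 1, tag 0); Usage is a local item (type 2, tag 0);
    Collection / End Collection are main items (type 0, tags 0xA / 0xC).
    """
    found = []
    page: Optional[int] = None
    pending_usage: Optional[int] = None
    depth = 0
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: skip bDataSize + tag + data
            i += 3 + desc[i + 1]
            continue
        size = prefix & 0x3
        size = 4 if size == 3 else size
        tag, item_type = prefix >> 4, (prefix >> 2) & 0x3
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")

        if item_type == 1 and tag == 0x0:        # Global: Usage Page
            page = data
        elif item_type == 2 and tag == 0x0:      # Local: Usage (4-byte form carries its own page)
            if size == 4:
                pending_usage = data & 0xFFFF
                page = data >> 16
            else:
                pending_usage = data
        elif item_type == 0:                     # Main item: consumes the pending locals
            if tag == 0xA:                       # Collection
                if depth == 0:
                    found.append((page, pending_usage))
                depth += 1
            elif tag == 0xC:                     # End Collection
                depth -= 1
            pending_usage = None
        i += 1 + size
    return found


def declares_keyboard(desc: bytes) -> bool:
    """True if any top-level collection is a Generic Desktop Keyboard or Keypad."""
    return any(p == GENERIC_DESKTOP_PAGE and u in KEYBOARD_USAGES
               for p, u in top_level_usages(desc))


if __name__ == "__main__":
    for name, d in (("media keys only", SPEAKER_MEDIA_KEYS),
                    ("with keyboard", SPEAKER_WITH_KEYBOARD)):
        print(name, top_level_usages(d), "KEYBOARD" if declares_keyboard(d) else "ok")
```

On a Linux host the raw descriptor of each HID interface is exposed by the kernel under sysfs (the report_descriptor attribute of the device's entry under /sys/bus/hid/devices), so a periodic check can feed those bytes to declares_keyboard and alert when a device whose product class is audio starts presenting a keyboard. That is a detection, not a prevention: preventing the injection itself requires a USB device-authorization policy on the host, which is out of scope for this example.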

The speaker's Bluetooth radio has no off switch and stays active even in sleep mode, which keeps the attack surface permanently open. Creative was notified via SingCERT after the researcher's direct contact attempts went nowhere. Creative's eventual response: this is not a vulnerability. No patch is coming.

A third-party mitigation tool, v2x-patcher, is available from the researcher's Gitea page and blocks CTP-over-Bluetooth at the firmware level, at the cost of (likely) breaking the Creative mobile app.

As per Moorats, the latest official firmware is still very much vulnerable.

Anubhav Sharma, 2026-06-03 (Update: 2026-06-03)