Popular USB Speaker Can Be Hacked Over Bluetooth to Infect Connected PCs
A newly disclosed hardware vulnerability is raising serious questions about the security of USB-connected peripherals — and it comes from an unlikely source: a highly rated audio speaker. Security researcher Rasmus Moorats has revealed that the Sound Blaster Katana V2X, a $283 soundbar sold by Singapore-based Creative Technologies, contains a flaw that can allow a nearby attacker to infect a connected computer without any physical access, pairing, or user interaction.
The discovery was made almost by accident. Moorats purchased the Katana V2X, curious whether he could build a Linux tool to interface with the speaker over its proprietary Creative Technology Protocol (CTP). While exploring the protocol's Bluetooth capabilities, he realized something alarming: any nearby Bluetooth device could send CTP commands to the speaker without needing to authenticate or pair first.
How the Attack Works
The attack chain exploits the way the Katana V2X manages its USB device descriptor — essentially a configuration file that tells a connected computer what kind of device is plugged in and what it can do. Moorats discovered he could remotely modify this descriptor over Bluetooth, injecting a new device identity into the speaker.
On the next reconnection, the computer sees not a simple audio device but a keyboard or other HID (Human Interface Device) — a trusted input peripheral. The operating system accepts it automatically, and the attacker can then send keystrokes to run malicious commands on the victim's machine. No administrator prompt. No antivirus interception at the USB level. The attack essentially turns a well-regarded audio product into a remote-controlled exploit delivery mechanism.
Moorats also found he could replace the speaker's firmware with a custom image by exploiting FreeRTOS, the real-time operating system embedded in the device. After successfully flashing a proof-of-concept image that simply displayed the word "patched" on the speaker's LED, he recognized the implications for a determined threat actor with more malicious intent.
The Vendor Response
Creative Technologies was informed of the findings but has reportedly declined to classify the behavior as a vulnerability. The company's position, as described by the researcher, is that the CTP protocol operates as designed. This response has frustrated the security community, which generally expects vendors to treat unauthenticated remote access to connected peripherals as a meaningful security risk.
The incident highlights a persistent gap in peripheral security: devices that connect to enterprise and consumer computers via USB are often treated as inherently trusted, even when they have their own wireless interfaces and programmable firmware. That trust model is increasingly difficult to justify.
Why It Matters
Peripheral firmware attacks are notoriously difficult to detect and defend against because they operate below the operating system's visibility. For enterprise security teams, this disclosure is a reminder that device trust cannot stop at the operating system boundary. Any device with wireless capability and programmable firmware represents an attack surface — and shared or open office environments, where someone could walk within Bluetooth range of an employee's desk, increase the practical risk considerably. Organizations should audit which USB-connected peripherals in their environment have wireless radios and consider network-level controls to limit Bluetooth exposure in sensitive areas.
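One way to run the audit described above is to baseline the USB interfaces each port exposes and flag any port whose device comes back after a reconnection with a HID interface it did not have before. The sketch below is an added example, not code from the researcher or the vendor. The port paths, vendor/product IDs and inventories are constructed sample data, and the function name and severity labels are assumptions.

```python
from collections import Counter

HID_CLASS = 0x03              # USB class code: Human Interface Device
BOOT_KEYBOARD = (0x01, 0x01)  # HID boot subclass, keyboard protocol

# Constructed sample inventories: port path -> ("vid:pid", [(class, subclass, protocol), ...]).
# On Linux the triples can be read from /sys/bus/usb/devices/<port>:*/bInterfaceClass,
# bInterfaceSubClass and bInterfaceProtocol.
BASELINE = {
    "1-2": ("ffff:0001", [(0x01, 0x01, 0x00), (0x01, 0x02, 0x00)]),  # speaker: audio only
    "1-4": ("ffff:0002", [(0x03, 0x01, 0x01)]),                      # the real keyboard
}
CURRENT = {
    "1-2": ("ffff:0001", [(0x01, 0x01, 0x00), (0x01, 0x02, 0x00), (0x03, 0x01, 0x01)]),
    "1-4": ("ffff:0002", [(0x03, 0x01, 0x01)]),
    "1-5": ("ffff:0003", [(0x08, 0x06, 0x50)]),                      # newly attached storage
}

def diff_inventory(baseline, current):
    """Return (port, severity, reason) findings for changes since the baseline."""
    findings = []
    # Key on the physical port path: the reported vid:pid comes from the
    # descriptor itself, so it cannot be trusted to stay stable.
    for port, (ident, ifaces) in sorted(current.items()):
        if port not in baseline:
            findings.append((port, "info", "port not in baseline"))
            continue
        old_ident, old_ifaces = baseline[port]
        if ident != old_ident:
            findings.append((port, "medium", f"identity changed {old_ident} -> {ident}"))
        # Multiset difference so a second HID interface is also noticed.
        gained = Counter(ifaces) - Counter(old_ifaces)
        for iface in sorted(gained):
            if iface[0] != HID_CLASS:
                continue
            if iface[1:] == BOOT_KEYBOARD:
                findings.append((port, "high", "gained HID boot keyboard interface"))
            else:
                # Non-boot HID can still carry keystrokes; review its report descriptor.
                findings.append((port, "medium", "gained HID interface"))
    return findings

if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, CURRENT):
        print(finding)
```

Many audio devices legitimately expose a HID interface for volume and media keys, which is why the check compares against a per-port baseline instead of flagging every HID interface it sees.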