>Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."

So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.

It is quite common to find device manufacturers, even those of many years standing, who _appear to_ begin with the device and add the software as an afterthought. Paying little attention to security or even the software lifecycle (patches, updates, the changing landscape/ecosystem). I have even known it happen that the device brand subs out the software to a random small developer, who then closes up shop/dies/gets out of that business, and the device company doesnt even have the source code, let alone any ability to further improve/fix the software that drives their device. This leads to layers upon layers of subsequent middleware, UIs, shims etc.

Why think so small? Perhaps the speaker itself can be used as the attacker.

Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.

It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".

Edit: Bonus points for closing the security hole and disabling the ability to flash the firmware normally, so that the manufacturer would have to jailbreak the speakers in order to repair them.

> in order to do anything with CTP over USB, you first have to do challenge-response authentication with the device. The key is static [... ]

Is this some legal thing so they can claim that a protection was circumvented? E.g. to void warranty or be able to sue?

People who love tech buy superdupersmart loudspeaker that will connect to every computer in their house; and also somehow control their superdupersmart coffee maker so they can have a fresh coffee brewed when some Miles Davis play.

People who understand tech keep an axe next to their toaster.

The fact that the author had to publish a third-party patch because the vendor didn't consider it a vulnerability is not a great look

I write firmware (specifically bluetooth enabled device firmware) and my work has blocked this website.

If I were in charge of, say, the Mossad, I would have as a significant part of my budget purchasing every single bluetooth device on the market, and set a bunch of underemployed Israeli CS grads to work at finding these vulnerabilities, and then putting them into an easily deployed toolkit. You want an asset with access to, say, an Iranian government office, to be able to walk through the building with a phone and take control of as many machines as possible.

Now that I think about it, I think you have to assume that they probably DO do this...

Can't wait to see a video from a half sloppy channel about this on my youtube front page in roughly 4 business days

Having a guaranteed audio channel makes this so much cooler for exploits -- you can exfiltrate over audio!! I love it. I wonder how many of these were sold. I also imagine based on Creative's response (this is fine) that many other devices in the class have similar security models in place. Def scary.

I also did some reverse engineering, although mine was a soundcard which seemed to use an older version of this software (GUI was different). I used Wireshark to sniff out the LED and EQ packets and then wrote a CLI utility with hidapi library in C.

It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though

This is so refreshing to read. A true throwback in style and content. Makes me nostalgic

This is a cool infection vector for the ai virus from earlier today to use. It could be like NDS feature that it greeted a passerby but now for spreading stuff digitally.

Air-gapped attacks are the most fascinating. Change my mind

While the article only talks about using this as a USB HID keyboard to send attacks, surely if you spent more time creating an evil firmware from scratch you could do much more than this? You could bridge any information from USB -> Bluetooth.

what ways are there to protect from malicious HID device?

ebpf usb sniffer you may find useful.

https://github.com/yeet-src/usbsnoop

Great research. Thanks for sharing

What an amazing write-up and exploit. Love it!

The real question remains: with this hack, did the OP gain full control of Dr. Sbaitso?

Good work, and fun to read.

It's crazy that companies just stick their head in the sand, when confronted with serious security issues.

Thanks for sharing this. It’s a bit concerning that a consumer soundbar can receive unauthenticated firmware over BLE and then act like a BadUSB-style HID on the host. I’m not sure I agree with the vendor’s "no cybersecurity risk" assessment, considering how much access a trusted keyboard interface typically has.

Wow, that's very creative! /couldn't resist the pun/

Haha, I dont have one, only headphones Jokes on you xD

Way cool. Thank you for sharing

[flagged]

[dead]

[dead]

[dead]

[dead]

[flagged]

This sounds super cool

Side-channel attacks are getting wild. Every time I think we've completely air-gapped a device, someone finds a way to use acoustic frequencies or hardware resonance to leak data.