Researcher Discovers USB-Connected Speaker Bug That Lets Nearby Hackers Take Over PCs via Bluetooth

Hackers are getting pretty crafty these days.

Researcher uncovers Bluetooth flaw in a USB-connected Creative Katana V2X speaker that lets nearby attackers install malicious firmware, hijack Windows PCs, and turn speakers into spying tools. (Image: Katana V2X Speaker, official Creative website)

Security researcher Rasmus Moorats has uncovered a vulnerability in a USB-connected soundbar that allows nearby attackers to hijack a Windows PC over Bluetooth by pushing malicious firmware to the speaker.

Moorats analyzed Creative's Katana V2X sound system and found that its internal control protocol, known as CTP, is exposed not only over the device's USB connection but also over Bluetooth Low Energy (BLE).

While CTP is intended for changing settings and updating firmware via an authenticated USB link, the researcher discovered that the same commands can be sent over BLE without any pairing or authentication, meaning any device in range can talk to the speaker's control interface, according to Ars Technica.

Speaker Bug Raises Risk of PC Hijacking

By intercepting USB traffic during a legitimate firmware update, Moorats extracted the Katana V2X firmware image and identified three main components: a recovery bootloader (FBOOT), the main firmware (FMAIN), and a checksum section (CHK2) used for integrity checks.

He found that the only protection on firmware updates was a SHA-256 checksum in CHK2, with no cryptographic signature, allowing an attacker who can modify the firmware and recompute the checksum to load arbitrary code onto the device.
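To show why a bare checksum detects corruption but does not authenticate an update, this added example (not the researcher's or Creative's code) compares a SHA-256-only check with a keyed check on a constructed toy image. The container layout, function names and key are assumptions; HMAC stands in for the asymmetric signature (for example Ed25519) that a real device should verify while holding only a public key.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size in bytes

def seal_checksum(payload: bytes) -> bytes:
    """Append an unkeyed SHA-256 trailer (the role the article gives CHK2)."""
    return payload + hashlib.sha256(payload).digest()

def verify_checksum(image: bytes) -> bool:
    """Integrity only: detects corruption, but anyone can recompute the trailer."""
    if len(image) <= TAG_LEN:
        return False
    payload, trailer = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), trailer)

def seal_keyed(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; stand-in for a vendor signature (assumption)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_keyed(image: bytes, key: bytes) -> bool:
    """Authenticity: the tag cannot be recomputed without the key."""
    if len(image) <= TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)

def demo() -> dict:
    key = b"constructed-demo-key"              # constructed, not a real key
    original = b"FMAIN|banner=WELCOME"         # constructed toy payload
    modified = original.replace(b"WELCOME", b"PATCHED")
    corrupted = bytearray(seal_checksum(original))
    corrupted[0] ^= 0x01                       # bit flip, trailer left untouched
    return {
        "checksum_ok_original": verify_checksum(seal_checksum(original)),
        "checksum_ok_corrupted": verify_checksum(bytes(corrupted)),
        # Modified payload with a freshly recomputed trailer passes the check.
        "checksum_ok_modified": verify_checksum(seal_checksum(modified)),
        "keyed_ok_original": verify_keyed(seal_keyed(original, key), key),
        # The same recomputed-hash image fails once the tag depends on a key.
        "keyed_ok_modified": verify_keyed(seal_checksum(modified), key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```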

The researcher then wrote a proof-of-concept Python script that sends firmware update commands over BLE, demonstrating that he could upload a modified image to the soundbar from up to around 15 meters away without user interaction.

The test firmware replaced the "WELCOME" startup string with "PATCHED," confirming that the device accepted and ran untrusted code delivered entirely over Bluetooth.

Once compromised, the USB-connected soundbar can act as a so-called BadUSB device, because the host PC trusts it as a legitimate USB peripheral.

Moorats showed that by altering the USB descriptor to add a keyboard interface and reusing the device's existing HID report handling, the hacked speaker could silently type and execute commands such as "echo pwned" on a connected Windows machine shortly after boot, while continuing to function as a normal audio device.

The same access could, in principle, allow more damaging payloads, including downloading malware, opening a remote shell, or disabling security tools, all triggered from a Bluetooth attacker with physical proximity but no direct contact with the PC or speaker, Gigazine reported.

Because the device can also include a microphone, the researcher warned that a malicious firmware image could turn it into a covert listening device controlled over BLE.

Raising Concerns About the Security Threat

Moorats attempted to disclose the issue to Creative but reported that he could not find a dedicated security contact and eventually went through Singapore's SingCERT, the national computer emergency response team.

According to his account, Creative later replied that the report "does not indicate a cybersecurity risk," and as of early June 2026, no vendor firmware fix has been released for the Katana V2X.

As an interim measure, the researcher published his own firmware patch that blocks CTP commands over Bluetooth, effectively closing off the remote update channel but potentially breaking Creative's companion mobile apps that rely on BLE control.

Moorats also noted that adding proper authentication to CTP is difficult without access to the vendor's source code, leaving users dependent on third-party mitigations or physical measures like disabling Bluetooth when not in use.

The case highlights broader concerns raised by other researchers about Bluetooth audio security, including recent findings that flaws in Google's Fast Pair protocol and in various Bluetooth audio chipsets can let attackers hijack headphones, track users, or activate microphones from a distance.

Security experts recommend that users keep firmware updated where possible, limit Bluetooth usage in public or high-risk environments, and treat even everyday audio hardware as potential entry points into larger systems, as per CNET.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
