Unsigned, Unauthenticated Firmware Updates Aren’t A Great Feature
The Sound Blaster Katana V2X is getting great reviews compared to the previous V2 model when it comes to the audio quality it offers. Security-minded folks are not quite so impressed. Rasmus Moorats is a security researcher who picked up a Katana V2X and set out to see if he could create a custom Linux tool to connect to and control the USB/Bluetooth speaker. Along the way he discovered that it speaks something called CTP, which is likely Creative Transfer Protocol, that it runs the FreeRTOS operating system, and some rather disquieting details.
Once he had figured out the protocol, he discovered he could connect to the Katana V2X over Bluetooth without any authentication or even needing to pair the device. That means someone could connect to your Katana V2X without your knowledge, which is only somewhat concerning as long as that person can’t do anything awful to it or to any devices connected to it. Unfortunately, that was not the case.
One of the commands offered by CTP is the ability to update the firmware on the Katana V2X, and when he created a custom firmware image he was able to upload and install it without it being signed or needing any sort of elevated privileges to do so. To make things even better, Moorats discovered he could change the speaker’s USB descriptor set and convince any device which connected to the Katana V2X that it was also a keyboard. Once he did that, he could send keypresses to connected devices. That is a very bad thing, as you could launch PowerShell on that device and feed it commands via the speaker, as long as you are in Bluetooth range.
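The host-side symptom of the descriptor trick above is an audio device that suddenly enumerates a HID keyboard interface. The following is an added example, not code from the article or from Moorats’ tooling: it parses a USB configuration descriptor and flags that combination, using constructed sample descriptors rather than bytes captured from a real Katana V2X.

```python
# Added example: walk a USB configuration descriptor and flag a device that
# exposes both an audio interface and a boot-protocol keyboard interface.
import struct

USB_DT_CONFIG = 0x02
USB_DT_INTERFACE = 0x04
USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01


def parse_interfaces(desc: bytes):
    """Return (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface."""
    interfaces, offset = [], 0
    while offset + 2 <= len(desc):
        b_length, b_type = desc[offset], desc[offset + 1]
        if b_length < 2 or offset + b_length > len(desc):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if b_type == USB_DT_INTERFACE and b_length >= 9:
            # class, subclass and protocol sit at offsets 5, 6 and 7 of the descriptor
            interfaces.append(tuple(desc[offset + 5:offset + 8]))
        offset += b_length  # every descriptor starts with its own length byte
    return interfaces


def hidden_keyboard(desc: bytes) -> bool:
    """True when an audio device also presents a boot-protocol keyboard."""
    ifaces = parse_interfaces(desc)
    has_audio = any(cls == USB_CLASS_AUDIO for cls, _, _ in ifaces)
    has_kbd = (USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD) in ifaces
    return has_audio and has_kbd


def interface_desc(num, cls, sub, proto):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
    # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
    return struct.pack("<BBBBBBBBB", 9, USB_DT_INTERFACE, num, 0, 0, cls, sub, proto, 0)


def build_config(interfaces: bytes, n_ifaces: int) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA)
    header = struct.pack("<BBHBBBBB", 9, USB_DT_CONFIG, 9 + len(interfaces), n_ifaces, 1, 0, 0x80, 50)
    return header + interfaces


# Constructed samples: AudioControl + AudioStreaming only, and the same plus a keyboard.
AUDIO_IFACES = interface_desc(0, USB_CLASS_AUDIO, 1, 0) + interface_desc(1, USB_CLASS_AUDIO, 2, 0)
SPEAKER_ONLY = build_config(AUDIO_IFACES, 2)
SPEAKER_PLUS_KEYBOARD = build_config(
    AUDIO_IFACES + interface_desc(2, USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD), 3)

if __name__ == "__main__":
    print("speaker only flagged:", hidden_keyboard(SPEAKER_ONLY))            # False
    print("speaker + keyboard flagged:", hidden_keyboard(SPEAKER_PLUS_KEYBOARD))  # True
```

On a Linux host the same bytes can be read from sysfs for a live device and fed to this check, so an inventory of known audio devices that suddenly grow a keyboard interface becomes a simple alert.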
