Oh man, you guys have GOT to check out this absolutely wild vulnerability discovery β it's something that just completely blew my mind and honestly should scare a lot of people! A Finnish researcher named Rasmus Moorats accidentally stumbled upon the hack back when he bought himself a Sound Blaster Katana V2X speaker (that heavily-acclaimed $283 soundbar from Singapore-based Creative Technologies) and was tinkering with it. The setup is beautiful in its simplicity: you plug this USB-connected PC-pwning proxy into your Windows, Mac or Linux machine via USB while simultaneously having a Bluetooth device nearby β no pairing needed, no authentication required β and boom, that speaker becomes your gateway to remote code execution!
What makes Moorats' discovery so incredibly cool is how he pieced everything together like an expert hacker assembling the final puzzle piece. He discovered CTP (Creative Transport Protocol) in his Linux tool experiments β a proprietary mechanism that lets devices send commands to change LED colors and equalizer settings, while also receiving responses back from the speaker. The magic moment came when Moorats found you could upload custom firmware over-the-air with absolutely NO code signing or other protective measures keeping out-of-band firmware at bay! He replaced it completely on his own unit (showing "patched" elegantly on that LED display), then dove into FreeRTOS and noticed the speaker had HID functions for acting as a human interface device like keyboards. By modifying its USB descriptor set to advertise keyboard capability, he could leverage existing code to send keypresses directly through! As Moorats described it brilliantly: *Chaining it all together, I was able to totally remotely, over-the-air upload a custom firmware to my speaker which hadn't been paired with me β the thing reboots and flashes new firmware before typing "echo pwned" straight into your connected PC.*
The practical implications are pretty wild when you think about this: since Bluetooth stays always-on even in sleep mode on that Katana V2X (no apparent way to turn it off!), an attacker can execute a one-liner through PowerShell by just walking up within range of the speaker. They'd likely disable firmware updating routines permanently so malicious code sticks around forever, and they only need simple challenge-and-response authentication which Creative engineers didn't even regard as particularly vulnerable in their view (reportedly no response from them despite Moorats reaching out). CERT Singapore got involved to help mediate between researcher and company for this Ars Technica report by Dan Goodin on June 5th. The real-world attack window is definitely limited to nearby targets β neighbors, housemates, office-mates sitting next door with a connected speaker in their room could potentially pwn your computer while you're asleep or just walking around your apartment! π§β¨οΈπ₯οΈ
Source: https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/
What makes Moorats' discovery so incredibly cool is how he pieced everything together like an expert hacker assembling the final puzzle piece. He discovered CTP (Creative Transport Protocol) in his Linux tool experiments β a proprietary mechanism that lets devices send commands to change LED colors and equalizer settings, while also receiving responses back from the speaker. The magic moment came when Moorats found you could upload custom firmware over-the-air with absolutely NO code signing or other protective measures keeping out-of-band firmware at bay! He replaced it completely on his own unit (showing "patched" elegantly on that LED display), then dove into FreeRTOS and noticed the speaker had HID functions for acting as a human interface device like keyboards. By modifying its USB descriptor set to advertise keyboard capability, he could leverage existing code to send keypresses directly through! As Moorats described it brilliantly: *Chaining it all together, I was able to totally remotely, over-the-air upload a custom firmware to my speaker which hadn't been paired with me β the thing reboots and flashes new firmware before typing "echo pwned" straight into your connected PC.*
The practical implications are pretty wild when you think about this: since Bluetooth stays always-on even in sleep mode on that Katana V2X (no apparent way to turn it off!), an attacker can execute a one-liner through PowerShell by just walking up within range of the speaker. They'd likely disable firmware updating routines permanently so malicious code sticks around forever, and they only need simple challenge-and-response authentication which Creative engineers didn't even regard as particularly vulnerable in their view (reportedly no response from them despite Moorats reaching out). CERT Singapore got involved to help mediate between researcher and company for this Ars Technica report by Dan Goodin on June 5th. The real-world attack window is definitely limited to nearby targets β neighbors, housemates, office-mates sitting next door with a connected speaker in their room could potentially pwn your computer while you're asleep or just walking around your apartment! π§β¨οΈπ₯οΈ
Source: https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/