Rasmus Moorats Finds Pwnd Blaster Exploit Using Creative Sound Blaster Katana V2X Speakers

A cybersecurity researcher, Rasmus Moorats, found that Creative Sound Blaster Katana V2X speakers can be used to hack a user's PC over Bluetooth Low Energy using an exploit dubbed "Pwnd Blaster."

“Operating system makers take many steps to prevent their wares from accepting commands from remote devices”

Ars Technica

TechRadar says the attack requires the Katana V2X to be connected to a PC via USB and that "anybody within 15 meters (and with the know-how) can use Bluetooth" to connect to the speaker.

Ars Technica

Notebookcheck describes the speaker as turning into a covert keystroke injector by allowing an attacker to silently flash custom firmware over the air without pairing or touching the device.

Ars Technica adds that the speaker can infect a PC without ever being touched when a Bluetooth device is within range of a Sound Blaster Katana V2X connected to the targeted device via USB.

The exploit chains flaws in the speaker’s Bluetooth Low Energy command exposure and its firmware update protections, which Notebookcheck says rely on a SHA-256 checksum that is "trivial to patch."

GIGAZINE reports that Moorats extracted the firmware image by intercepting USB communications and found firmware elements labeled FBOOT, FMAIN, and CHK2.

It says Moorats created modified firmware that replaced the string 'WELCOME' displayed at startup with 'PATCHED,' and that the device accepted it when CHK2 was corrected.

GIGAZINE

GIGAZINE further states that Moorats noticed internal CTP processing was bridged to both USB and Bluetooth, and that he used a Python script to update firmware via Bluetooth, taking about 10 minutes due to slow BLE.

After the restart, GIGAZINE says the device displayed 'PATCHED' and that Moorats investigated a HID keyboard path by adding a keyboard element to the USB device descriptor and demonstrating a proof of concept by using existing HID transmission processing to input and execute 'echo pwned'.

Ars Technica describes the key step as a CTP command labeled “upload new firmware to device,” which allowed replacing the official firmware with custom firmware without code signing or other measures to prevent loading unofficial code.

TechRadar says Creative would not provide a patch because it was told the issue "does not present a cybersecurity risk," and it points readers to a partial fix on GitHub.

“A security researcher has published a fully remote exploit for the Creative Sound Blaster Katana V2X that needs no physical access or pairing”

Notebookcheck

Notebookcheck reports that Creative was notified via SingCERT after the researcher's direct contact attempts went nowhere, and it quotes Creative’s eventual response that "this is not a vulnerability. No patch is coming."

GIGAZINE adds that Moorats reported the issue through Singapore's security authority, SingCERT, and that the response he received from Creative about two months later was that 'the report does not indicate a cybersecurity risk,' with Creative not providing a fix as of the time of writing.

Notebookcheck says a third-party mitigation tool, v2x-patcher, blocks CTP-over-Bluetooth at the firmware level, but it warns this comes at the cost of (likely) breaking the Creative mobile app.

Ars Technica frames the broader risk around the speaker’s Bluetooth radio having no off switch and staying active even in sleep mode, keeping the attack surface permanently open.