Ars Technica
ATTACK OF THE BLUETOOTH DEVICES

How a USB-connected speaker can infect a PC without ever being touched

Seller of the Sound Blaster Katana V2X doesn’t consider the behavior a vulnerability.

Dan Goodin – Jun 5, 2026 9:00 PM | [98 comments](https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/#comments "98 comments")

![Sound Blaster Katana V2X](https://cdn.arstechnica.net/wp-content/uploads/2026/06/sound-blaster-katana-v2x.jpg)

Credit: Creative Technologies


Operating system makers take many steps to prevent their wares from accepting commands from remote devices. The safeguards, designed to thwart malicious attacks, typically require hackers to jump through all kinds of hoops to bypass the measures. But what if remote code execution were as simple as being within Bluetooth range of a speaker connected to the targeted device?

It turns out it can be, at least when the speaker is a Sound Blaster Katana V2X sold by Singapore-based Creative Technologies. The speaker, which sells for $283, is widely acclaimed, with numerous reviews praising the sound and performance of both it and its predecessor, the Sound Blaster V2.

A PC-pwning proxy

Researcher Rasmus Moorats stumbled on the hack by accident, after he purchased a Katana V2X, a soundbar that connects to PCs, Macs, and Linux devices over USB or Bluetooth. Moorats was curious if he could create a Linux tool that communicated with his speaker. He discovered he could do so through CTP, a proprietary mechanism he guesses is short for Creative Transport Protocol.

CTP allows devices connected via Bluetooth or USB to send commands to the speaker, such as changing LED colors and equalizer settings. CTP also allows the connected devices to receive responses from the speaker.


To Moorats’ surprise, his Bluetooth device was able to connect to the speaker, which was connected to a PC via USB, without any authentication. Not only that, but his Bluetooth device didn’t have to be paired first. Also surprising: One of the CTP commands, labeled “upload new firmware to device,” allowed him to replace the official firmware with his own custom one. The firmware reflashing didn’t use code signing or other measures to prevent the loading of unofficial code.
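The check that was missing from the “upload new firmware to device” command, as an added example that is neither Creative’s firmware nor the researcher’s code: a minimal signed-image format and the verification a bootloader should run before it writes anything to flash. The image layout, the `KFW1` magic and the version counter are assumptions made for this illustration; the signature is Ed25519 from Go’s standard library, with the public key standing in for one burned into ROM or OTP on the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not the Katana's real format):
//   magic    4 bytes  "KFW1"
//   version  4 bytes  little-endian, must exceed the installed version
//   length   4 bytes  little-endian payload length
//   payload  length bytes
//   sig     64 bytes  Ed25519 over everything before it
var magic = []byte("KFW1")

const hdrLen = 12
const sigLen = ed25519.SignatureSize

var (
	ErrFormat   = errors.New("malformed image")
	ErrSig      = errors.New("signature does not verify")
	ErrRollback = errors.New("version not newer than installed firmware")
)

// NewKeyPair generates a signing key. The vendor keeps the private half
// offline; only the public half is baked into the device.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Build is the vendor-side step: frame the payload and sign header+payload.
func Build(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.LittleEndian.PutUint32(hdr[4:], version)
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify is the device-side step the update handler should run before
// touching flash. pub is the vendor public key from ROM, installed is the
// version counter of the running firmware. On success it returns the
// payload to flash and the version to record.
func Verify(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrFormat
	}
	version := binary.LittleEndian.Uint32(img[4:])
	n := binary.LittleEndian.Uint32(img[8:])
	if int(n) != len(img)-hdrLen-sigLen {
		return nil, 0, ErrFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Signature first: a forged or modified image never reaches the
	// version logic, let alone the flash routine.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrSig
	}
	// Anti-rollback: a correctly signed but older image must not be
	// accepted either, or an attacker can reinstall a known-bad release.
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return body[hdrLen:], version, nil
}

func main() {
	pub, priv := NewKeyPair()
	img := Build(priv, 2, []byte("good firmware"))
	if _, v, err := Verify(pub, 1, img); err != nil {
		panic(err)
	} else {
		fmt.Println("accepted version", v)
	}
	// An image signed with anyone else's key, like the "patched" image in
	// the article, is rejected before it is ever written.
	_, rogue := NewKeyPair()
	_, _, err := Verify(pub, 1, Build(rogue, 3, []byte("patched")))
	fmt.Println("rogue image:", err)
}
```

The same `Verify` has to run in recovery mode as well as normal mode; the researcher’s point that an attacker would disable both update paths only works because neither path checks who signed the image.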

After successfully replacing the firmware with an image that did nothing more than display the word “patched” on the speaker’s LED display, the researcher got to wondering what else an attacker might do. So he turned his attention to FreeRTOS, the open source real-time operating system running on the Katana V2X. It contained a set of HID functions for allowing the speaker to act as a human interface device, a USB class that covers keyboards, mice, and game controllers. The speaker implemented a limited HID that allowed for things like changing the volume and playing or pausing sound, but little else.

The researcher discovered that he could change the speaker’s USB descriptor set, the data a peripheral reports to the host to describe its capabilities, whether it is attached over USB or Bluetooth. He augmented the existing descriptor set with a second one that reported the speaker as a keyboard, then used code already included in the firmware to streamline the process of sending keypresses.
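The descriptor-and-keystroke step above, as an added example that is not Moorats’ code or Creative’s firmware: the standard USB HID boot-keyboard report descriptor that a second interface would expose to make the host enumerate a keyboard, and an encoder that turns the proof-of-concept string into the 8-byte input reports a keyboard interface sends. It assumes a US keyboard layout; the descriptor bytes and usage IDs are from the USB HID specification, and everything else is constructed for this illustration.

```go
package main

import "fmt"

// KbdReportDescriptor is the standard 63-byte USB HID boot-keyboard report
// descriptor (USB HID 1.11, Appendix E.6). An interface that exposes it is
// enumerated by the host as a keyboard, whatever the rest of the device is.
var KbdReportDescriptor = []byte{
	0x05, 0x01, // Usage Page (Generic Desktop)
	0x09, 0x06, // Usage (Keyboard)
	0xA1, 0x01, // Collection (Application)
	0x05, 0x07, //   Usage Page (Keyboard/Keypad)
	0x19, 0xE0, //   Usage Minimum (Left Control)
	0x29, 0xE7, //   Usage Maximum (Right GUI)
	0x15, 0x00, //   Logical Minimum (0)
	0x25, 0x01, //   Logical Maximum (1)
	0x75, 0x01, //   Report Size (1)
	0x95, 0x08, //   Report Count (8)
	0x81, 0x02, //   Input (Data,Var,Abs): 8 modifier bits
	0x95, 0x01, //   Report Count (1)
	0x75, 0x08, //   Report Size (8)
	0x81, 0x01, //   Input (Const): reserved byte
	0x95, 0x05, //   Report Count (5)
	0x75, 0x01, //   Report Size (1)
	0x05, 0x08, //   Usage Page (LEDs)
	0x19, 0x01, //   Usage Minimum (Num Lock)
	0x29, 0x05, //   Usage Maximum (Kana)
	0x91, 0x02, //   Output (Data,Var,Abs): LED bits
	0x95, 0x01, //   Report Count (1)
	0x75, 0x03, //   Report Size (3)
	0x91, 0x01, //   Output (Const): LED padding
	0x95, 0x06, //   Report Count (6)
	0x75, 0x08, //   Report Size (8)
	0x15, 0x00, //   Logical Minimum (0)
	0x25, 0x65, //   Logical Maximum (101)
	0x05, 0x07, //   Usage Page (Keyboard/Keypad)
	0x19, 0x00, //   Usage Minimum (0)
	0x29, 0x65, //   Usage Maximum (101)
	0x81, 0x00, //   Input (Data,Array): 6 key slots
	0xC0, // End Collection
}

// Modifier bits of report byte 0.
const (
	ModLeftShift byte = 0x02
	ModLeftGUI   byte = 0x08 // the Windows key
)

// Report is one boot-keyboard input report: [modifiers, reserved, key1..key6].
type Report [8]byte

// shifted maps US-layout characters that need Shift to their unshifted key.
var shifted = map[byte]byte{
	'!': '1', '@': '2', '#': '3', '$': '4', '%': '5', '^': '6', '&': '7',
	'*': '8', '(': '9', ')': '0', '_': '-', '+': '=', '{': '[', '}': ']',
	'|': '\\', ':': ';', '"': '\'', '~': '`', '<': ',', '>': '.', '?': '/',
}

// punct maps unshifted US-layout punctuation to HID keyboard usage IDs.
var punct = map[byte]byte{
	'-': 0x2D, '=': 0x2E, '[': 0x2F, ']': 0x30, '\\': 0x31, ';': 0x33,
	'\'': 0x34, '`': 0x35, ',': 0x36, '.': 0x37, '/': 0x38,
}

// KeyFor returns the (modifier, usage ID) pair that types c on a US layout.
// ok is false for characters a boot keyboard cannot type directly.
func KeyFor(c byte) (mod, usage byte, ok bool) {
	switch {
	case c >= 'a' && c <= 'z':
		return 0, 0x04 + (c - 'a'), true
	case c >= 'A' && c <= 'Z':
		return ModLeftShift, 0x04 + (c - 'A'), true
	case c >= '1' && c <= '9':
		return 0, 0x1E + (c - '1'), true
	case c == '0':
		return 0, 0x27, true
	case c == '\n':
		return 0, 0x28, true // Enter
	case c == '\t':
		return 0, 0x2B, true // Tab
	case c == ' ':
		return 0, 0x2C, true
	}
	if u, found := punct[c]; found {
		return 0, u, true
	}
	if base, found := shifted[c]; found {
		_, u, _ := KeyFor(base)
		return ModLeftShift, u, true
	}
	return 0, 0, false
}

// Encode turns s into the report stream a keyboard interface would send:
// one press report per character, each followed by an all-zero release
// report so that two identical consecutive characters register twice.
func Encode(s string) ([]Report, error) {
	var out []Report
	for i := 0; i < len(s); i++ {
		mod, usage, ok := KeyFor(s[i])
		if !ok {
			return nil, fmt.Errorf("character %q has no US-layout key", s[i])
		}
		out = append(out, Report{mod, 0, usage}, Report{})
	}
	return out, nil
}

func main() {
	fmt.Printf("report descriptor: %d bytes\n", len(KbdReportDescriptor))
	reports, err := Encode("echo pwned\n") // the string typed in the PoC
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("% x\n", r[:])
	}
}
```

Nothing here depends on the speaker: the host accepts the reports because the descriptor says “keyboard”, which is why an operating system cannot tell a hijacked peripheral from a real one without out-of-band device authorization.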

All of this gave Moorats an idea: What if he used his Bluetooth device to send commands to the speaker, which would then relay them to the connected PC as keystrokes through the HID interface? After some trial and error, he found that he could. In a blog post published on Wednesday, he wrote:

Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.

![Proof of concept](https://cdn.arstechnica.net/wp-content/uploads/2026/06/katana-v2x-poc.png)

Credit: Rasmus Moorats

In a real attack scenario, I would execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it impossible to wipe the malicious firmware from the device or patch it in the future.

This is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.

Before the speaker and the USB-connected host can interact, they must complete a challenge-and-response authentication procedure. Because the Creative software performs this handshake automatically each time it starts, the link is usually already authenticated by the time an attacker arrives. In certain cases, however, such as when the Katana V2X app isn’t open on the connected device, the attacker has to complete the handshake.

Even then, the authentication is a simple hurdle to clear, because the correct response can be extracted from the app binary that ships with the speaker: a secret that every copy of the client carries is not a secret from anyone who can read the client. Surprisingly, no such challenge and response is required at all for Bluetooth-connected devices.

Moorats, who tested the attack against a connected Windows machine, reported his findings to Creative Technologies but never received a response. He then brought in CERT Singapore to intervene. Eventually, the organization got a response from the company, which said its engineers didn’t regard the behavior as a vulnerability.

It bears repeating that the hacks described can be carried out only when the attacker is within Bluetooth range of the speaker. That’s a significant requirement that limits attacks to neighbors, housemates, or people in offices that are adjacent to the speaker.

Still, the ability to turn a Bluetooth device into a PC-pwning proxy and remote bugging device doesn’t exactly evoke warm and fuzzy feelings. It also raises the question: What other Bluetooth devices open users to the same attacks?

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
