An exploit called 'Pwnd Blaster' has been discovered that turns Creative's Bluetooth speakers into a means of attacking the PC they are plugged into, without the attacker ever having to touch that PC.

Security researcher Rasmus Moorats, through his analysis of Creative's
Source: "Pwnd Blaster: Hacking your PC using your speaker without ever touching it" (nns.ee), https://blog.nns.ee/2026/06/03/katana-badusb/
Moorats initially looked into Creative's proprietary communication protocol, called 'CTP', with the goal of building a Linux tool for talking to the speakers. CTP is also used for changing speaker settings and for updating firmware, and over USB it requires challenge/response authentication.
Because firmware updates travel over CTP as well, Moorats was able to reconstruct the firmware image from a captured USB update session.

Analysis of the firmware revealed that the container held three key elements: FBOOT, FMAIN, and CHK2. FBOOT contained the recovery mode and FMAIN the main firmware used for a normal boot; both were based on a heavily modified
However, it turned out that the only protection applied during a firmware update was the SHA-256 checksum stored in CHK2, which guarantees integrity but not origin. Moorats therefore built a modified firmware in which the string 'WELCOME' shown at startup was replaced with 'PATCHED', and confirmed that the device accepted it once CHK2 had been recomputed.
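To make the distinction between an integrity check and an authenticity check concrete, here is an added example (not code from the article or from Creative) using a constructed toy container layout: name, length and payload per section, with FBOOT and FMAIN followed by a trailer section. The section names FBOOT, FMAIN and CHK2 come from the article; the byte layout, the payloads and the vendor key are assumptions. A checksum-only trailer (CHK2) can be recomputed by anyone who edits the image, so the verifier accepts a modified build; a keyed tag (here HMAC-SHA256 from the standard library, standing in for the asymmetric signature a real design would use so that the device holds only a public key) cannot be recomputed without the vendor key, so the same modification is rejected.

```python
import hashlib
import hmac

# Constructed toy container layout, assumed for illustration only (not Creative's
# real format): each section is a 5-byte ASCII name, a 4-byte big-endian length
# and the payload. Firmware sections come first, then one trailer section.
FIRMWARE_SECTIONS = ("FBOOT", "FMAIN")


def pack_sections(sections):
    """Serialise an ordered list of (name, payload) pairs into one blob."""
    out = bytearray()
    for name, payload in sections:
        out += name.encode("ascii").ljust(5, b"\x00")
        out += len(payload).to_bytes(4, "big")
        out += payload
    return bytes(out)


def parse_sections(blob):
    """Parse a blob back into a dict of section name -> payload."""
    sections, pos = {}, 0
    while pos < len(blob):
        name = blob[pos:pos + 5].rstrip(b"\x00").decode("ascii")
        length = int.from_bytes(blob[pos + 5:pos + 9], "big")
        sections[name] = blob[pos + 9:pos + 9 + length]
        pos += 9 + length
    return sections


def firmware_digest(sections):
    """SHA-256 over the firmware payloads in a fixed order."""
    h = hashlib.sha256()
    for name in FIRMWARE_SECTIONS:
        h.update(sections[name])
    return h.digest()


def build_checksum_container(fboot, fmain):
    """Integrity-only image: the CHK2 trailer is a plain SHA-256 digest."""
    body = [("FBOOT", fboot), ("FMAIN", fmain)]
    return pack_sections(body + [("CHK2", firmware_digest(dict(body)))])


def verify_checksum_only(blob):
    """What a checksum-only updater checks: does CHK2 match the payloads?"""
    s = parse_sections(blob)
    return hmac.compare_digest(s["CHK2"], firmware_digest(s))


def build_signed_container(fboot, fmain, key):
    """Authenticated image: the SIGN trailer is a keyed tag over the digest."""
    body = [("FBOOT", fboot), ("FMAIN", fmain)]
    tag = hmac.new(key, firmware_digest(dict(body)), "sha256").digest()
    return pack_sections(body + [("SIGN", tag)])


def verify_signed(blob, key):
    """Authenticity check: the tag must have been produced with the vendor key."""
    s = parse_sections(blob)
    expected = hmac.new(key, firmware_digest(s), "sha256").digest()
    return hmac.compare_digest(s["SIGN"], expected)


def patch_string(payload, old, new):
    """Replace one embedded string with another of the same length."""
    assert len(old) == len(new)
    return payload.replace(old, new, 1)


def demo():
    """Compare both verifiers against the same edited image."""
    fboot = b"recovery-mode-stub"                   # constructed placeholder
    fmain = b"main-fw: WELCOME banner"              # constructed placeholder
    vendor_key = b"vendor-signing-key-placeholder"  # assumption: never shipped

    original = build_checksum_container(fboot, fmain)
    patched_fmain = patch_string(fmain, b"WELCOME", b"PATCHED")
    # Edited image with CHK2 recomputed over the new payload: the checksum-only
    # updater has no way to tell it apart from a vendor build.
    modified = build_checksum_container(fboot, patched_fmain)

    signed = build_signed_container(fboot, fmain, vendor_key)
    # The same edit against the signed format must reuse the vendor's old tag,
    # since the key is not available, and the tag no longer matches.
    old_tag = parse_sections(signed)["SIGN"]
    forged = pack_sections([("FBOOT", fboot), ("FMAIN", patched_fmain),
                            ("SIGN", old_tag)])

    return {
        "checksum_accepts_original": verify_checksum_only(original),
        "checksum_accepts_modified": verify_checksum_only(modified),
        "signature_accepts_original": verify_signed(signed, vendor_key),
        "signature_accepts_forged": verify_signed(forged, vendor_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two verifiers differ by one thing only: whether the trailer depends on a secret the updater does not have. That is also why Moorats's later remark matters: without the source code, retrofitting a keyed check into the device is much harder than adding a checksum.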

Furthermore, Moorats noticed that the internal CTP processing was bridged not only to USB but also to Bluetooth. With Bluetooth, it is sometimes possible to connect to

Moorats then wrote a Python script to perform the firmware update over Bluetooth and successfully wrote the modified firmware. Because BLE is slow, the update took about 10 minutes, but after a restart the device displayed 'PATCHED'. Moorats pointed out that accepting unsigned firmware over Bluetooth could let attackers turn microphone-equipped speakers into devices for monitoring conversations.
Furthermore, since the speaker is a trusted USB device from the point of view of the PC it is connected to, he also investigated an attack that makes it behave as a HID keyboard. Moorats added a keyboard element to the USB device descriptor and, reusing the firmware's existing HID transmission code, demonstrated a proof of concept that typed and executed 'echo pwned'.

According to Moorats, the proof of concept waits about 20 seconds after the speaker starts up before sending the keystrokes, and afterwards the speaker keeps working normally. The added payload is small: 83 bytes for the USB report, 102 bytes of hand-written ARM/Thumb assembly, and 2 bytes per keystroke sent.
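From the host side, the tell-tale sign of this class of attack is an audio peripheral that enumerates a keyboard interface. The following is an added example (not from the article) of a small detector that correlates Linux kernel USB enumeration messages with hid-generic registrations and flags keyboard interfaces on devices that are not on an allowlist of approved keyboards. The log lines follow the standard kernel message format but are constructed, and every vendor/product id, product string and allowlist entry is a placeholder.

```python
import re

# Constructed kernel log excerpt (not from the article). Three devices: an
# approved keyboard, a headset whose HID interface is only a consumer-control
# "Device" (volume buttons), and a hypothetical speaker that also registers a
# keyboard interface. All ids and names are placeholders.
SAMPLE_LOG = """\
usb 1-3: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.10
usb 1-3: Product: Example Keyboard
hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Example Keyboard] on usb-0000:00:14.0-3/input0
usb 1-4: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
usb 1-4: Product: Example Headset
hid-generic 0003:BBBB:0002.0002: hiddev0,hidraw1: USB HID v1.11 Device [Example Headset] on usb-0000:00:14.0-4/input3
usb 1-5: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
usb 1-5: Product: Example Bluetooth Speaker
hid-generic 0003:CCCC:0003.0003: input,hidraw2: USB HID v1.11 Keyboard [Example Bluetooth Speaker] on usb-0000:00:14.0-5/input1
"""

# Constructed allowlist: VID:PID pairs of keyboards that are expected to type.
KNOWN_KEYBOARDS = {"aaaa:0001"}

NEW_DEVICE_RE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (\S+): Product: (.+)")
# hid-generic names the bus (0003 = USB), VID, PID and the HID device type
# ("Keyboard", "Mouse", "Device", ...) before the bracketed product name.
HID_RE = re.compile(
    r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: [^:]+: USB HID v[\d.]+ (\w+) \[")


def parse_usb_log(text):
    """Build {vid:pid -> {"product": str, "hid": [types]}} from kernel log lines."""
    devices = {}   # vid:pid -> info
    by_path = {}   # bus path such as "1-5" -> vid:pid, to attach Product lines
    for line in text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            dev_id = f"{m[2]}:{m[3]}".lower()
            by_path[m[1]] = dev_id
            devices[dev_id] = {"product": "(unknown)", "hid": []}
            continue
        m = PRODUCT_RE.search(line)
        if m and m[1] in by_path:
            devices[by_path[m[1]]]["product"] = m[2].strip()
            continue
        m = HID_RE.search(line)
        if m:
            dev_id = f"{m[1]}:{m[2]}".lower()
            info = devices.setdefault(dev_id, {"product": "(unknown)", "hid": []})
            info["hid"].append(m[3])
    return devices


def find_unexpected_keyboards(devices, allowlist=KNOWN_KEYBOARDS):
    """Alert on any device that registers a Keyboard interface without approval."""
    alerts = []
    for dev_id, info in devices.items():
        if "Keyboard" in info["hid"] and dev_id not in allowlist:
            alerts.append(f"{dev_id} ({info['product']}) registered a keyboard interface")
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_keyboards(parse_usb_log(SAMPLE_LOG)):
        print("ALERT:", alert)
```

The filter keys on the HID type string rather than on any HID interface at all, because many speakers and headsets legitimately expose a consumer-control interface for volume buttons; only a keyboard interface on a non-keyboard is worth an alert. In production the same policy is better enforced before the interface is bound, for example with USBGuard's per-interface allow/block rules, and the 20-second delay described above is a reminder that the interface is present from enumeration even though nothing is typed until later.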
Moorats attempted to contact Creative about the vulnerability, but could not find a publicly listed security contact. He ultimately reported it through Singapore's national CERT, SingCERT. The response he received from Creative about two months later was that 'the report does not indicate a cybersecurity risk', and as of the time of writing Creative has not provided a fix.
As a temporary measure, Moorats has created a firmware patch that blocks CTP over Bluetooth, but he notes that applying it may render Creative's mobile apps unusable, and that properly fixing the issue by adding real authentication is difficult because the source code is unavailable.