How a USB-connected speaker can infect a PC without even touching it


After successfully replacing the firmware with an image that did nothing more than display the word “patched” on the speaker’s LED screen, the researcher wondered what else an attacker could do. He then turned his attention to FreeRTOS, the open source operating system running on the Katana V2X. It contained a set of HID functions that let the speaker act as a human interface device, the USB device class that covers keyboards, mice, and game controllers. The speaker implemented only a limited HID profile that allowed things like changing the volume and playing or pausing audio, but little else.

The researcher discovered that he could change the speaker’s USB descriptor set, the data a USB peripheral presents to the host to declare what kind of device it is and what it can do. He augmented the existing descriptors with a second one reporting that the speaker was also a keyboard, then used code already included in the firmware to simplify the process of sending keystrokes to the host.
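As an added illustration (not code from the speaker’s firmware or from the researcher’s post), the block below shows what a keyboard descriptor and the keystrokes it implies look like at the byte level: a standard USB HID boot-protocol keyboard report descriptor, the kind of descriptor that was added alongside the speaker’s existing volume and play/pause HID, plus an encoder that turns a string such as “echo pwned” followed by Enter into the 8-byte press/release input reports a keyboard sends. The usage IDs are from the public HID Usage Tables; the character map assumes a US keyboard layout and is deliberately partial, and the function names and buffer sizes are this example’s own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the Katana V2X firmware. A USB HID boot keyboard
 * report descriptor: with this in its descriptor set, a device is
 * treated by the host as a keyboard, whatever it physically is.
 * Input report layout: [modifiers][reserved][key1..key6] (8 bytes). */
static const uint8_t kbd_report_desc[] = {
    0x05, 0x01,       /* Usage Page (Generic Desktop) */
    0x09, 0x06,       /* Usage (Keyboard) */
    0xA1, 0x01,       /* Collection (Application) */
    0x05, 0x07,       /*   Usage Page (Key Codes) */
    0x19, 0xE0,       /*   Usage Minimum (Left Control) */
    0x29, 0xE7,       /*   Usage Maximum (Right GUI) */
    0x15, 0x00,       /*   Logical Minimum (0) */
    0x25, 0x01,       /*   Logical Maximum (1) */
    0x75, 0x01,       /*   Report Size (1) */
    0x95, 0x08,       /*   Report Count (8) */
    0x81, 0x02,       /*   Input (Data, Variable, Absolute): modifier byte */
    0x95, 0x01,       /*   Report Count (1) */
    0x75, 0x08,       /*   Report Size (8) */
    0x81, 0x01,       /*   Input (Constant): reserved byte */
    0x95, 0x06,       /*   Report Count (6) */
    0x75, 0x08,       /*   Report Size (8) */
    0x15, 0x00,       /*   Logical Minimum (0) */
    0x25, 0x65,       /*   Logical Maximum (101) */
    0x05, 0x07,       /*   Usage Page (Key Codes) */
    0x19, 0x00,       /*   Usage Minimum (0) */
    0x29, 0x65,       /*   Usage Maximum (101) */
    0x81, 0x00,       /*   Input (Data, Array): six key slots */
    0xC0              /* End Collection */
};

#define KBD_REPORT_LEN 8
#define MOD_LSHIFT     0x02   /* bit 1 of the modifier byte */

size_t kbd_report_desc_len(void) { return sizeof kbd_report_desc; }

/* Map one ASCII character to a HID keyboard usage ID (US layout assumed),
 * setting *mods when Shift is needed. Returns 0 for unsupported chars. */
static uint8_t ascii_to_usage(char c, uint8_t *mods)
{
    *mods = 0;
    if (c >= 'a' && c <= 'z') return 0x04 + (uint8_t)(c - 'a');
    if (c >= 'A' && c <= 'Z') { *mods = MOD_LSHIFT; return 0x04 + (uint8_t)(c - 'A'); }
    if (c >= '1' && c <= '9') return 0x1E + (uint8_t)(c - '1');
    if (c == '0') return 0x27;
    switch (c) {
    case '\n': return 0x28;                         /* Enter */
    case ' ':  return 0x2C;                         /* Space */
    case '-':  return 0x2D;
    case '_':  *mods = MOD_LSHIFT; return 0x2D;
    case '=':  return 0x2E;
    case ';':  return 0x33;
    case ':':  *mods = MOD_LSHIFT; return 0x33;
    case '\'': return 0x34;
    case '"':  *mods = MOD_LSHIFT; return 0x34;
    case '.':  return 0x37;
    case '/':  return 0x38;
    default:   return 0;
    }
}

/* Encode `text` as press/release report pairs into `out`, which holds
 * `cap` reports of KBD_REPORT_LEN bytes. Every press is followed by an
 * all-zero release report so the host never sees a stuck key. Returns the
 * number of reports written, or 0 if a character is unsupported or the
 * buffer is too small. */
size_t encode_keystrokes(const char *text, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = text; *p; p++) {
        uint8_t mods;
        uint8_t usage = ascii_to_usage(*p, &mods);
        if (usage == 0 || n + 2 > cap) return 0;
        uint8_t *press = out + n * KBD_REPORT_LEN;
        memset(press, 0, 2 * KBD_REPORT_LEN);   /* press + release slots */
        press[0] = mods;
        press[2] = usage;                       /* first of six key slots */
        n += 2;
    }
    return n;
}

int main(void)
{
    uint8_t reports[64 * KBD_REPORT_LEN];
    size_t n = encode_keystrokes("echo pwned\n", reports, 64);
    printf("descriptor: %zu bytes, reports: %zu\n", kbd_report_desc_len(), n);
    for (size_t i = 0; i < n; i++) {
        for (size_t b = 0; b < KBD_REPORT_LEN; b++)
            printf("%02x ", reports[i * KBD_REPORT_LEN + b]);
        printf("\n");
    }
    return 0;
}
```

The interesting property for a defender is that nothing in the report stream distinguishes these packets from a human typing: the host trusts the descriptor, so an endpoint policy that allowlists HID devices by vendor/product ID, or flags a new keyboard appearing on an already-enumerated audio device, is the practical control.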

All of this gave Moorats an idea: what if he used his own device to send commands over the air to the speaker, which would then pass them on to the connected PC through the HID interface? After some trial and error, he found that he could. In a blog post published Wednesday, he wrote:

By chaining it all together, I was able to completely remotely upload, over the air, a custom firmware to my speaker that I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting, type the echo pwned command and run it.

In a real attack scenario, I would run the keystrokes to open powershell.exe or similar and paste a really malicious phrase into it, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating firmware in both normal and recovery mode, making it impossible to erase malicious firmware from the device or patch it in the future.

This is compounded by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.

Before the speaker and the USB-connected device can interact, they must successfully complete a challenge-and-response authentication procedure. Because the devices perform this handshake automatically each time the software starts, it is usually not an obstacle for an attacker. In certain cases, however, such as when the Katana V2X app is not open on the connected device, the handshake still has to be completed before the speaker can interact with the PC.


