If You Want to Hack Me, Come in Through the Speaker
Some security hacks require someone to have physical access to your computer. In many cases, that’s easy to mitigate. Other attack vectors can put you at risk from anywhere via the network. That’s what firewalls are for. But there is an in-between risk where an attacker just has to be “around” your computer. [Rasmus Moorats] found out that a Creative Sound Blaster sound bar could open up just such an attack.
[Rasmus] was poking around the firmware just to write custom software to control it. The possibility of an attack was just an accidental find.
The sound bar connects over USB, but it also has Bluetooth, which, for some reason, is always on. There's an app that talks to the speaker over BLE, and Creative uses a special protocol to control it. The same protocol works over USB or Bluetooth, but with one important difference.
Over USB, you have to authenticate before you can send commands. That isn't much of a barrier, since you can decompile the provided apps and recover the authentication key. Over BLE, however, the speaker doesn't require authentication at all. You can simply send commands via BLE, and the speaker obeys. No pairing. No physical access. Just be close enough for a Bluetooth connection.
The worst of the commands lets you reflash the device firmware. So a bad actor could flash firmware that makes the device present itself to the host as a USB keyboard and then inject whatever keystrokes they like into the host system.
BLE seems to be a common attack vector in consumer electronics. Maybe now you have to air-gap your speakers, too.