• frongt@lemmy.zip (24 upvotes, 18 hours ago)

    I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.

    So an attacker can hack someone else’s speaker, turn it into a keyboard to the paired PC, and from there attack the paired PC.

    • A_norny_mousse@piefed.zip (4 upvotes, edited, 5 hours ago)

      IIRC long ago I read that this is a flaw/feature of the USB protocol itself.

      Maybe “Seller (…) doesn’t consider the behavior a vulnerability” … ah wait, I’m gonna read the article now.

      Right, the real culprit isn’t the USB connection but Creative’s proprietary but totally unprotected transfer protocol that allows third parties to communicate with the device both ways, even load new firmware. No code signing there, either.

      I find both headline and first half of the article misleading; this is not restricted to a specific device. Possibly not even to one manufacturer.

      But at least it ends with

      It also raises the question: What other Bluetooth devices open users to the same attacks?

        • frongt@lemmy.zip (1 upvote, 6 hours ago)

        Right. The common one is an initially malicious device given to an unsuspecting user. This is a stock device that a user already has and trusts. It’s a huge vulnerability that an unauthenticated user can completely take it over. This is a 9.3 CVE, without even considering pivoting to the PC.