How a USB-connected speaker can infect a PC without ever being touched

After successfully replacing the firmware with an image that did nothing more than display the word “PATCH” on the speaker’s LED display, the researcher wondered what else a hacker could do. So he turned his attention to FreeRTOS, the open source operating system that runs the Katana V2X. It includes a set of HID functions that allow speakers to act as human interface devices, a category that includes keyboards, mice, and webcams. The speaker implemented a limited HID that allows things like changing the volume and playing or pausing the sound, but nothing else.

The researcher found that he could change the speaker’s USB descriptor set, which is essentially a report that informs a connected device about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to extend the existing descriptor set with an additional descriptor that reported the speaker to be a keyboard, and then used code already included in the firmware to streamline the process of sending keypresses.
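The descriptor change described above is visible to the host before any keystroke is sent, which is what a USB device-policy check can key on. The following is an added example, not code from the article or from the researcher’s project: it walks a USB configuration descriptor, parses each HID interface’s report descriptor, and flags an audio device that also presents a keyboard interface. The descriptor bytes are constructed for illustration and are not captured from a real Katana V2X; the interface layout and the policy function are assumptions.

```python
# Added example (not from the article or the researcher's code): inspect a USB
# configuration descriptor plus per-interface HID report descriptors and flag
# an audio device that also claims to be a keyboard. Sample descriptors below
# are constructed for illustration, not dumped from a real Katana V2X.
from __future__ import annotations
import struct
from dataclasses import dataclass

DESC_CONFIG = 0x02            # descriptor type codes from the USB specification
DESC_INTERFACE = 0x04
CLASS_AUDIO = 0x01            # bInterfaceClass values
CLASS_HID = 0x03
HID_SUBCLASS_BOOT = 0x01      # boot-protocol HID interface
HID_PROTOCOL_KEYBOARD = 0x01
USAGE_PAGE_GENERIC_DESKTOP = 0x01
USAGE_KEYBOARD = 0x06

@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int

def walk_interfaces(config: bytes) -> list[Interface]:
    """Walk the bLength/bDescriptorType chain of a configuration descriptor
    blob and return every interface descriptor it contains."""
    found, pos = [], 0
    while pos < len(config):
        if pos + 2 > len(config):
            raise ValueError(f"truncated descriptor header at offset {pos}")
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DESC_INTERFACE and length >= 9:
            # bInterfaceNumber at +2, bInterfaceClass +5, bInterfaceSubClass +6, bInterfaceProtocol +7
            found.append(Interface(config[pos + 2], config[pos + 5], config[pos + 6], config[pos + 7]))
        pos += length
    return found

def hid_report_declares_keyboard(report: bytes) -> bool:
    """Scan a HID report descriptor for Usage Page (Generic Desktop) followed by
    Usage (Keyboard). Short items: bSize in bits 0-1 (3 means 4 bytes), bType in
    bits 2-3, bTag in bits 4-7; prefix 0xFE introduces a long item."""
    usage_page, pos = None, 0
    while pos < len(report):
        prefix = report[pos]
        if prefix == 0xFE:                       # long item: prefix, bDataSize, bLongItemTag, data
            if pos + 1 >= len(report):
                break
            pos += 3 + report[pos + 1]
            continue
        size = 4 if (prefix & 0x03) == 3 else prefix & 0x03
        data = int.from_bytes(report[pos + 1:pos + 1 + size], "little")
        item = prefix & 0xFC                     # tag and type, size bits masked off
        if item == 0x04:                         # Global item: Usage Page
            usage_page = data
        elif item == 0x08:                       # Local item: Usage (4-byte form carries its own page)
            page, usage = (data >> 16, data & 0xFFFF) if size == 4 else (usage_page, data)
            if page == USAGE_PAGE_GENERIC_DESKTOP and usage == USAGE_KEYBOARD:
                return True
        pos += 1 + size
    return False

def assess(config: bytes, hid_reports: dict[int, bytes]) -> list[tuple[int, str]]:
    """Return (interface number, reason) for each HID interface that claims to be a
    keyboard on a device that also carries audio interfaces. Plain keyboards are out of scope."""
    ifaces = walk_interfaces(config)
    if not any(i.cls == CLASS_AUDIO for i in ifaces):
        return []
    findings = []
    for i in ifaces:
        if i.cls != CLASS_HID:
            continue
        if i.subclass == HID_SUBCLASS_BOOT and i.protocol == HID_PROTOCOL_KEYBOARD:
            findings.append((i.number, "boot-protocol keyboard interface on an audio device"))
        elif hid_report_declares_keyboard(hid_reports.get(i.number, b"")):
            findings.append((i.number, "HID report descriptor declares a keyboard usage"))
    return findings

# --- constructed sample descriptors (illustrative layout, assumed, not a real device dump) ---
def iface(num: int, cls: int, sub: int, proto: int) -> bytes:
    return bytes([9, DESC_INTERFACE, num, 0, 0, cls, sub, proto, 0])

def config_blob(*ifaces: bytes) -> bytes:
    body = b"".join(ifaces)
    header = bytes([9, DESC_CONFIG]) + struct.pack("<H", 9 + len(body)) + bytes([len(ifaces), 1, 0, 0x80, 50])
    return header + body

CONSUMER_CONTROL_REPORT = bytes([0x05, 0x0C, 0x09, 0x01, 0xA1, 0x01, 0xC0])  # volume / play-pause style HID
KEYBOARD_REPORT = bytes([0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0])          # Generic Desktop / Keyboard

SPEAKER_ORIGINAL = config_blob(iface(0, CLASS_AUDIO, 1, 0), iface(1, CLASS_AUDIO, 2, 0), iface(2, CLASS_HID, 0, 0))
SPEAKER_MODIFIED = config_blob(iface(0, CLASS_AUDIO, 1, 0), iface(1, CLASS_AUDIO, 2, 0), iface(2, CLASS_HID, 0, 0),
                               iface(3, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD))
REPORTS_ORIGINAL = {2: CONSUMER_CONTROL_REPORT}
REPORTS_MODIFIED = {2: CONSUMER_CONTROL_REPORT, 3: KEYBOARD_REPORT}

if __name__ == "__main__":
    print("original:", assess(SPEAKER_ORIGINAL, REPORTS_ORIGINAL))   # []
    print("modified:", assess(SPEAKER_MODIFIED, REPORTS_MODIFIED))   # interface 3 flagged
```

The check looks at both signals because a device need not use the boot-protocol subclass to type: a HID interface with subclass 0 and protocol 0 can still carry a keyboard usage in its report descriptor, so the report-descriptor scan catches that case too. On a real host the same decision would be fed from the descriptors the kernel already enumerates, for example as the basis of a device-authorization rule that blocks composite audio devices with an unexpected keyboard interface.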

All this gave Mourets an idea: What if he used his device to send commands to a speaker that used HID to send them to a connected PC? After some trial and error, he found he could do it. In a blog post published on Wednesday, he wrote:

Tying all this together, I was able to completely remotely, on air, upload a custom firmware to my speaker that I had not paired with it, which would reboot, flash the custom firmware, and after reboot type in the command echo pwned and execute it.

[Image: katana v2x poc]

In a real attack scenario, I would execute the keystrokes to open powershell.exe or similar and paste a really malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would likely disable the firmware updating routine in both normal and recovery modes, making it impossible to erase malicious firmware from the device or patch it in the future.

This is made worse by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no obvious way to disable it.

Before the speaker and the USB-connected device can interact, they must successfully complete a challenge-and-response authentication process. Since the devices perform this handshake automatically every time the software boots, it usually isn’t an obstacle for a hacker. However, in some cases, such as when the Katana V2X app is not open on the connected device, the handshake becomes a requirement the attack must satisfy.
