GaitherNews Escape the Algorithm
Today --°
Updated
Categories
DIY 1 source 0 views

Bypassing the Sound Blaster’s new firmware signature check

Article excerpt

Rasmus Moorats recently demonstrated a few vulnerabilities in the Sound Blaster Katana V2/V2X/SE which allowed one to hijack the device over Bluetooth and turn it into an attacker-controlled keyboard peripheral, injecting keystrokes into the connected machine. One of the flaws I highlighted in my previous post was that CTP, which the mobile and desktop applications use to […]

Rasmus Moorats recently demonstrated a few vulnerabilities in the Sound Blaster Katana V2/V2X/SE which allowed one to hijack the device over Bluetooth and turn it into an attacker-controlled keyboard peripheral, injecting keystrokes into the connected machine.

One of the flaws I highlighted in my previous post was that CTP, which the mobile and desktop applications use to communicate with the device, require no authentication to use over Bluetooth, which means any attacker can connect to the device over Bluetooth and start changing the device’s settings or even upload malicious firmware to the device. What’s worse is that Bluetooth was always enabled with no way to turn it off, even if the device is in sleep mode.

Creative addressed the last part of the issue: users can now turn BLE off by holding the Power and Mode buttons for two seconds, with the caveat that the Creative mobile app will no longer work. BLE is, however, enabled by default and this is not obvious in any way as there’s no indication that Bluetooth is turned on or that you have to hold those two specific buttons unless you read the firmware release notes.

The unauthenticated protocol, however, was not addressed in any way. If BLE is enabled, anyone within Bluetooth range can still connect to the device and start issuing commands to the device.

See the details and Creative’s firmware changes in the post here.