A security researcher has discovered a critical vulnerability in the Katana V2X Bluetooth speaker, allowing a remote attacker to infect connected computers without any user interaction.
Researcher Rasmus Moorats demonstrated a proof-of-concept attack: he sent malicious commands over Bluetooth to the speaker, which then typed keystrokes on a connected PC. The attack exploits the speaker's HID (Human Interface Device) capabilities, which are normally used for volume control. By rewriting the speaker's firmware and augmenting its USB descriptor set, Moorats turned the speaker into a keyboard that could type commands, including opening PowerShell and running malicious scripts.
The vulnerability is worsened by the fact that the speaker's Bluetooth radio remains active even in sleep mode, with no user-accessible way to disable it. In a real-world attack, an adversary could disable the firmware update mechanism, making the malicious firmware persistent.
While the speaker and PC require an initial automatic authentication handshake, this is not a significant barrier if the attacker can pair with the device.
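Because the attack relies on the speaker presenting a keyboard in addition to its volume controls, a host-side audit can parse each HID report descriptor and flag top-level usages a speaker has no reason to declare. The following is an added example, not code from the researcher or the vendor; the function names, the allow-list policy and the sample descriptors are assumptions constructed for illustration.

```python
# Added example: audit a HID report descriptor for unexpected top-level usages.
KEYBOARD = (0x01, 0x06)          # Generic Desktop page / Keyboard
CONSUMER_CONTROL = (0x0C, 0x01)  # Consumer page / Consumer Control (volume keys)

def top_level_usages(desc: bytes):
    """Return (usage_page, usage) of every top-level collection in the descriptor."""
    found, usages, usage_page, depth, i = [], [], 0, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                   # long item: skip size byte, tag byte, data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]   # short item: data length from low 2 bits
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError(f"truncated item at offset {i}")
        value = int.from_bytes(data, "little")
        item_type, tag = (prefix >> 2) & 0x03, prefix >> 4
        if item_type == 1 and tag == 0x0:    # global item: Usage Page
            usage_page = value
        elif item_type == 2 and tag == 0x0:  # local item: Usage
            # a 4-byte Usage carries its own page in the upper 16 bits
            usages.append((value >> 16, value & 0xFFFF) if size == 4
                          else (usage_page, value))
        elif item_type == 0:                 # main item
            if tag == 0xA:                   # Collection
                if depth == 0 and usages:
                    found.append(usages[0])
                depth += 1
            elif tag == 0xC:                 # End Collection
                depth = max(depth - 1, 0)
            usages = []                      # local state resets after each main item
        i += 1 + size
    return found

def unexpected_usages(desc: bytes, allowed=frozenset({CONSUMER_CONTROL})):
    """Top-level usages outside the allow-list (assumed policy: volume keys only)."""
    return [u for u in top_level_usages(desc) if u not in allowed]

# Constructed sample descriptors, not dumped from the real device.
VOLUME_ONLY = bytes.fromhex("050c0901a1011500250109e909ea750195028102"
                            "95068101c0")
KEYBOARD_COLLECTION = bytes.fromhex("05010906a101050719e029e7150025017501"
                                    "950881029506750825651900296581"
                                    "00c0")

if __name__ == "__main__":
    for name, d in (("stock", VOLUME_ONLY), ("tampered", VOLUME_ONLY + KEYBOARD_COLLECTION)):
        print(name, [f"{p:#04x}/{u:#04x}" for p, u in unexpected_usages(d)])
```

On Linux, each HID device's raw descriptor can be read as bytes from `/sys/bus/hid/devices/<id>/report_descriptor` and passed to `unexpected_usages`; an audio device that starts reporting a Keyboard usage is worth an alert.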
