Soundbar Hack Lets Attackers Hijack PCs Via Bluetooth

Creative Sound Blaster Katana V2X allows remote firmware replacement and malicious keyboard commands from 15 meters away

By Annemarije de Boer

Image: Rasmus Moorats

Key Takeaways

  • Creative soundbar allows unauthenticated Bluetooth hijacking from 15 meters away
  • Attackers install malicious firmware transforming soundbar into keystroke-injecting USB keyboard
  • Creative denies security vulnerability despite demonstrated remote code execution capability

Gaming audio just got scary. Security researcher Rasmus Moorats discovered that Creative’s Sound Blaster Katana V2X soundbar can be completely hijacked over Bluetooth without any pairing process, then reprogrammed to act as a malicious USB keyboard that types commands directly into your PC. Your gaming setup, designed to deliver crisp headshots and immersive soundscapes, can now deliver keystrokes that install malware.

The exploit chain transforms audio gear into attack hardware

Unauthenticated Bluetooth access leads to firmware replacement and USB keyboard impersonation.

The vulnerability centers on Creative’s proprietary Transfer Protocol, which handles settings and firmware updates. Over USB, this protocol requires authentication challenges. Over Bluetooth, it doesn’t. Moorats found he could connect to any Katana V2X from roughly 15 meters away and upload custom firmware without any security checks—just a basic SHA-256 checksum that’s trivially bypassed.

The modified firmware then makes the soundbar enumerate as both an audio device and a USB keyboard simultaneously. The device runs FreeRTOS internally and already includes USB Human Interface Device support for basic controls, making the transition to full keyboard functionality surprisingly straightforward.

Attack scenarios exploit the stealth factor

No pairing prompts mean your computer accepts the rogue keyboard as legitimate hardware.

Picture this: you’re gaming late at night when your soundbar quietly receives new firmware from someone parked outside. After a brief reboot, it starts typing “echo pwned” into your system, then downloads actual malware that could lead to various computer problems. Your computer sees a trusted USB peripheral that’s been used before, not a hijacked device.

The soundbar’s Bluetooth radio stays active even in sleep mode, creating persistent exposure. This mirrors recent discoveries affecting dozens of Bluetooth headphones and speakers built on Airoha chips, where similar factory protocols leaked onto wireless interfaces without authentication. ERNW researchers warned that “any vulnerable device can be compromised if the attacker is in Bluetooth range.”

Creative denies this constitutes a vulnerability

Vendor response through CERT Singapore dismisses the findings despite demonstrated remote code execution.

After initial non-response, Creative reportedly told CERT Singapore they don’t consider this behavior a security vulnerability—a stance that raises serious questions about vendor security culture. Meanwhile, you’re left with limited mitigation options:

  • Switch to optical or analog connections when possible to avoid USB entirely
  • Consider device placement carefully, since attackers need Bluetooth proximity
  • For enterprise environments, configure OS-level controls that prompt before accepting new USB HID devices
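A detection-side companion to the HID control above, as an added example that is not from the article, the researcher, or Creative: it parses HID report descriptors and flags a device seen before that now declares a keyboard, which is the change the modified firmware makes. The snapshot layout, device identifier and descriptor bytes are constructed assumptions.

```python
# Added example: flag a known USB device whose HID report descriptor gains a
# keyboard. Snapshot layout and all sample bytes below are constructed.
KEYBOARD = (0x01, 0x06)  # Usage Page Generic Desktop, Usage Keyboard

def top_level_usages(desc: bytes) -> set:
    """Return (usage_page, usage) for each top-level Application collection."""
    found, page, usage, depth, i = set(), 0, None, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: size byte, tag byte, then data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        if i + 1 + size > len(desc):
            raise ValueError("truncated item")
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        tag = prefix & 0xFC
        if tag == 0x04:    # Global: Usage Page
            page = data
        elif tag == 0x08:  # Local: Usage (the 4-byte form carries its own page)
            usage = (data >> 16, data & 0xFFFF) if size == 4 else (None, data)
        elif tag == 0xA0:  # Main: Collection; data 0x01 means Application
            if depth == 0 and data == 0x01 and usage is not None:
                found.add((page if usage[0] is None else usage[0], usage[1]))
            depth, usage = depth + 1, None
        elif tag == 0xC0:  # Main: End Collection
            depth, usage = depth - 1, None
        elif tag in (0x80, 0x90, 0xB0):  # Input/Output/Feature reset local items
            usage = None
        i += 1 + size
    return found

def gained_keyboard(baseline: dict, current: dict) -> list:
    """Snapshots map (vid, pid, serial) -> list of report descriptors (bytes)."""
    alerts = []
    for dev, descs in current.items():
        if dev not in baseline:
            continue  # first-seen devices are a separate policy decision
        before = set().union(*(top_level_usages(d) for d in baseline[dev]))
        after = set().union(*(top_level_usages(d) for d in descs))
        if KEYBOARD in after - before:
            alerts.append(dev)
    return sorted(alerts)

# Constructed samples: a volume-keys-only descriptor and a boot-style keyboard.
DEV = (0xFFFF, 0x0001, "constructed-serial")
CONSUMER = bytes.fromhex("05 0c 09 01 a1 01 15 00 25 01 09 e9 09 ea 75 01 95 02 81 02 95 06 81 01 c0")
KEYBD = bytes.fromhex("05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 95 06 75 08 25 65 19 00 29 65 81 00 c0")
```

On Linux the descriptor bytes can be read from each HID device's `report_descriptor` attribute under `/sys/bus/hid/devices/`; comparing usages rather than interface class matters here because the soundbar already exposes HID for basic controls.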

The broader lesson extends beyond Creative’s denial. Audio peripherals increasingly run complex, updatable firmware with factory-level control interfaces exposed over Bluetooth. Until vendors embrace proper authentication and code signing, your innocent soundbar might be someone else’s backdoor.
