The Creative Sound Blaster Katana V2X, a gaming soundbar available for around $300, can be turned into a covert keystroke injector from up to 15 meters away by chaining two design flaws: an unauthenticated Bluetooth command interface and firmware updates that are unsigned and undergo no cryptographic verification. No physical access or pairing is required. Security researcher Rasmus Moorats published a fully working exploit, which he calls Pwnd Blaster, on June 3.
Creative, the Singapore-based audio hardware company behind the Sound Blaster line, was notified of both flaws months before publication through SingCERT (Singapore’s Computer Emergency Response Team). After nearly two months of silence, Creative declined to issue a patch, saying it did not consider the findings a cybersecurity risk.
The Attack Needs No Pairing
Pwnd Blaster chains two independent failures. First, the soundbar exposes its entire CTP (Creative’s proprietary command protocol, used by the companion app to control DSP settings, LED modes, and firmware updates) over BLE (Bluetooth Low Energy) with no authentication. Commands that require a challenge-response handshake when sent over USB travel over Bluetooth completely unchallenged. Second, the speaker accepts firmware updates protected only by a SHA-256 (Secure Hash Algorithm) checksum, with no cryptographic signing. Constructing a valid checksum is straightforward once the firmware container format is reversed, which the researcher documented publicly in his Pwnd Blaster exploit writeup.
- 15 meters: Bluetooth range within which the full attack executes without any physical contact
- 0 patches committed: Creative has not acknowledged either flaw as a security issue
- 2 distinct flaws chained: unauthenticated BLE command protocol plus unsigned firmware
- ~2 months: time Creative took to respond to SingCERT before declining to act
Combined, those two gaps let an attacker push custom firmware to any unit in Bluetooth range without touching the device or appearing on its paired-devices list. The speaker reboots with the hostile code and, from the host PC’s perspective, simply came back online as the same trusted USB peripheral it was before.
How Bluetooth Skips the Handshake
The Katana V2X uses CTP for all configuration. That protocol runs over both the USB connection and the Bluetooth 5.0 radio, with one significant difference. On USB, the Creative companion app must first complete a challenge-response authentication sequence before the device accepts any command. Over Bluetooth, that authentication step does not exist.
Moorats confirmed this by connecting to a Bluetooth characteristic the speaker advertises to all nearby devices without pairing. Reading the characteristic returned the full firmware version string with no credentials involved. CTP commands went through immediately after that: volume adjustments, LED configuration changes, and firmware update triggers all executed as if coming from an authenticated source on the connected PC.
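The transport-dependent gate described above, as an added model in Go (not Creative's CTP implementation; the HMAC-based handshake and the shared secret are assumptions standing in for the undocumented real one): one dispatcher with the USB-only check the article describes, and the hardened variant that gates every transport the same way.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

type Transport string // the link a CTP-style command arrived on (constructed model)
const USB, BLE Transport = "usb", "ble"

// Device models the speaker with a placeholder secret. GateAll=false reproduces the article's
// behaviour (USB challenged, BLE not); GateAll=true gates every transport the same way.
type Device struct {
	Secret  []byte
	GateAll bool
	nonce   map[Transport][]byte // outstanding challenge per transport
	authed  map[Transport]bool   // handshake completed per transport
}

// Challenge starts the handshake: the device hands the host a fresh 16-byte nonce.
func (d *Device) Challenge(t Transport) []byte {
	if d.nonce == nil {
		d.nonce, d.authed = map[Transport][]byte{}, map[Transport]bool{}
	}
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand does not return a short read on supported platforms
	d.nonce[t], d.authed[t] = n, false
	return n
}

// HostResponse is the companion app's side: HMAC-SHA256 over the nonce under the secret.
func HostResponse(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// Respond completes the handshake; hmac.Equal compares in constant time.
func (d *Device) Respond(t Transport, resp []byte) bool {
	if n, ok := d.nonce[t]; ok {
		d.authed[t] = hmac.Equal(HostResponse(d.Secret, n), resp)
	}
	return d.authed[t]
}

// Command reports whether a privileged command (LED config, firmware-update trigger) is accepted.
func (d *Device) Command(t Transport, name string) bool {
	return d.authed[t] || !(t == USB || d.GateAll)
}
```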
What makes the attack window permanent is that Creative designed the radio to stay active regardless of the speaker’s state. When the device enters sleep mode, the display goes dark but the Bluetooth radio keeps broadcasting. There is no setting in the app and no physical button on the hardware to switch it off. A speaker plugged into a PC in a darkened office is just as reachable at 2 AM as one playing audio at full volume during the workday.
The firmware container the speaker uses holds two main components: FBOOT, a bootloader that also handles a recovery mode accessible by holding SOURCE during power-on, and FMAIN, the primary runtime. Both are built on FreeRTOS, and both process CTP commands. An attacker who flashes a hostile FMAIN over Bluetooth still has FBOOT available on the device, but Moorats noted that a sophisticated attacker would disable the firmware update routine in both modes to prevent remediation.
From Soundbar to Keyboard Injector
The speaker runs FreeRTOS, an open-source real-time operating system built for embedded hardware and used across millions of connected devices. FreeRTOS ships with HID (Human Interface Device) support functions, covering the USB class that includes keyboards, mice, and input peripherals. The soundbar already uses a limited HID implementation to register its volume and playback buttons as media keys with the host PC, a driver-free relationship Windows treats as inherently trusted.
Moorats found that the speaker’s USB descriptor set, the report a peripheral sends to the host on first connection to announce its capabilities, could be extended with a second entry declaring the device was also a keyboard. Windows accepted the multi-function declaration without challenge. The peripheral was already trusted, and keyboard is among the most basic HID device classes. The PC assigned a keyboard device node alongside the speaker’s existing audio and media-key interfaces.
FreeRTOS’s existing key-event code then handled the actual typing. The proof of concept, flashed over Bluetooth and executed after a forced reboot, typed “echo pwned” into whatever terminal happened to be active on the connected machine. He described the result as flashing custom firmware “totally remotely, over the air” to a device he had never paired with, after which the speaker rebooted and executed the command. In a real attack, opening PowerShell and injecting a malicious one-liner would take the same sequence of keystrokes, delivered silently with no indicator on-screen that the input was coming from the speaker rather than the keyboard.
The soundbar also carries dual built-in beamforming microphones, marketed for voice chat on Discord. Different hostile firmware could capture and relay ambient audio over Bluetooth, turning the device into a passive listening tool. The researcher noted both scenarios in his published analysis.
A Twelve-Year-Old Attack Goes Wireless
The BadUSB class of exploit was first demonstrated publicly at Black Hat USA 2014 by researchers Karsten Nohl, Sascha Krißler, and Jakob Lell at Security Research Labs (SRLabs). Their presentation showed that USB firmware could be reprogrammed to present a connected device as an entirely different type of hardware, and that host operating systems would accept the reclassification without challenge because the USB specification places no cryptographic limit on what a peripheral can claim to be. Antivirus software scans files, not firmware, so the attack layer sits below the reach of conventional endpoint tools.
The 2014 work required physical access to the target device at some point in the attack chain. The exploit published in June removes that requirement entirely.
| | BadUSB (2014) | Katana V2X (2026) |
|---|---|---|
| Physical access required | Yes | No (over-the-air BLE) |
| Delivery vector | Direct USB insertion | Bluetooth 5.0, up to 15 m |
| Firmware signing | Absent on most controllers | Absent (SHA-256 checksum only) |
| Attack window | While device is physically connected | Permanent (Bluetooth always active) |
| Vendor patch | N/A (USB specification issue) | Refused by Creative |
BadUSB moved past proof-of-concept years ago. The FBI warned in 2020 that the FIN7 cybercrime group had been mailing USB drives disguised as gift cards to retail and hospitality employees, using them to drop ransomware on connection. A second FBI warning in 2022 noted that FIN7 had expanded its targeting to defense contractors and transportation companies, with packages impersonating Amazon deliveries and US government correspondence. Both campaigns required someone to physically insert the drive. The Katana attack operates from Bluetooth range.
Creative Called It Not a Vulnerability
Moorats attempted to contact Creative twice through its public website contact form. The company has no dedicated security disclosure channel and no bug-reporting portal. Both attempts produced no useful response, so he escalated to SingCERT as an intermediary. SingCERT initially had similar difficulty reaching the company. When Creative did respond, nearly two months had passed since first contact was made.
Creative’s position, as the researcher reported from the SingCERT correspondence:
They do not consider this to be a vulnerability, as it does not present a cybersecurity risk.
Creative, responding through SingCERT, offered no acknowledgment of the unauthenticated firmware update pathway and no commitment to adding Bluetooth authentication in a future release. Creative’s official Sound Blaster product listing still advertises Bluetooth 5.0 connectivity as a feature without any security qualification.
The built-in microphones make the dismissal harder to square with any reasonable security definition. A speaker running hostile firmware, with an always-on Bluetooth radio and dual beamforming microphones, could forward room audio to a receiver outside the building. Creative’s own product copy describes those microphones as suited for Discord voice chat. Hostile firmware would use the same hardware pointed outward, with no LED indicator or audio cue to signal it was active.
Patching It Yourself
Since Creative declined to ship a fix, the researcher built one. v2x-patcher is a command-line tool that pulls the official firmware from Creative’s update servers, patches it in memory to strip CTP support over Bluetooth, and flashes the modified image to a USB-connected device. Prebuilt binaries for Windows x86-64 and Linux x86-64 are available from the researcher’s Gitea repository.
Steps to apply the patch:
- Connect the soundbar via USB and confirm it is not in sleep mode (the display must be active before the tool can communicate with the device).
- Run the patcher; it downloads the official firmware, verifies its integrity, applies the BLE-blocking patch, and flashes the result. The tool will not proceed if the firmware version check fails.
- If the process bricks the device, hold POWER and SOURCE simultaneously while reconnecting power to enter recovery mode, then run the tool again.
- The Creative mobile app will likely stop communicating over Bluetooth after patching, since it uses the same BLE channel the patch disables.
The patch closes the CTP pathway over which wireless firmware updates travel, but it cannot give the Bluetooth radio an off switch. The hardware was not designed with one. The radio stays live after patching, so an attacker who discovers a different Bluetooth attack surface in the updated firmware would still have a permanently accessible radio to reach. Creative’s firmware, on the latest official release, remains vulnerable for anyone who has not applied the third-party patch.
Creative’s firmware ships without authentication and without a committed fix; every unpatched soundbar on a desk is a USB keyboard waiting for the right stranger to walk within range.