Creative Sound Blaster Katana V2X Vulnerability Allows Remote PC Hacking

Rasmus Moorats discovered that the Creative Sound Blaster Katana V2X soundbar allows unauthorized Bluetooth access to execute remote commands on connected PCs. By bypassing pairing and uploading custom firmware, the device mimics a keyboard to run malicious code, according to reports from Techspot and detikINET.

How does a soundbar turn into a “ghost keyboard”?

The attack leverages the Creative Transport Protocol (CTP), which handles lighting and sound settings. Moorats found that any Bluetooth device in range can connect to this protocol without authentication or pairing. This creates an open door to the hardware physically connected to a computer.

Once connected, the attacker exploits a lack of code signing in the firmware update process. Moorats successfully uploaded custom firmware over-the-air (OTA). Because the device runs FreeRTOS, it supports Human Interface Device (HID) functions. By modifying the firmware, the soundbar stops acting like a speaker and starts acting like a USB keyboard.

From there, the soundbar can “type” commands into the host PC. Moorats noted he could remotely trigger programs like PowerShell to execute malicious code and lock the system to prevent the firmware from being deleted.

Why is the “zero-pairing” vulnerability a growing trend?

This incident highlights a shift toward “invisible” attack vectors. Traditional hacking often requires a user to click a link or download a file. Hardware-based attacks, like the one found in the Katana V2X, require zero user interaction.

The trend is moving toward exploiting secondary protocols—like the CTP used by Creative—that manufacturers implement for convenience but fail to secure. As more peripherals (lights, speakers, controllers) integrate complex operating systems like FreeRTOS, the attack surface for the host PC expands.

According to the report, the Bluetooth radio on the Katana V2X remains active even in sleep mode. This means a device can be compromised while the user isn’t even using the computer, provided the attacker is within Bluetooth range.

What happens when companies deny security flaws?

A significant point of friction exists between security researchers and manufacturers regarding what constitutes a “vulnerability.” Creative Technology responded to the findings by stating their technicians do not consider this device behavior a vulnerability, according to Techspot.

This creates a dangerous precedent. When a company labels a flaw as “intended behavior” rather than a security hole, they avoid the cost of issuing patches. In this case, it took the intervention of CERT Singapore (the Singaporean Cyber Security Agency) to facilitate communication between the researcher and the company.

Will future hardware be more secure?

The industry is seeing a slow move toward mandatory code signing. Code signing ensures that a device will only accept firmware updates that are digitally signed by the manufacturer. The Katana V2X lacked this, allowing Moorats to inject his own code.

Future trends suggest that “Zero Trust” architecture will move from the software level down to the hardware port. We can expect more operating systems to prompt users before allowing a previously known audio device to suddenly identify itself as a keyboard.

Frequently Asked Questions

Do you use smart peripherals connected to your main workstation? Share your security setup in the comments below or subscribe to our newsletter for more hardware security alerts.