Remote attack on Sound Blaster Katana V2X: Bluetooth speaker injects keystrokes into PC
Security researcher Rasmus Moorats has published a proof-of-concept attack on the Sound Blaster Katana V2X gaming speaker that allows remote keystroke injection into a connected PC over Bluetooth, with zero physical interaction. The exploit chain: replace the speaker's firmware over Bluetooth, then make it masquerade as a USB keyboard to type arbitrary commands into the host machine. The manufacturer, Creative Technology, told Ars Technica that it does not consider this behavior a vulnerability.
Technical breakdown: from firmware to keyboard injection
The Katana V2X runs FreeRTOS, an open-source real-time operating system. The speaker's firmware includes HID (Human Interface Device) functions for basic controls like volume and playback. Moorats discovered he could modify the USB descriptor set — the metadata a device sends to the host to declare its capabilities — to add a second descriptor reporting the device as a keyboard. The firmware already contained code to streamline sending keypresses, making injection straightforward.
In his blog post, Moorats wrote: "Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn't paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it." He notes that a real attacker would likely open PowerShell or cmd and paste a malicious one-liner, and also disable firmware update routines to prevent remediation.
Bluetooth always on, no pairing needed
The attack is facilitated by the speaker's Bluetooth being always active, even in sleep mode, with no user-accessible option to disable it. While the speaker and a connected device normally perform a challenge-response authentication handshake each time the software boots, this is automated and not a barrier. In some cases, if the Katana V2X app isn't open on the host, the handshake is required — but that still doesn't prevent the attack.
Why this matters for developers
This exploit highlights the insecurity of IoT devices that implement HID functionality without proper access controls. The ability to inject keystrokes remotely turns any connected speaker into a potential attack vector. Developers building USB HID devices should enforce strict descriptor validation on the host side, and avoid exposing firmware update capabilities over wireless interfaces without cryptographic signing and mutual authentication.
Mitigation and next steps
Creative Technology's response — that the behavior is not a vulnerability — suggests no firmware patch is coming. Users of the Katana V2X should consider physically disconnecting the USB cable when not in use, or disabling Bluetooth if possible (the speaker has no official method). For developers, this is a clear case study: never trust USB descriptors from a device that can be updated wirelessly. Implement host-side HID policy that rejects unexpected keyboard reports from non-keyboard devices, and require user confirmation for new HID capabilities.
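One way to implement the host-side HID policy described above, as an added example that is not code from Moorats's write-up or from Creative: a parser that lists the top-level application collections declared in a HID report descriptor and flags any that a speaker is not expected to expose. The allowlist, the function names and both sample descriptors are assumptions constructed for illustration.

```python
# Added example (not from the original article). Policy and sample bytes are assumptions.
ALLOWED_FOR_SPEAKER = {(0x0C, 0x01)}  # Consumer page / Consumer Control (volume, playback)

# Constructed report descriptors: media keys only, and a boot-style keyboard.
CONSUMER_ONLY = bytes.fromhex(
    "05 0c 09 01 a1 01 15 00 25 01 09 e9 09 ea 09 cd 75 01 95 03 81 02 95 05 81 01 c0")
KEYBOARD_ADDED = bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 95 01 75 08"
    " 81 01 95 06 75 08 15 00 25 65 05 07 19 00 29 65 81 00 c0")

def top_level_collections(desc: bytes):
    """Return (usage_page, usage) for each top-level Application collection."""
    found, usages, page, depth, i = [], [], 0, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: size byte, tag byte, data
            if i + 2 >= len(desc) or i + 3 + desc[i + 1] > len(desc):
                raise ValueError("truncated long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError(f"truncated item at offset {i}")
        value, tag = int.from_bytes(data, "little"), prefix & 0xFC
        if tag == 0x04:                          # Global item: Usage Page
            page = value
        elif tag == 0x08:                        # Local item: Usage
            # the 4-byte form carries its own page in the upper 16 bits
            usages.append((value >> 16, value & 0xFFFF) if size == 4 else (None, value))
        elif (prefix >> 2) & 0x03 == 0:          # any Main item
            if tag == 0xA0:                      # Collection
                if depth == 0 and value == 0x01 and usages:   # 0x01 = Application
                    p, u = usages[0]
                    found.append((page if p is None else p, u))
                depth += 1
            elif tag == 0xC0:                    # End Collection
                depth -= 1
                if depth < 0:
                    raise ValueError("End Collection without Collection")
            usages = []                          # local state resets after a Main item
        i += 1 + size
    if depth != 0:
        raise ValueError("unbalanced collections")
    return found

def violations(desc: bytes, allowed=ALLOWED_FOR_SPEAKER):
    """Top-level collections that this device class is not expected to declare."""
    return [c for c in top_level_collections(desc) if c not in allowed]
```

Run the check once per HID interface the device exposes; on Linux the descriptor bytes can be read from /sys/bus/hid/devices/<id>/report_descriptor.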
Technical details: the attack chain
- Over-the-air firmware replacement: The attacker sends a malicious firmware image to the speaker over Bluetooth. The speaker reboots and flashes the new firmware.
- USB descriptor augmentation: The custom firmware includes a modified USB descriptor that reports the device as both a speaker and a keyboard.
- Keystroke injection: The firmware uses the existing HID keypress functions to type commands into the connected PC. The host sees the speaker as a legitimate keyboard and executes the keystrokes.
Moorats confirmed that the attack works even without prior pairing. The speaker's Bluetooth is discoverable, and the firmware update mechanism does not require authentication.
Context: HID injection attacks are not new, but this vector is
USB keystroke injection via BadUSB and similar attacks is well-known. However, this case adds a wireless firmware update path, making the attack remote and persistent. The fact that the manufacturer dismisses it as non-vulnerable underscores the gap between security researcher expectations and industry practices.
What you should do now
If you own a Sound Blaster Katana V2X, disconnect the USB cable when not using the speaker. If you develop USB HID devices, audit your firmware update process and descriptor handling. Consider implementing signed firmware updates and requiring user consent for HID descriptor changes. Monitor the CVE database for any future identifier assigned to this issue.






