Here's the thing about IoT security that keeps me up at night: we've collectively decided that a $283 Bluetooth speaker doesn't need the same basic authentication guarantees as your laptop. And when I say "we," I mean Creative Technologies, the Singapore-based company behind the Sound Blaster Katana V2X — a device that's been praised nearly everywhere for its sound quality and performance.
But praise doesn't stop a researcher from turning your speaker into a remote code execution proxy. And it didn't.
Rasmus Moorats, an independent security researcher, stumbled onto this vulnerability completely by accident. He'd bought a Katana V2X and was curious whether he could build a Linux tool to communicate with it. What he found instead was a proprietary protocol called CTP — Creative Technologies Transport Protocol, or at least that's what he guesses the acronym stands for — that runs over both Bluetooth and USB connections with almost no authentication whatsoever.
CTP lets connected devices send commands to the speaker. Change LED colors. Adjust equalizer settings. That's it on the surface, and that's exactly how Creative Technologies designed it to feel: a harmless convenience layer. But beneath the surface, CTP also exposes an "upload new firmware to device" command that requires no code signing, no challenge-response handshake over Bluetooth, and absolutely zero user consent.
Moorats replaced the speaker's official firmware with a custom image that simply displayed "patched" on the LED strip. Then he started thinking about what else a real attacker could do.
The answer, as it turns out, is everything.
The Attack Chain: From Bluetooth Range to a Pwned PC
Let me walk you through what Moorats actually demonstrated, because the chain is elegant in a way that makes your skin crawl.
First, an attacker positions themselves within Bluetooth range of the target speaker. This is a real constraint — we're talking neighbors, housemates, or people in adjacent office cubicles. Bluetooth range typically tops out around 10 meters for Class 2 devices, though it can stretch further with external antennas.
Second, the attacker connects to the speaker over Bluetooth using CTP. No pairing required. No authentication prompt. The Katana V2X keeps its Bluetooth radio on at all times, even in sleep mode, with no apparent way to disable it. This alone is a design decision that deserves more scrutiny than it's received.
Third, the attacker sends the firmware upload command. The speaker accepts arbitrary binary data and flashes it to its internal storage. There's no code signing verification, no recovery-mode lockout, nothing. The researcher noted that a real attacker would likely disable the firmware update routine in both normal and recovery modes after gaining access, making it impossible for the victim to wipe the malicious firmware or push a legitimate patch in the future.
Fourth, the speaker reboots with the custom firmware. The modified FreeRTOS instance now runs code chosen entirely by the attacker.
Fifth — and this is where it gets genuinely dangerous — the speaker uses its existing HID (Human Interface Device) functions to impersonate a keyboard connected to the target PC. The speaker's firmware already contained code for volume control and playback commands via HID. Moorats modified the USB descriptor set to add a second keyboard profile, then leveraged existing firmware routines to streamline keystroke injection.
The result? The attacker types echo pwned into the connected PC's terminal. In a real-world scenario, they'd be executing powershell.exe or equivalent and pasting in an actual payload. The speaker becomes a wireless keyboard that nobody thought was a keyboard, typing commands on behalf of an attacker who never touched the target machine.
Before you ask: yes, USB-connected devices do perform a challenge-and-response authentication handshake. But that handshake happens automatically each time the software boots, and the correct response can be extracted from the speaker's companion app binary. Over Bluetooth? No such handshake exists at all.
The HID Pivot: Why Peripheral Trust Is a Broken Model
What makes this vulnerability particularly insidious isn't just the firmware reflashing — it's what that reflashing enables. The HID pivot transforms a passive peripheral into an active attack instrument.
Think about how deeply we trust USB and Bluetooth HID devices. When you plug in a keyboard, your operating system assumes it's sending keystrokes from a human. When a mouse moves the cursor, you don't question whether it's actually a person moving it. This trust is baked into every major OS — Windows, macOS, Linux — and enforcing it requires significant security overhead that manufacturers routinely skip on cheap IoT devices.
The Katana V2X runs FreeRTOS, a real-time operating system commonly used in embedded devices. It's lightweight, it's open source, and it comes with a set of HID functions that the speaker implements for basic volume and playback control. But FreeRTOS's HID stack doesn't care whether those keystrokes come from a human or from attacker-chosen firmware. It just sends them.
This is the fundamental problem with peripheral trust models in consumer electronics: devices that present themselves as harmless input peripherals can be repurposed into full attack vectors the moment an attacker gains write access to their firmware. And as this case demonstrates, write access is embarrassingly easy to obtain when the manufacturer hasn't thought about it.
The broader question — and one that deserves an answer from every IoT manufacturer reading this — is what other Bluetooth devices in your home or office are sitting on the same broken trust model right now. Smart plugs. LED strips. Fitness trackers. The list is long, and most of it has never been audited.
Creative Technologies' Response: A Case Study in Vendor Silence
Moorats reported his findings to Creative Technologies. He got nothing back.
So he brought in CERT Singapore — the Computer Emergency Response Team for the Republic of Singapore, where Creative Technologies is headquartered. Eventually, after CERT intervened, the company responded. Their position? The behavior isn't a vulnerability.
Let that sink in. A company whose product can be turned into a remote code execution device for any PC within Bluetooth range has decided that this is by design, not by defect.
This kind of response isn't uncommon in the IoT space. Manufacturers often classify authentication gaps as "features" because adding them would require hardware changes, firmware re-certification, or — worst case for a public company — admitting that their product shipped with a known security flaw. The economic incentives are misaligned, and the result is exactly what we're seeing here: a widely reviewed, well-regarded speaker that ships with a remote code execution path its maker refuses to acknowledge.
The researcher tested the attack against a connected Windows machine. The implications for enterprise environments — where employees bring personal peripherals into corporate networks daily — are substantial enough that this should be flagged in any security team's IoT risk assessment.
What NIST and CISA Actually Recommend for This
This isn't a theoretical problem. It's a concrete, demonstrated attack chain against a consumer device that millions of people use daily. And the frameworks we already have in place — NIST's Cybersecurity Framework and CISA's cybersecurity best practices — have clear guidance on exactly how to mitigate risks like this.
Here's what actually works, based on established guidance:
Firmware integrity verification. Every IoT device that accepts firmware updates should implement code signing. Period. The absence of this control on the Katana V2X is not a design choice — it's a fundamental security failure that any competent security review would flag before production.
Network segmentation. NIST's framework emphasizes isolating IoT devices on dedicated VLANs or guest networks. If a speaker is compromised, it shouldn't have direct network access to your production systems. This limits lateral movement even when the device itself can't be patched.
Bluetooth radio management. Devices should allow users to disable Bluetooth when not in active use. The Katana V2X's always-on radio with no off switch is a design that prioritizes convenience over security, and the attack chain demonstrated here proves why that tradeoff doesn't hold up.
Endpoint detection and response. EDR solutions on connected host devices can detect anomalous HID activity — keystrokes appearing without user input, unexpected process spawning from peripheral-connected sessions. This won't prevent the initial compromise, but it can catch the execution phase.
Vendor accountability. CISA's best practices include requiring vendors to maintain responsible disclosure channels and respond to reported vulnerabilities in a timely manner. Creative Technologies' initial silence, followed by a denial that the issue was a vulnerability at all, represents exactly the kind of vendor behavior these guidelines were written to prevent.
The Bottom Line: Buy the Speaker, But Don't Trust It
Let me be clear about what this means for you as a consumer.
The Sound Blaster Katana V2X is, by all accounts, an excellent speaker. The sound quality is praised across numerous reviews, and it performs well for its price point. But excellent audio output doesn't compensate for a device that can be turned into a remote code execution proxy by anyone within Bluetooth range.
If you own one, here's what I'd actually recommend:
Disconnect it from your primary work machine. Use it with a dedicated device that doesn't contain sensitive data, or run it through an audio interface that breaks the USB data path. If you need Bluetooth connectivity, understand that every second the radio is on, you're exposing yourself to this attack chain.
And if you work in IT security, flag this. Not as a theoretical risk. As a demonstrated, reproducible attack against a commercially available device that your employees may already have on their desks.
The broader lesson here is uncomfortable but necessary: the IoT security landscape operates on a model where manufacturers ship devices with known attack paths and call them features. Until the economic incentives shift — through regulation, liability, or consumer pressure that actually moves revenue — devices like the Katana V2X will keep shipping with remote code execution built in, and researchers will keep finding new ways to activate them.