I bought a Sound Blaster Katana V2X because it looked cool. It had LEDs. It sounded good. It came with a $283 price tag and a dozen glowing reviews calling it "the best soundbar under $300." I didn’t think about the firmware. I didn’t think about the Bluetooth stack. I didn’t think about the fact that it was a tiny, unsecured computer sitting on my desk, listening.
Then Rasmus Moorats showed me what it could do.
He didn’t set out to hack a speaker. He was just trying to build a Linux tool to control the damn thing’s equalizer. But when he sent a Bluetooth command to the Katana V2X, it answered. No pairing. No password. Just… yes. And then he found the command: "upload new firmware." No signature check. No validation. Just a raw binary dump, accepted like a gift from a stranger.
He flashed a new firmware that made the speaker’s LED spell "patched." Then he did something even more terrifying: he rewrote the USB descriptor so the speaker pretended to be a keyboard.
Suddenly, my $283 speaker wasn’t just playing music.
It was typing.
And it could type anything.
I’ve spent the last two years writing about zero-days in enterprise firewalls and supply chain exploits in cloud infrastructure. But this? This is the first time I’ve felt genuinely violated by a consumer product.
Because here’s the thing: you don’t need to be a hacker to be vulnerable. You just need to own a Bluetooth speaker. And if you’ve ever left your laptop unlocked, or if your office is next to someone else’s, or if your partner sometimes "borrows" your computer… you’re already at risk.
This isn’t a flaw. It’s a design choice.
And Creative Technologies didn’t even think it was worth fixing.
What You Can Do Right Now
I know what you’re thinking: "Okay, I’m freaked out. What do I do?"
Here’s your action list. No fluff. No theory. Just what you can do today.
- Unplug your Katana V2X. Seriously. If you have one, unplug it. Don’t just turn it off. Unplug it. The Bluetooth radio stays on even when powered off. Only cutting the power kills it.
- Disable Bluetooth on your PC. If you don’t use Bluetooth peripherals, turn it off entirely. Go to Settings > Bluetooth > Turn Off. Do it now.
- Don’t leave your laptop unlocked. If you walk away from your desk, lock it. Always. Even if you think you’re safe. This attack doesn’t need your password. It types it for you.
- Check your other devices. Any Bluetooth speaker? Any smart display? Any wireless headphones? Look up their model online. Search for "firmware update" and "HID" and "Bluetooth always on." If you find nothing? You’re probably safe. But if you find a forum post where someone says "I hacked mine"? You’re not.
- Don’t trust the app. The Creative app doesn’t protect you. It enables the vulnerability. If your speaker has an app, uninstall it. It’s not a tool. It’s a backdoor.
- If you’re a company: Audit every IoT device in your office. Turn off Bluetooth on all of them. Disable USB HID on all peripherals. If you can’t, replace them.
- Demand better. When you buy a speaker, ask: "Is firmware signed? Can it be a keyboard?" If the salesperson doesn’t know, walk away. If the company doesn’t answer your email? Don’t buy it.
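For the audit step above, one check that can be automated is whether something that enumerates as a USB audio device also presents a HID keyboard interface, which is the descriptor change described earlier. The sketch below is an added example, not code from Rasmus Moorats or Creative; the sample descriptors are constructed, and the `classify` labels and helper names are assumptions of this example.

```python
import struct

USB_CLASS_AUDIO, USB_CLASS_HID = 0x01, 0x03   # bInterfaceClass values (USB-IF)
DT_CONFIG, DT_INTERFACE = 0x02, 0x04          # bDescriptorType values

def interfaces(blob: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i + 2 <= len(blob):
        length, dtype = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == DT_INTERFACE and length >= 9:
            yield tuple(blob[i + 5:i + 8])
        i += length

def classify(blob: bytes) -> str:
    """'alert': audio device that also enumerates as a boot keyboard.
    'review': audio device with some other HID interface (often just
    volume/media buttons; the HID report descriptor decides).
    'ok': no audio+HID combination."""
    seen = set(interfaces(blob))
    audio = any(cls == USB_CLASS_AUDIO for cls, _, _ in seen)
    hid = [t for t in seen if t[0] == USB_CLASS_HID]
    if not (audio and hid):
        return "ok"
    # HID subclass 1 = boot interface, protocol 1 = keyboard
    if any(sub == 1 and proto == 1 for _, sub, proto in hid):
        return "alert"
    return "review"

# --- constructed sample descriptors (not captured from a real device) ---
def iface(num, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])

def config(*ifaces):
    body = b"".join(ifaces)
    head = bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body))
    return head + bytes([len(ifaces), 1, 0, 0x80, 50]) + body

AUDIO = [iface(0, 0x01, 0x01, 0), iface(1, 0x01, 0x02, 0)]  # control + streaming
SPEAKER = config(*AUDIO)
SPEAKER_MEDIA_KEYS = config(*AUDIO, iface(2, 0x03, 0, 0))
SPEAKER_AS_KEYBOARD = config(*AUDIO, iface(2, 0x03, 1, 1))

if __name__ == "__main__":
    for name in ("SPEAKER", "SPEAKER_MEDIA_KEYS", "SPEAKER_AS_KEYBOARD"):
        print(name, classify(globals()[name]))
```

On Linux, the `descriptors` file under `/sys/bus/usb/devices/<device>/` holds the same raw bytes and can be passed to `classify` directly.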
This isn’t about fear.
It’s about agency.
You don’t have to live with a device that can hack you.
You just have to stop pretending it’s harmless.
And if you’re still not convinced?
Go to your speaker.
Unplug it.
Turn it back on.
Listen.
It’s not just playing music.
It’s waiting.
And it’s always listening.