Gaming soundbar can be hijacked from over 16 yards away without touch or pairing — the company allegedly refuses to label the blatant security flaw a cybersecurity risk

https://www.tomshardware.com/tech-industry/cyber-security/creatives-sound-blaster-katana-v2x-can-be-hijacked-over-bluetooth

Publish Date: 2026-06-06 12:06:00

Source Domain: www.tomshardware.com

Security researcher Rasmus Moorats has demonstrated that Creative’s Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from roughly 16 yards (15 meters) away, with no pairing or physical contact, in a blog post published on June 3. By exploiting an unauthenticated Bluetooth interface and the absence of firmware signing, an attacker can flash custom firmware onto the speaker over the air, turning the USB-connected device into a keyboard that types commands into the host PC. Creative, which was contacted through Singapore’s national cyber response team, took close to two months to reply and concluded the behavior was not a security risk, leaving owners of the ~$280 soundbar without an official patch.

The Katana V2X communicates with Creative’s desktop app via a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy, the same protocol accepts the same commands without authentication or pairing, so any device in range could read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after editing the image.
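The difference between a checksum and a signature, as an added example that is not code from the article, the researcher, or Creative. The image layout (payload followed by a 32-byte SHA-256 trailer), the Ed25519 key pair, and all function names are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// sealWithChecksum builds a constructed image: payload || SHA-256(payload).
// This layout is an assumption for the example, not the device's real format.
func sealWithChecksum(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append(append([]byte{}, payload...), sum[:]...)
}

// checksumOK is all a checksum-only updater can verify: the image is self-consistent.
func checksumOK(image []byte) bool {
	if len(image) < sha256.Size {
		return false
	}
	split := len(image) - sha256.Size
	sum := sha256.Sum256(image[:split])
	return bytes.Equal(sum[:], image[split:])
}

// signatureOK checks a detached Ed25519 signature against a vendor public key
// that the bootloader would pin; producing a valid signature needs the private key.
func signatureOK(vendorPub ed25519.PublicKey, image, sig []byte) bool {
	return len(sig) == ed25519.SignatureSize && ed25519.Verify(vendorPub, image, sig)
}

// demo returns the verdicts for a vendor image and for an edited, re-sealed image.
func demo() (origSum, editSum, origSig, editSig bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	original := sealWithChecksum([]byte("constructed firmware v1.0"))
	sig := ed25519.Sign(priv, original)
	// Recomputing the trailer needs no secret, so an edited image stays self-consistent.
	edited := sealWithChecksum([]byte("constructed firmware v1.0 (edited)"))
	return checksumOK(original), checksumOK(edited),
		signatureOK(pub, original, sig), signatureOK(pub, edited, sig)
}

func main() {
	fmt.Println(demo()) // checksum(orig) checksum(edited) signature(orig) signature(edited)
}
```

The checksum catches accidental corruption only; the signature check is the one that rejects an image the vendor did not produce.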

To weaponize that, he edited the speaker’s USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already provided. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed “echo pwned,” but the same routine could open PowerShell and paste a malicious one-liner.

Reprogramming a trusted USB peripheral into a keyboard is how BadUSB works, which is the technique Karsten Nohl and Jakob Lell presented at Black Hat back in 2014,…
