After efficiently changing the firmware with a substitute picture that did nothing greater than show the phrase “patched” on the speaker’s LED show, the researcher received to questioning what else a hacker may do. So he turned his consideration to FreeRTOS, the open supply working system that ran the Katana V2X. It contained a set of HID capabilities for permitting the speaker to behave as a human interface system, a classification that features keyboards, mice, and webcams. The speaker carried out a restricted HID that allowed for issues like altering the quantity and enjoying or pausing sound, however little else.
The researcher found that he might change the speaker’s USB descriptor set, which is actually a report that informs units in regards to the capabilities of a USB- or Bluetooth-connected peripheral. He was capable of increase the prevailing descriptor set with a second one which reported the speaker being a keyboard. Then he used code already included within the firmware to streamline the method of sending keypresses.
All of this gave Moorats an concept: What if he used his system to ship instructions to the speaker that used the HID to move them alongside to the related PC? After some trial and error, he discovered that he might. In a weblog post revealed on Wednesday, he wrote:
Chaining all of it collectively, I used to be capable of completely remotely, over the air, add a customized firmware to my speaker which I hadn’t paired with, which might reboot, flash the customized firmware, and after rebooting sort within the command echo pwned and execute it.
In an actual assault situation, I might execute the keystrokes for opening powershell.exe or comparable and paste an truly malicious one-liner into that, however as a proof of idea, this was greater than sufficient for me. An actual attacker would additionally probably disable the routine for updating the firmware in each regular and restoration mode, making it unimaginable to wipe the malicious firmware from the system or patch it sooner or later.
That is worsened by the truth that Bluetooth is at all times on for the speaker, even in sleep mode, with no obvious approach to disable it.
Earlier than the speaker and USB-connected system can work together, they need to efficiently full a challenge-and-response authentication process. For the reason that units carry out this handshake routinely every time the software program boots, this isn’t often an issue for the hacker. In sure instances, nevertheless, similar to when the Katana V2X app isn’t open on the related system, it’s a requirement.
