After successfully replacing the firmware with an alternative image that did nothing more than display the word “patched” on the speaker’s LED display, the researcher began wondering what else a hacker might do. So he turned his attention to FreeRTOS, the open source operating system that runs the Katana V2X. It contained a set of HID functions that allow the speaker to act as a human interface device, a classification that includes keyboards, mice, and webcams. The speaker implemented a limited HID that allowed for things like changing the volume and playing or pausing sound, but little else.
The researcher discovered that he could change the speaker’s USB descriptor set, which is essentially a report that informs hosts about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to augment the existing descriptor set with a second one that reported the speaker as a keyboard. Then he used code already included in the firmware to streamline the process of sending keypresses.
All of this gave Moorats an idea: What if he used his device to send commands to the speaker that used the HID to pass them along to the connected PC? After some trial and error, he found that he could. In a blog post published on Wednesday, he wrote:
Chaining all of it together, I was able to fully remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.
In a real attack scenario, I’d execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was good enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it not possible to wipe the malicious firmware from the device or patch it in the long run.
This is made worse by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.
Before the speaker and USB-connected device can interact, they must successfully complete a challenge-and-response authentication procedure. Because the devices perform this handshake automatically every time the software boots, this isn’t normally an obstacle for the hacker. In certain cases, however, such as when the Katana V2X app isn’t open on the connected device, it is a requirement.