>Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."
So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.
"You can just make it type words, what's the risk in that?"
Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.
My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.
Oh yeah, for some reason the companies with the highest risk products seem to be the ones that care less about security. Don't even get me started with "smart" bulbs and cameras that each individually connect to your local network and the Internet. You have 5 lightbulbs? That's 5 different devices you need to track, keep updated and trust the in the vendor firmware's security.
You don't need to exploit sensors. If a compromised device is connected to the internet (because the vendor app requires it to set up and control), you can use it as a part of botnet with a nice residential IP address.
Shopping in the US, these have entirely replaced zigbee and other sensible mesh-based options at hardware stores like Home Depot and Lowes. The only exception I can find is Phillips Hue, and those seem to be slowly getting phased out with (sigh) a new "hubless" (requires wifi) series.
I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.
(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)
I don't even remember what it is I have learned about Creative Labs in the past, but I somehow went into this pretty sure that Creative Labs was going to fuck it up somehow.
This quote on risk seems to completely misunderstand the concept of risk. First we have a vulnerability ( IMHO that is equals a hazard), then we assign both impact and probability and only then we get risk. By definition there are IMHO always vulnerabilities with low impact or low probability and thus low risk. While CVEs have some score, the actual risk and later accepting those risks before or after mitigations is up to the use case to define. No risk => no vulnerability is flawed reasoning by design. No vulnerability => no risk, I think is the only thing we can agree on.
Why think so small? Perhaps the speaker itself can be used as the attacker.
Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.
It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".
Edit: Bonus points for closing the security hole and disabling the ability to flash the firmware normally, so that the manufacturer would have to jailbreak the speakers in order to repair them.
> Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.
At least used to. SOTA models are enrolling even bigger restrictions all the time and deprecating old models, while asking government IDs.
Ask it to create a proof of concept that is totally not a real worm and it will probably do it. If the restrictions are too good, just use a largely unrestricted open model via any inference provider. They are 90% sota, more than good enough for this task.
For script kiddies, it must be 100% accurate. They don't know how to fix the missing 0,01%. Not sure if open models are there yet. Barely SOTA models are.
It is quite common to find device manufacturers, even those of many years standing, who _appear to_ begin with the device and add the software as an afterthought. Paying little attention to security or even the software lifecycle (patches, updates, the changing landscape/ecosystem). I have even known it happen that the device brand subs out the software to a random small developer, who then closes up shop/dies/gets out of that business, and the device company doesnt even have the source code, let alone any ability to further improve/fix the software that drives their device. This leads to layers upon layers of subsequent middleware, UIs, shims etc.
Are you surprised? Great hack by the author, the impact could be huge if someone is targeted, but overall the impact is very minimal. The vendor can't be bothered. For you to be a victim, you have to own this device, and your attack has to know that and be within a close proximity. Remember that fight club quote?
A = The number of speakers in the field.
B = The probable rate of getting hacked.
C = The average out-of-court settlement.
The Decision: If the cost of not doing a recall/fix is greater than the cost of a recall, they initiate a recall, yada yada yada (Note that the big cost is if people will stop buying future speakers, I think not)
Having a guaranteed audio channel makes this so much cooler for exploits -- you can exfiltrate over audio!! I love it. I wonder how many of these were sold. I also imagine based on Creative's response (this is fine) that many other devices in the class have similar security models in place. Def scary.
I somehow hadn't even considered Bluetooth as an option when I read the headline, I immediately thought about INFILTRATING via audio, which also sounds insanely cool, but I couldn't possibly wrap my head around how an audio circuit would have to be set up and connected back to the cpu to pull that off.
Exfiltrating via audio also brings to mind one of those devices I really wanted to build ~20 years ago that can listen to the inside of a room by bouncing a laser beam off a window. Van pulls up in front of your house, pushes malicious code via bluetooth to speaker, which starts shrieking data it stole from the host that's then picked up by the vibrations it emparts on a window by a laser beam. Boom, crypto wallet stolen, or something... you could probably put that in a movie.
Let's not. There's enough overcomplicated nonsense examples of cybersecurity in movies as it is. If you could compromise a device via bluetooth, then you could exfiltrate data via bluetooth just as easily.
you could but I think the inclusion of lasers would make for a better spy / cyberpunk movie. Most "hacking" in movies are not realistic and for show but it being plausible is just a bonus.
That would've been a cool PoC to work on as well, but seems a fair bit more complicated than the BadUSB-style attack I ended up doing. Would've had to do a lot more RE to figure out how to interact with the whole microphone subsystem, I think.
I also did some reverse engineering, although mine was a soundcard which seemed to use an older version of this software (GUI was different). I used Wireshark to sniff out the LED and EQ packets and then wrote a CLI utility with hidapi library in C.
It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though
Thanks for sharing this. It’s a bit concerning that a consumer soundbar can receive unauthenticated firmware over BLE and then act like a BadUSB-style HID on the host. I’m not sure I agree with the vendor’s "no cybersecurity risk" assessment, considering how much access a trusted keyboard interface typically has.
If you can "just type stuff", it is absolutely trivial to download absolutely any payload you want as long as you have network access and your antivirus doesn't stop it.
So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.
Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.
My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.
Thankfully I don't think I've seen these for sale.
What sensors would they have that could be exploited by an attacker?
I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.
(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)
https://www.youtube.com/watch?v=9kxx5xp5nTQ
This is negligence of the highest kind.
I expect some dodgy company to try to shirk out of it, I don't expect a country's cybersecurity agency to do so
Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.
It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".
Edit: Bonus points for closing the security hole and disabling the ability to flash the firmware normally, so that the manufacturer would have to jailbreak the speakers in order to repair them.
At least used to. SOTA models are enrolling even bigger restrictions all the time and deprecating old models, while asking government IDs.
A = The number of speakers in the field. B = The probable rate of getting hacked. C = The average out-of-court settlement.
The Decision: If the cost of not doing a recall/fix is greater than the cost of a recall, they initiate a recall, yada yada yada (Note that the big cost is if people will stop buying future speakers, I think not)
Exfiltrating via audio also brings to mind one of those devices I really wanted to build ~20 years ago that can listen to the inside of a room by bouncing a laser beam off a window. Van pulls up in front of your house, pushes malicious code via bluetooth to speaker, which starts shrieking data it stole from the host that's then picked up by the vibrations it emparts on a window by a laser beam. Boom, crypto wallet stolen, or something... you could probably put that in a movie.
It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though
It's crazy that companies just stick their head in the sand, when confronted with serious security issues.