After efficiently changing the firmware with a alternative picture that did nothing greater than show the phrase “patched” on the speaker’s LED show, the researcher acquired to questioning what else a hacker would possibly do. So he turned his consideration to FreeRTOS, the open supply working system that ran the Katana V2X. It contained a set of HID capabilities for permitting the speaker to behave as a human interface system, a classification that features keyboards, mice, and webcams. The speaker carried out a restricted HID that allowed for issues like altering the amount and enjoying or pausing sound, however little else.
The researcher found that he may change the speaker’s USB descriptor set, which is basically a report that informs gadgets concerning the capabilities of a USB- or Bluetooth-connected peripheral. He was in a position to increase the prevailing descriptor set with a second one which reported the speaker being a keyboard. Then he used code already included within the firmware to streamline the method of sending keypresses.
All of this gave Moorats an concept: What if he used his system to ship instructions to the speaker that used the HID to go them alongside to the related PC? After some trial and error, he discovered that he may. In a weblog put up revealed on Wednesday, he wrote:
Chaining all of it collectively, I used to be in a position to completely remotely, over the air, add a customized firmware to my speaker which I hadn’t paired with, which might reboot, flash the customized firmware, and after rebooting sort within the command echo pwned and execute it.
In an actual assault state of affairs, I’d execute the keystrokes for opening powershell.exe or related and paste an really malicious one-liner into that, however as a proof of idea, this was greater than sufficient for me. An actual attacker would additionally doubtless disable the routine for updating the firmware in each regular and restoration mode, making it not possible to wipe the malicious firmware from the system or patch it sooner or later.
That is worsened by the truth that Bluetooth is at all times on for the speaker, even in sleep mode, with no obvious method to disable it.
Earlier than the speaker and USB-connected system can work together, they need to efficiently full a challenge-and-response authentication process. Because the gadgets carry out this handshake mechanically every time the software program boots, this isn’t often an issue for the hacker. In sure circumstances, nevertheless, similar to when the Katana V2X app isn’t open on the related system, it’s a requirement.
