How a USB-connected speaker can infect a PC without ever being touched
After successfully replacing the firmware with a custom image that did nothing more than display the word "patched" on the speaker's LED display, the researcher began to wonder what else an attacker could do. So he turned his attention to FreeRTOS, the open-source operating system that powers the Katana V2X. It includes a USB device class implementation covering a number of HID functions (keyboards, mice, and webcams) that allow the speaker to act as a human interface device. The speaker implements only a limited HID profile, which allows things like changing the volume and playing or pausing the sound, but not much else.
The researcher discovered that he could change the speaker's USB descriptor set, which is essentially a report that tells a host about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to augment the existing set of descriptors with a second one that said the speaker was a keyboard. He then used code already embedded in the firmware to handle the work of sending keypresses.
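A host-side check for the descriptor trick described above, added here as an example (it is not code from the article or from the researcher's project): it walks a USB configuration descriptor and flags a composite device whose non-HID interfaces (audio, in this case) sit beside a boot-protocol keyboard interface. Descriptor byte layouts follow the USB 2.0 specification; the sample descriptors and the helper names are constructed for this example.

```python
"""Walk a USB configuration descriptor and flag unexpected keyboard interfaces.

Descriptor layouts follow USB 2.0 chapter 9. The sample descriptors below are
constructed for this example, not captured from a real speaker.
"""
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
CLASS_AUDIO, CLASS_HID = 0x01, 0x03
HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD = 0x01, 0x01


def parse_interfaces(config: bytes):
    """Return (class, subclass, protocol) for every interface descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds buffer")
    ifaces, off = [], 0
    while off + 2 <= total:
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            ifaces.append((config[off + 5], config[off + 6], config[off + 7]))
        off += length
    return ifaces


def keyboard_on_non_hid_device(config: bytes) -> bool:
    """True if a device exposing a non-HID class (e.g. audio) also exposes
    a boot-protocol keyboard interface, as the modified speaker did."""
    ifaces = parse_interfaces(config)
    has_other = any(c != CLASS_HID for c, _, _ in ifaces)
    has_kbd = any((c, s, p) == (CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD)
                  for c, s, p in ifaces)
    return has_other and has_kbd


def _iface(num, cls, sub, proto):  # constructed 9-byte interface descriptor
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])


def _config(*ifaces):  # constructed configuration descriptor with wTotalLength
    body = b"".join(ifaces)
    head = bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body))
    return head + bytes([len(ifaces), 1, 0, 0x80, 50]) + body


# Audio plus a generic (volume/play-pause) HID interface: the expected shape.
BENIGN_SPEAKER = _config(_iface(0, CLASS_AUDIO, 1, 0), _iface(1, CLASS_HID, 0, 0))
# The same device with an added boot-protocol keyboard interface.
SUSPICIOUS_SPEAKER = _config(_iface(0, CLASS_AUDIO, 1, 0), _iface(1, CLASS_HID, 0, 0),
                             _iface(2, CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD))
```

This only catches keyboards declared with the boot subclass and protocol; a keyboard described solely through its HID report descriptor (subclass 0, protocol 0) needs the report descriptor parsed as well.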
All of this gave Mooras an idea: if he used his device to send commands to a speaker that speaks HID, would it pass them on to a connected computer? After some trial and error, he found that it would. In a blog post published on Wednesday, he wrote:
Tying it all together, I was able to completely remotely, over the air, download the unpaired custom firmware to my speaker; it would reboot, flash the custom firmware, and, after rebooting, type in "echo pwned" and run it.
In a real attack scenario, I would perform keystrokes to open powershell.exe or similar and paste an actually malicious one-liner into it, but as a proof of concept this was more than enough for me. A real attacker would probably disable the routine to update the firmware in both normal and recovery mode, making it impossible to remove or patch malware in the future.
This is made worse by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no obvious way to turn it off.
Before the speaker and a USB-connected device can communicate, they must successfully complete a challenge-response authentication procedure. Since the devices perform this handshake automatically every time the software starts up, this is usually not an obstacle for an attacker. In some cases, for example when the Katana V2X app is not open on the connected device, the handshake still has to be completed.