How a USB-connected speaker can infect a PC without ever being touched



After successfully replacing the firmware with an alternative image that did nothing more than display the word “patched” on the speaker’s LED display, the researcher got to wondering what else a hacker might do. So he turned his attention to FreeRTOS, the open source operating system that ran the Katana V2X. It contained a set of HID functions for allowing the speaker to act as a human interface device, a classification that includes keyboards, mice, and webcams. The speaker implemented a limited HID that allowed for things like changing the volume and playing or pausing sound, but little else.

The researcher discovered that he could change the speaker’s USB descriptor set, which is essentially a record that informs devices about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to expand the existing descriptor set with a second one that reported the speaker as being a keyboard. Then he used code already included in the firmware to streamline the process of sending keypresses.
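The descriptor trick above is visible from the host side: a speaker that suddenly enumerates a keyboard-capable HID interface alongside its audio interfaces is exactly the anomaly a defender can look for. The following is an added example, not code from the article or from the researcher; it walks a configuration descriptor set by bLength, scans each HID interface's report descriptor for a Generic Desktop Keyboard/Keypad usage, and flags such interfaces on audio-class devices. The descriptor bytes and interface numbers are constructed samples.

```python
import struct

# Constants from the USB 2.0 and HID 1.11 specifications (not from the article).
CLASS_AUDIO, CLASS_HID = 0x01, 0x03
DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04
USAGE_PAGE_GENERIC_DESKTOP, USAGE_KEYBOARD, USAGE_KEYPAD = 0x01, 0x06, 0x07

def parse_interfaces(config_blob):
    """Walk a configuration descriptor set by bLength and collect every
    interface descriptor as (bInterfaceNumber, class, subclass, protocol)."""
    out, pos = [], 0
    while pos + 2 <= len(config_blob):
        length, dtype = config_blob[pos], config_blob[pos + 1]
        if length < 2 or pos + length > len(config_blob):
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _neps, cls, sub, proto = struct.unpack_from("<BBBBBB", config_blob, pos + 2)
            out.append((num, cls, sub, proto))
        pos += length
    return out

def report_descriptor_declares_keyboard(report_desc):
    """Scan HID short items for a Usage of Keyboard or Keypad on the Generic
    Desktop page, which a keystroke-injecting interface must declare."""
    page, pos = None, 0
    while pos < len(report_desc):
        prefix = report_desc[pos]
        if prefix == 0xFE:                       # long item: skip it entirely
            pos += 3 + report_desc[pos + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        value = int.from_bytes(report_desc[pos + 1:pos + 1 + size], "little")
        tag_type = prefix & 0xFC                  # bTag and bType bits together
        if tag_type == 0x04:                      # Global item: Usage Page
            page = value
        elif tag_type == 0x08 and page == USAGE_PAGE_GENERIC_DESKTOP:  # Local: Usage
            if value in (USAGE_KEYBOARD, USAGE_KEYPAD):
                return True
        pos += 1 + size
    return False

def audit_speaker(config_blob, report_descs):
    """report_descs maps bInterfaceNumber -> HID report descriptor bytes.
    Returns the HID interfaces that can type keystrokes on an audio-class device:
    either a boot-protocol keyboard (subclass 1, protocol 1) or a report
    descriptor that declares a keyboard usage."""
    ifaces = parse_interfaces(config_blob)
    if not any(cls == CLASS_AUDIO for _, cls, _, _ in ifaces):
        return []
    return [num for num, cls, sub, proto in ifaces if cls == CLASS_HID and
            ((sub == 1 and proto == 1) or
             report_descriptor_declares_keyboard(report_descs.get(num, b"")))]

def iface(num, cls, sub, proto):                 # constructed interface descriptor
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])

def build_config(iface_descs):                   # constructed configuration header
    total = 9 + sum(len(d) for d in iface_descs)
    hdr = bytes([9, DT_CONFIGURATION]) + struct.pack("<H", total) + bytes([len(iface_descs), 1, 0, 0x80, 50])
    return hdr + b"".join(iface_descs)

CONSUMER_RD = bytes.fromhex("050c0901a101c0")   # Consumer Control: volume / play / pause
KEYBOARD_RD = bytes.fromhex("05010906a101c0")   # Generic Desktop / Keyboard
BENIGN = build_config([iface(0, CLASS_AUDIO, 1, 0), iface(1, CLASS_AUDIO, 2, 0), iface(2, CLASS_HID, 0, 0)])
TAMPERED = build_config([iface(0, CLASS_AUDIO, 1, 0), iface(1, CLASS_AUDIO, 2, 0),
                         iface(2, CLASS_HID, 0, 0), iface(3, CLASS_HID, 0, 0)])
```

On a real host the same check can be fed from lsusb -v or the sysfs descriptors file, and a hit on a device that was previously audio-only is a strong signal that its firmware or descriptor set has changed.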

All of this gave Moorats an idea: What if he used his device to send commands to the speaker that used the HID to pass them along to the connected PC? After some trial and error, he found that he could. In a blog post published on Wednesday, he wrote:

Chaining it all together, I was able to fully remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.

In a real attack scenario, I could execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it impossible to wipe the malicious firmware from the device or patch it in the future.

This is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.

Before the speaker and USB-connected device can interact, they must successfully complete a challenge-and-response authentication process. Since the devices perform this handshake automatically each time the software boots, this isn’t usually a problem for the hacker. In certain cases, however, such as when the Katana V2X app isn’t open on the connected device, it’s a requirement.
