A highly-enhanced speaker can be hijacked over the air to destroy connected devices


After successfully replacing the firmware with a custom image that did nothing more than show the word “patches” on the speaker’s LED display, the researcher began to wonder what else he could do. So he turned to FreeRTOS, the open source real-time operating system that the Katana V2X runs. It supported HID, the Human Interface Device class that lets a device act as an input peripheral, a group that includes keyboards, mice, and webcams. The speaker used a limited HID profile that allowed things like changing the volume and playing or pausing audio, but little else.

The researcher found that he could change the USB descriptor, which is essentially a report that tells the host about the capabilities of a USB- or Bluetooth-connected device. He was able to add a second descriptor alongside the existing one that identified the speaker as a keyboard. He then used code already included in the firmware to control how keystrokes were sent.

All of this gave Moorats an idea: What if he could send commands to the speaker and have it use HID to deliver them to a connected PC? After trial and error, he found that he could. In the blog post published on Wednesday, he wrote:

To put it all together, I was able to remotely install a custom firmware for my speaker that I didn’t install, which would reboot, flash the custom firmware, and after rebooting type the call command and execute it.

In a real-world scenario, I could just send keystrokes to open powershell.exe or something similar and put one malicious link there, but as a proof of concept, this was enough for me. A real attacker can also disable the routine of updating firmware in normal and recovery mode, making it impossible to wipe malicious firmware from the device or install it in the future.

This is made worse by the fact that the speaker’s Bluetooth is always on, even when the speaker is asleep, with no obvious way to turn it off.

Before the speaker and the USB-connected device can start interacting, they must successfully complete a challenge-and-response authentication handshake. Since the devices perform this handshake automatically every time they connect, this is usually not an obstacle. In some cases, however, if the Katana V2X software is not open on the connected device, the handshake has to be completed first.


