The funniest computer security story of the week is also one of the nastiest: a gaming soundbar can stop being a soundbar and start acting like a keyboard. Not metaphorically. Literally.

Security researcher Rasmus Moorats published research on Creative's Sound Blaster Katana V2X showing how the USB-connected speaker could be reached over Bluetooth Low Energy from roughly 15 meters away, accept unauthenticated control commands, take a firmware image, and then present itself to the attached computer as a USB human-interface device. That is the old BadUSB nightmare wearing a living-room accessory costume.

This is not a cloud breach, a leaked token, or another dashboard with a red severity badge. It is weirder and more useful than that. It is a small lesson in how modern peripherals have become computers with radios, firmware update paths, custom protocols, and just enough trust to ruin your afternoon.

attacker nearby
  -> Bluetooth Low Energy
  -> Creative control protocol command
  -> unsigned firmware update
  -> speaker reboots as audio device + HID keyboard
  -> trusted PC accepts keystrokes from a known USB peripheral
The punchline is not Bluetooth by itself. The punchline is Bluetooth controlling a trusted USB identity.

The soundbar had a side door

The Katana V2X is marketed as a desktop gaming soundbar: USB audio, Bluetooth 5.0, HDMI ARC, optical input, microphones, LEDs, the whole small-battle-station menu. Creative also ships desktop software that talks to the device so users can change settings. Moorats went looking because he wanted a Linux tool for his own speaker. He found a much bigger story.

The speaker uses a proprietary command channel he refers to as CTP, or Creative Transport Protocol. Over USB, that channel had a challenge-response step before accepting commands. Over Bluetooth Low Energy, according to the research, the same class of commands could be reached without pairing and without that authentication barrier.

That matters because CTP was not limited to harmless party tricks like changing LED colors. One command path handled firmware updates. The firmware container had a checksum, but a checksum is not a signature. A checksum tells the device whether bytes changed by accident. A cryptographic signature tells the device whether the bytes came from someone allowed to replace its brain.

A checksum on firmware is a luggage scale. It can tell you the bag's weight. It cannot tell you who packed it.

BadUSB gets a radio

BadUSB is the class of attack where a USB device changes its personality. A thumb drive, cable, charger, or in this case a soundbar can advertise itself as something the operating system tends to trust, such as a keyboard. Computers are trained to accept keyboards quickly because a computer that distrusts every keyboard is not much fun to set up.

Moorats' twist was the distance. Classic BadUSB usually implies that someone touched the device, replaced it, mailed it, or convinced a user to plug it in. Here, the trusted peripheral was already plugged into the PC. The remote control plane was the radio. Once the firmware was altered, the speaker could enumerate as a HID keyboard in addition to doing speaker things.

That makes this research feel less like a one-off product bug and more like a warning label for the whole peripheral zoo. Every desk now has little computers hanging off bigger computers: docks, cameras, headsets, microphones, RGB controllers, capture cards, audio interfaces, charging hubs, monitors. Many of them have wireless chips. Many of them have update logic. Most users think of them as objects, not endpoints.

The patch story is the sour part

According to Moorats' write-up and follow-on reporting, Creative did not treat the behavior as a cybersecurity risk after disclosure through SingCERT. That is a strange answer for a device that can accept unauthenticated wireless commands and rewrite firmware in a way that changes USB behavior on a connected host.

The generous interpretation is that consumer hardware teams still separate product behavior from computer security. The speaker plays audio, the firmware updates, the app controls settings, therefore the system works. The less generous interpretation is that peripheral makers still get to ship tiny computers without the security expectations we would apply to laptops, routers, phones, or servers.

Either way, the practical consequence is awkward. Owners cannot rely on a normal patch loop if the vendor says there is no security issue. Enterprise defenders cannot simply scan for a CVE and move on. Operating systems cannot easily distinguish a normal keyboard from a compromised familiar USB device without breaking legitimate hardware.

What changes after this

The obvious lesson is that firmware updates need signatures. Not vibes, not checksums, not a protocol that trusts the friendly path and forgets the wireless path. If a device can load code, it needs to verify who signed that code. If a radio can reach the update path, it needs authentication before it gets anywhere near it.

The second lesson is that USB trust is too flat. A peripheral that has always been an audio device should not casually sprout a keyboard interface without creating friction somewhere. That friction might come from operating-system prompts, enterprise USB policy, endpoint detection rules, or better device attestation. None of those is perfect, but silent identity expansion is the dangerous default.

  • For hardware makers: secure boot and signed update chains should be baseline, even on accessories.
  • For OS vendors: new HID interfaces from existing devices deserve more suspicion.
  • For IT teams: desks full of smart peripherals are part of the attack surface, not office decor.
  • For users: if a device does not need USB data, do not give it USB data. Power-only paths exist for a reason.

The fun version of the story is that a soundbar learned to type. The serious version is that peripheral security is still playing catch-up with peripheral ambition. The cheap chips got radios. The radios got protocols. The protocols got firmware access. The trust model did not get the memo.

That is why the Katana V2X research lands. It is not just about Creative, one speaker, or one clever researcher with time and taste in audio gear. It is about the uncomfortable number of devices sitting inches from our keyboards that are already computers, already networked, and still being treated like plastic.

Sources