
Rasmus Moorats discovered he could remotely upload custom firmware to a Katana V2X speaker without pairing. The speaker then reboots, flashes the firmware, and can execute commands on a connected PC by typing keystrokes.
The attack exploits the speaker's USB descriptor set (a report describing a peripheral's capabilities) to make the device appear as a keyboard to connected computers, then uses existing firmware code to send keypresses and commands over the air via Bluetooth.
Bluetooth remains always on for the speaker even in sleep mode with no apparent way to disable it, and a real attacker could disable firmware update routines in both normal and recovery mode, making the malicious firmware impossible to wipe or patch.
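
The keyboard impersonation described above is visible to the host in the HID report descriptor the device presents. The following check is an added example, not code from the original research or from the vendor: it walks a report descriptor and flags a top-level keyboard collection on a device that is supposed to be a speaker. The two sample descriptors are constructed for illustration and are not taken from the Katana V2X firmware.

```python
# Added example: flag a keyboard collection in a USB HID report descriptor.
GENERIC_DESKTOP, KEYBOARD, KEYPAD = 0x01, 0x06, 0x07

def top_level_usages(desc: bytes):
    """Return [(usage_page, usage)] for each top-level Application collection."""
    found, usage_page, usages, depth, i = [], 0, [], 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                  # long item: data size is the next byte
            if i + 1 >= len(desc):
                raise ValueError("truncated HID report descriptor")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]  # short item: low 2 bits encode size
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated HID report descriptor")
        value = int.from_bytes(data, "little")
        item = prefix & 0xFC                # tag and type with size bits masked
        if item == 0x04:                    # Global: Usage Page
            usage_page = value
        elif item == 0x08:                  # Local: Usage (4-byte form carries its page)
            usages.append((value >> 16, value & 0xFFFF) if size == 4 else (None, value))
        elif item == 0xA0:                  # Main: Collection
            if depth == 0 and value == 0x01 and usages:   # 0x01 = Application
                page, usage = usages[0]
                found.append((usage_page if page is None else page, usage))
            depth += 1
        elif item == 0xC0:                  # Main: End Collection
            depth -= 1
        if item in (0x80, 0x90, 0xA0, 0xB0, 0xC0):  # every Main item resets locals
            usages = []
        i += 1 + size
    return found

def exposes_keyboard(desc: bytes) -> bool:
    """True if any top-level collection is a Generic Desktop keyboard or keypad."""
    return any(page == GENERIC_DESKTOP and usage in (KEYBOARD, KEYPAD)
               for page, usage in top_level_usages(desc))

# Constructed samples: a media-key (Consumer Control) collection, and the same
# descriptor with a keyboard collection appended.
MEDIA_KEYS = bytes.fromhex(
    "05 0c 09 01 a1 01 15 00 25 01 09 e9 09 ea 75 01 95 02 81 02 95 06 81 01 c0")
WITH_KEYBOARD = MEDIA_KEYS + bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 c0")
```

On a real host the descriptor bytes would come from the operating system's USB stack; comparing the result against a known-good baseline for each audio peripheral is what turns this into a detection.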