Some security hacks require someone to have physical access to your computer. In many cases, that’s easy to mitigate. Other attack vectors can put you at risk from anywhere via the network. That’s what firewalls are for. But there is an in-between risk where an attacker just has to be “around” your computer. [Rasmus Moorats] found out that a Creative Sound Blaster sound bar could open up just such an attack.
[Rasmus] was poking around the firmware just to write custom software to control it. The possibility of an attack was just an accidental find.
The soundbar connects to USB, but it also has Bluetooth, which, for some reason, is always on. There’s an app that can communicate with the speaker using BLE, and Creative has a special protocol to control it. The same protocol works on USB or Bluetooth, but with an important difference.
On USB, you have to authenticate before you can send commands, although you can easily decompile the provided apps and learn the authentication key. Over BLE, for some reason, the speaker doesn’t require authentication at all. You can simply send commands via BLE, and the speaker obeys. No pairing. No physical access. Just be close enough for a Bluetooth connection.
The worst of the commands lets you reflash the device firmware. So, if you were a bad actor, you could flash firmware to act as a USB keyboard and then inject lots of bad commands into the host system.
BLE seems to be a common vector in consumer electronics. Maybe now you have to air-gap your speakers, too.
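
The root cause described above, an authentication check tied to one transport, is shown here beside a dispatcher that applies the same per-command policy to every transport. This is an added example, not code from Creative's firmware or from [Rasmus]'s work; the command names, the session structure and the USB-only firmware policy are assumptions.

```c
#include <stdbool.h>

/* All names are hypothetical; this is not Creative's protocol or firmware. */
enum transport { VIA_USB = 1 << 0, VIA_BLE = 1 << 1 };
enum command   { CMD_GET_VOLUME, CMD_SET_VOLUME, CMD_FLASH_FIRMWARE, CMD_COUNT };
enum result    { RES_OK, RES_DENIED, RES_UNKNOWN };

struct session {
    enum transport via;
    bool authenticated;   /* set only by a completed auth exchange */
};

/* The flaw described in the article: the auth check is keyed on the
 * transport, so a BLE session is never asked to authenticate. */
enum result dispatch_flawed(const struct session *s, enum command cmd)
{
    if ((unsigned)cmd >= CMD_COUNT)
        return RES_UNKNOWN;
    if (s->via == VIA_USB && !s->authenticated)
        return RES_DENIED;
    return RES_OK;        /* BLE falls through, firmware flashing included */
}

/* Per-command policy, checked the same way on every transport. */
struct policy {
    bool     needs_auth;
    unsigned allowed_via; /* bitmask of enum transport */
};

static const struct policy POLICY[CMD_COUNT] = {
    [CMD_GET_VOLUME]     = { true, VIA_USB | VIA_BLE },
    [CMD_SET_VOLUME]     = { true, VIA_USB | VIA_BLE },
    /* Assumed policy choice: firmware updates only over the cable. */
    [CMD_FLASH_FIRMWARE] = { true, VIA_USB },
};

enum result dispatch_hardened(const struct session *s, enum command cmd)
{
    if ((unsigned)cmd >= CMD_COUNT)
        return RES_UNKNOWN;
    const struct policy *p = &POLICY[cmd];
    if (!(p->allowed_via & (unsigned)s->via))
        return RES_DENIED;            /* wrong transport for this command */
    if (p->needs_auth && !s->authenticated)
        return RES_DENIED;            /* no transport gets a free pass */
    return RES_OK;
}
```

The `authenticated` flag stands for whatever exchange the device uses; since the article notes the USB key can be recovered from the apps, a key shipped inside the app would not make that flag trustworthy on its own.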

Bluetooth is the root of all security evil.
Does this apply to 5.0 and above?
no, stupidity is
Have you used any of the BLE stacks? They’re a pile of burning garbage. It all sucks and should be completely abandoned for something better.
That having been said, NimBLE is the best I’ve found. If you’re interested in using BLE, use NimBLE or go do something else.
I thought I’d look through the Bluetooth spec once. Then I found out it was over 1000 pages and seemed like a jumbled mess.
Agreed. I don’t think there is a single Android security bulletin, monthly release, that does not contain a Bluetooth issue, for the last decade.
Why can’t you connect it with mini-jack, as God intended? (Or even use TOSLINK if you’re into the whole teenage-rebel-satanist thing.)
I second toslink. One of the simplest technologies (relatively speaking) that should always be included in all mid-fi wares (and usually omitted).
Another security problem with BT is the (often constant even if off) broadcast of manufacturer and model names from TVs and other desirable and stealable consumer products in people’s homes.
OTOH I know when the mailwoman’s headset has been here, and the neighbor’s car (head unit) comings and goings.
Yes! I would love to disable Bluetooth (or at least Bluetooth discoverability) on my LG TVs! It’s insane that that is not an option.
There was an article on here a few days ago about that very thing forcing an aircraft to return to the airport.
https://hackaday.com/2026/05/31/hackaday-links-may-31-2026/
You can easily track cars driving by your house if they’re broadcasting BT stuff.
i think the key to a good security posture is to decide what risks you’re willing to take. nothing will be perfect so “i take no risks” just means you’re in denial and that is the worst attitude toward security possible.
i’ve decided, if you get onto my local wifi (which is open), then you can have quite a few goodies. my android tv box, my ipcam, my wife’s windows laptop, probably my wireless APs are vulnerable too…all open attack surface. the stuff i actually care about is isolated one more layer than that and ideally should not be vulnerable to the local network. or at least, not any more vulnerable locally than externally. knock on wood.