So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.
Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.
My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.
Thankfully I don't think I've seen these for sale.
What sensors would they have that could be exploited by an attacker?
I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.
(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)
I expect some dodgy company to try to shirk out of it, I don't expect a country's cybersecurity agency to do so
This is negligence of the highest kind.
Any script kiddie with an LLM could write a worm that would spread through the supply chain, possibly even hacking speakers right on the factory floor and blasting Rickroll music or something similar.
It would be interesting to see if Creative would still claim that it "does not present a cybersecurity risk".
At least used to. SOTA models are enrolling even bigger restrictions all the time and deprecating old models, while asking government IDs.
It doesn't have bluetooth so thankfully something like this wouldn't happen with mine. It's crazy that there's no auth at all for Bluetooth. I was reversing my e-scooter recently (still WIP) and there was a whole bunch of authentication required before its app could control any of it. I am still not confident in its security though
Exfiltrating via audio also brings to mind one of those devices I really wanted to build ~20 years ago that can listen to the inside of a room by bouncing a laser beam off a window. Van pulls up in front of your house, pushes malicious code via bluetooth to speaker, which starts shrieking data it stole from the host that's then picked up by the vibrations it emparts on a window by a laser beam. Boom, crypto wallet stolen, or something... you could probably put that in a movie.
It's crazy that companies just stick their head in the sand, when confronted with serious security issues.