Highly reviewed speaker can be hacked over the air to infect connected devices

Operating system makers take many steps to prevent their wares from accepting commands from remote devices. The safeguards, designed to thwart malicious attacks, typically require hackers to jump through all kinds of hoops to bypass the measures. But what if remote code execution were as simple as being within Bluetooth range of a speaker connected to the targeted device?

It turns out it can, at least when the speaker is a Sound Blaster Katana V2X sold by Singapore-based Creative Technologies. The speaker, which sells for $283, is widely acclaimed, with numerous reviews praising the sound and performance of both it and its predecessor, the Sound Blaster V2.

A PC-pwning proxy

Researcher Rasmus Moorats stumbled on the hack by accident, after he purchased a Katana V2X, a soundbar that connects to PCs, Macs, and Linux devices over USB or Bluetooth. Moorats was curious if he could create a Linux tool that communicated with his speaker. He discovered he could do so through CTP, a proprietary mechanism he guesses is short for Creative Transport Protocol.

CTP allows devices connected via Bluetooth or USB to send commands to the speaker, such as changing LED colors and equalizer settings. CTP also allows the connected devices to receive responses from the speaker. To Moorats’ surprise, his Bluetooth device was able to connect to the speaker, which was connected to a PC via USB, without any authentication. Not only that, but his Bluetooth device didn’t have to be paired first.

Also surprising: One of the CTP commands, labeled “upload new firmware to device,” allowed him to replace the official firmware with his own custom one. The firmware reflashing didn’t use code signing or other measures to prevent the loading of unofficial code. After successfully replacing the firmware with an image that did nothing more than display the word “patched” on the speaker’s LED display, the researcher got to wondering what else a hacker might do.

So he turned his attention to FreeRTOS, the open source operating system that ran the Katana V2X. It contained a set of HID functions for allowing the speaker to act as a human interface device, a classification that includes keyboards, mice, and webcams. The speaker implemented a limited HID that allowed for things like changing the volume and playing or pausing sound, but little else.

The researcher discovered that he could change the speaker’s USB descriptor set, which is essentially a report that informs devices about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to augment the existing descriptor set with a second one that reported the speaker as a keyboard. Then he used code already included in the firmware to streamline the process of sending keypresses.
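The descriptor change described above, an audio peripheral that suddenly also presents itself as a keyboard, is something a host can check for. The following is an added example, not code from the article, from Moorats, or from Creative: it parses the top-level application collections of a USB HID report descriptor and flags any that an audio device has no reason to expose; both sample descriptors are constructed, and concatenating them stands in for the speaker's augmented descriptor set.

```python
"""Host-side check: parse a USB HID report descriptor and flag a peripheral
that advertises a keyboard collection. Added example, not the article's or
Creative's code; both sample descriptors below are constructed."""

KNOWN = {(0x01, 0x06): "Keyboard", (0x01, 0x02): "Mouse", (0x0C, 0x01): "Consumer Control"}

CONSUMER_CONTROL_DESC = bytes.fromhex(  # constructed: what an audio device legitimately exposes
    "050c0901a101"          # Usage Page (Consumer), Usage (Consumer Control), Collection (App)
    "1500250175019503"      # Logical 0..1, three one-bit fields
    "09e909ea09cd8102"      # Volume Inc, Volume Dec, Play/Pause; Input (Data,Var,Abs)
    "95058103c0")           # 5 padding bits; End Collection
BOOT_KEYBOARD_DESC = bytes.fromhex(     # constructed: the standard boot-protocol keyboard
    "05010906a101"          # Usage Page (Generic Desktop), Usage (Keyboard), Collection (App)
    "050719e029e715002501750195088102"  # 8 modifier bits (key codes 0xE0-0xE7)
    "950175088101"                      # reserved byte
    "9506750815002565050719002965"      # 6 key-code bytes, usages 0x00-0x65
    "8100c0")                           # Input (Data,Array); End Collection

def parse_items(desc: bytes):
    """Yield (type, tag, data) per HID short item; type 0=Main, 1=Global, 2=Local."""
    i = 0
    while i < len(desc):
        prefix = desc[i]                           # bTag(4) | bType(2) | bSize(2)
        if prefix == 0xFE:
            raise ValueError("long items are not supported")
        size = 4 if prefix & 3 == 3 else prefix & 3
        if i + 1 + size > len(desc):
            raise ValueError("truncated item at offset %d" % i)
        yield (prefix >> 2) & 3, prefix >> 4, int.from_bytes(desc[i + 1:i + 1 + size], "little")
        i += 1 + size

def application_collections(desc: bytes):
    """Return [(usage_page, usage)] for every top-level Application collection."""
    page, usages, depth, apps = 0, [], 0, []
    for kind, tag, data in parse_items(desc):
        if kind == 1 and tag == 0x0:               # Global: Usage Page
            page = data
        elif kind == 2 and tag == 0x0:             # Local: Usage
            usages.append(data)
        elif kind == 0:                            # Main items consume local state
            if tag == 0xA:                         # Collection; data 0x01 = Application
                if depth == 0 and data == 0x01 and usages:
                    apps.append((page, usages[0]))
                depth += 1
            elif tag == 0xC:                       # End Collection
                depth -= 1
            usages = []
    return apps

def unexpected_collections(desc: bytes, allowed=frozenset({(0x0C, 0x01)})):
    """Names of application collections outside the allow-list (Keyboard on an audio device is a red flag)."""
    return [KNOWN.get(c, "page 0x%02X usage 0x%02X" % c)
            for c in application_collections(desc) if c not in allowed]
```

Running `unexpected_collections(CONSUMER_CONTROL_DESC + BOOT_KEYBOARD_DESC)` returns `["Keyboard"]`, while the consumer-control descriptor alone passes clean.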

All of this gave Moorats an idea: What if he used his device to send commands to the speaker that used the HID to pass them along to the connected PC? After some trial and error, he found that he could. In a blog post published on Wednesday, he wrote:

“Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.”

“In a real attack scenario, I would execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it impossible to wipe the malicious firmware from the device or patch it in the future. This is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.”

Before the speaker and USB-connected device can interact, they must successfully complete a challenge-and-response authentication procedure. Since the devices perform this handshake automatically each time the software boots, this isn’t usually a problem for the hacker. In certain cases, however, such as when the Katana V2X app isn’t open on the connected device, it’s a requirement. Nonetheless, the authentication is a simple enough hurdle to clear, because the correct response can be extracted from the app binary that ships with the speaker. Surprisingly, no such challenge and response is required for Bluetooth-connected devices.

Moorats reported his findings to Creative Technologies, but never received a response. He then brought in CERT Singapore to intervene. Eventually, the organization got a response from the company. It said company engineers didn’t regard the behavior as a vulnerability. The researcher tested the attack against a connected Windows machine.

It bears repeating that the hacks described can be carried out only when the attacker is within Bluetooth range of the speaker. That’s a significant requirement that limits attacks to neighbors, housemates, or people in offices that are adjacent to the speaker. Still, the ability to turn a Bluetooth device into a PC-pwning proxy and remote bugging device doesn’t exactly evoke warm and fuzzy feelings. It also raises the question: What other Bluetooth devices open users to the same attacks?