[hootz]

>Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."

So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.

[Uncle_Brumpus]

"You can just make it type words, what's the risk in that?"

Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.

My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.

[phh]

> "You can just make it type words, what's the risk in that?"

I don't know if it's a useful answer to people saying this kind of stuff, but here are some examples of other attacks arbitrary USB pwn allows.

A USB device can appear as a network adapter and most OS will happily route all your traffic there, so your speaker can know which porn you're looking at!

It can also appear as a DisplayLink dongle, so it can see what's on the screen (it does require those specific drivers installed, and uh yeah, no way in hell it's technically possible on that MCU).

It can also turn it into a mouse jiggler to prevent lock screen (yes it's technically the same thing as your first point, just HID, but different angle).

It can also appear as a USB-storage: You don't trust the cloud, so you're writing those super secret documents to give to your boss on the USB drive you just plugged in? Surprise, you actually sent it to the attacker.

[Ajedi32]

The ability to "type words" is worse than all of that. Just type Win+R, "cmd", Enter and you've got arbitrary code execution on the connected PC. I think that was GP's point. Any competent security team would be aware of such risks.

[trhway]

Couple decades ago a product team of our product, the team consisting of PMs, senior engineers, etc., dismissed a security issue as a not serious because notepad.exe - which the PoC used to show arbitrary command execution - supposedly can't do much damage.

[xeonmc]

See also the debacle with Razer gaming mice giving you root access just by plugging in, which I think takes the cake for clownshoe software practices almost rivalling Riot Games (though not with the latter's degree of self-congratulatory Dunning-Kruger gusto.)

[hootz]

Oh yeah, for some reason the companies with the highest risk products seem to be the ones that care less about security. Don't even get me started with "smart" bulbs and cameras that each individually connect to your local network and the Internet. You have 5 lightbulbs? That's 5 different devices you need to track, keep updated and trust the in the vendor firmware's security.

[zahlman]

> "smart" bulbs

Thankfully I don't think I've seen these for sale.

What sensors would they have that could be exploited by an attacker?

[duckmysick]

You don't need to exploit sensors. If a compromised device is connected to the internet (because the vendor app requires it to set up and control), you can use it as a part of botnet with a nice residential IP address.

[zahlman]

... Why does it have anywhere near the level of computing power that a botnet would find useful?

[Nasrudith]

Guess what the big bottleneck is in a DDOS? Not the computing power.

[zeta0134]

Shopping in the US, these have entirely replaced zigbee and other sensible mesh-based options at hardware stores like Home Depot and Lowes. The only exception I can find is Phillips Hue, and those seem to be slowly getting phased out with (sigh) a new "hubless" (requires wifi) series.

I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.

(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)

[zahlman]

> I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart.

Absolutely support you in that. I don't really feel the urge to automate appliances around me in the first place, though. I feel like I'd just be locking myself into the schedule I'd automated, building my life around it. What good is free time without freedom?

[sebastiennight]

> Regular bulbs are still much more common on store shelves, because why fix what isn't broken?

TV manufacturers might want to differ.

[efreak]

A light bulb doesn't require a processor to turn on and off when power is applied, so the only reason to add one is for extra functionality. A TV requires a (relatively) powerful processor just for decoding the signal.

[samtheDamned]

If we could started teaching Morse Code in standard curriculum then in about 18 years or so we could finally subsidize smart lightbulbs with blinking ads for products and then we could stop selling pesky "dumb" bulbs.

[hgoel]

You can find a lot of literature out there for tracking people based on WiFi signal strength. The very thing they use to connect ends up being a sensor that gives away some pretty critical info.

[RobMurray]

wifi, bluetooth, and microphones. Yes microphones. I have a very cheap smart bulb with a mode that responds to music. That's not even unusual for smart bulbs.

[rcxdude]

Probably most of them. It's not exactly an area with a great focus on quality, let alone security.

[gorbachev]

That answer will change very quickly, if someone marches to a Creative show room, sales event or CES and "patches" all of their devices.

[gaudystead]

That's assuming the attacker informs Creative of the attack. A malicious actor could go to the showroom, update the firmware on all devices, and simply let them continue on as normal, waiting for a future opportunity to strike.

Let's hope Creative patches things before something like this happens.

[riedel]

This quote on risk seems to completely misunderstand the concept of risk. First we have a vulnerability ( IMHO that is equals a hazard), then we assign both impact and probability and only then we get risk. By definition there are IMHO always vulnerabilities with low impact or low probability and thus low risk. While CVEs have some score, the actual risk and later accepting those risks before or after mitigations is up to the use case to define. No risk => no vulnerability is flawed reasoning by design. No vulnerability => no risk, I think is the only thing we can agree on.

[xnickb]

Yeah, but we already sold the device, so it's someone else's problem. Now if they were paying us a subscription fee..

[jagged-chisel]

It still wouldn’t be our problem because the ToS says the customer accepts all risk and liability.

[jeroenhd]

The same can be said about any computer that runs macOS or Windows. Being able to run your own software doesn't have to be a vulnerability per se.

The reflashing interface being available over Bluetooth is weird but you will need physical access to pair with the speaker AFAIK

Edit: I was wrong, this is a BTLE endpoint that works without pairing. In that case, this is a ridiculous vulnerability. I hope they'll patch it in a way that doesn't take away the ability to run your own software.

[protimewaster]

I don't even remember what it is I have learned about Creative Labs in the past, but I went into this pretty sure that Creative Labs was going to fuck it up somehow.

[3form]

AND being able to further reprogram the device to gain control of the PC.

This is negligence of the highest kind.

[KurSix]

The vendor response is the more worrying part

[semiquaver]

In reality, even if they did recognize the severity of this problem, they likely view the cost to remediate it as prohibitive, as it would involve reworking their whole weird janky system. So better to pretend they don’t have to deal with security.

[necovek]

This is why governments need to — and are — stepping in with things loke Cyber Resilience Act in EU.

If this product continues to sell in EU after Dec 2027, they will have an obligation to update.

[semiquaver]

Easy fix from the company’s point of view: make product lifecycles one year tops.

[HarHarVeryFunny]

Sounds like Microsoft too:

https://www.youtube.com/watch?v=9kxx5xp5nTQ

[iso1631]

> SingCERT dropped the case

I expect some dodgy company to try to shirk out of it, I don't expect a country's cybersecurity agency to do so

[vuurmot]

ESL moment Read the article properly, it is the company that tried to shirk out of it

[throwwwll]

Morons they are.

[m3kw9]

probably not high enough risk to consider one on their list. First you need someone to be physically in there, 2nd the person needs to have a USB speaker connected, which means is likely a home. 3rd if it's a restaurant or something you need the thing to not play anything first with a lot of restaurant noise

[praptak]

> First you need someone to be physically in there

Bluetooth works fine through walls.

[hootz]

First, you need a skiddie neighbor who knows about your speaker and has an AI agent that can read this article, 2nd...

[ikiris]

They must have outsourced their security to MSRC