Bluetooth Firmware Injection on Katana V2X Enables Remote HID Keyboard Emulation on Hosts
A remote over-the-air firmware update on the Katana V2X speaker allows persistent HID-based host compromise via modified USB descriptors in its FreeRTOS firmware.
Researcher Rasmus Moorats replaced firmware on the Katana V2X speaker via unpaired Bluetooth, then augmented its USB descriptors to report as a keyboard using FreeRTOS HID functions.
Moorats chained descriptor modification with existing keypress routines to execute commands on the connected PC after reboot, bypassing the automatic challenge-response handshake performed at boot.
Bluetooth stays active in sleep mode and the update routine is not disabled, which extends the attack surface; this is consistent with patterns in open-source RTOS device firmware documented in primary analyses of similar peripherals.
AXIOM: Always-active Bluetooth in consumer peripherals extends unauthenticated firmware update windows into persistent host access vectors.
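A host-side check for the descriptor change described above, as an added example that is not code from the researcher or the vendor: it parses a raw USB configuration descriptor and reports interfaces that a recorded baseline does not contain. The baseline and both descriptors are constructed sample data, not the Katana V2X's real descriptors, and `interfaces`, `audit` and `build_config` are names chosen here.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
HID_BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # class HID, boot subclass, keyboard protocol

def interfaces(config):
    """Return the set of (class, subclass, protocol) triples in a raw configuration descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength covers all sub-descriptors
    if total < 9 or total > len(config):
        raise ValueError("wTotalLength does not match the buffer")
    found, off = set(), 0
    while off < total:
        if off + 2 > total or config[off] < 2 or off + config[off] > total:
            raise ValueError("malformed descriptor at offset %d" % off)
        length, dtype = config[off], config[off + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor at offset %d" % off)
            found.add(tuple(config[off + 5:off + 8]))  # bInterfaceClass/SubClass/Protocol
        off += length
    return found

def audit(config, baseline):
    """List interfaces that the baseline does not contain, labelling HID ones."""
    findings = []
    for triple in sorted(interfaces(config) - baseline):
        if triple == HID_BOOT_KEYBOARD:
            label = "HID boot keyboard"
        elif triple[0] == 0x03:
            label = "HID (inspect report descriptor)"
        else:
            label = "unexpected class 0x%02x" % triple[0]
        findings.append((triple, label))
    return findings

def build_config(*triples):
    """Constructed sample data: a configuration descriptor with one interface per triple."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(triples))
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(triples), 1, 0, 0x80, 50) + body

# Constructed baseline for an audio-only device (assumption, not the real Katana V2X descriptors)
AUDIO_ONLY = {(0x01, 0x01, 0x00), (0x01, 0x02, 0x00)}  # AudioControl, AudioStreaming
CLEAN = build_config(*sorted(AUDIO_ONLY))
CHANGED = build_config(*sorted(AUDIO_ONLY), HID_BOOT_KEYBOARD)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("changed", CHANGED)):
        print(name, audit(blob, AUDIO_ONLY))
```

On Linux the same triples appear as `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol` in `lsusb -v` output, so a baseline can be recorded when the device is first connected.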
Sources (3)
- [1] Primary Source (https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/)
- [2] Related Source (https://srlabs.de/badusb/)
- [3] Related Source (https://freertos.org/security.html)