Creative Sound Blaster Katana V2X Bluetooth flaw lets attackers hijack from 50 feet

A security researcher has demonstrated that Creative Technology's Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from up to 16 yards away. The attack requires no physical touch or prior pairing with the device.

Rasmus Moorats, a security researcher, disclosed the vulnerability publicly after what he described as an unresponsive response from Creative. The flaw allows an attacker within range to connect to the soundbar and play arbitrary audio or potentially execute other commands without authentication.

The Vulnerability

The issue lies in how the soundbar handles Bluetooth pairing. According to Moorats, the device does not require a PIN or confirmation for new connections when in discoverable mode. An attacker with a standard Bluetooth adapter can scan for nearby devices, find the Katana V2X and connect without any user interaction.

Once connected, the attacker can stream audio or send commands that the soundbar accepts as legitimate. This could range from playing loud noises to potentially exploiting further firmware weaknesses if they exist.

Company Response

Moorats reported the issue to Creative through its official channels several weeks ago. He claims the company declined to classify the flaw as a cybersecurity risk, instead treating it as a low-priority usability concern.

Creative has not issued a public statement about the vulnerability at time of writing. The company did not respond to requests for comment on this story.

Why This Matters

This vulnerability affects anyone using the Sound Blaster Katana V2X in their home or office. An attacker within roughly 50 feet could hijack the device without warning.

The refusal by Creative to acknowledge this as a security issue raises concerns about how consumer electronics companies handle vulnerabilities in internet-connected devices. If left unpatched, users have no way to protect themselves beyond disabling Bluetooth entirely on the soundbar.

The incident highlights broader problems in IoT security where manufacturers prioritize convenience over safety. Users expect basic protections like pairing confirmation on devices that connect wirelessly in shared spaces such as apartment buildings or open offices.