Allowing arbitrary firmware updates without any signature validation, over Bluetooth, even unpaired and in sleep mode, and without any authentication is absolutely wild and should be criminal negligence.
It took Creative nearly two months to respond to SingCERT. Unfortunately, their response was that “they do not consider this to be a vulnerability, as it does not present a cybersecurity risk”
What a foolish response. The guy wasn’t asking for money and gave them everything they would need to make a patched firmware.
I suppose that depends on your definition of a cybersecurity risk. Unfortunately it likely won’t matter to them unless it starts affecting their bottom line.
Getting in touch with Creative was a frustrating process.
They do not have any security contacts. In fact, I wasn’t even able to find regular contacts that wasn’t just a support form on their website. I tried (two times) to get in contact with them via the web form before giving up and contacting SingCERT to act as an intermediary, hoping they would have better luck reaching Creative.
Initially, SingCERT didn’t seem to be able to get in contact with Creative either. It took Creative nearly two months to respond to SingCERT. Unfortunately, their response was that “they do not consider this to be a vulnerability, as it does not present a cybersecurity risk”. I don’t know how they reached this conclusion, but it became clear that Creative had no interest in responding to or addressing this issue.
I don’t understand how this can still happen with a well known brand in 2026. Personally the microphone is the least concerning aspect of this finding, since a Bluetooth connection would still be required. With more dedicated research, the BadUSB aspect is far more concerning in my book. Plug the speaker into a computer, even once and only to charge, and the computer is pwned? Preventing any future patching? I don’t know how I could ever trust one of these devices going forward.
Awesome write up.
Allowing arbitrary firmware updates without any signature validation, over Bluetooth, even unpaired and in sleep mode, and without any authentication is absolutely wild and should be criminal negligence.
What a foolish response. The guy wasn’t asking for money and gave them everything they would need to make a patched firmware.
“does not present a cybersecurity risk…” to them.
I suppose that depends on your definition of a cybersecurity risk. Unfortunately it likely won’t matter to them unless it starts affecting their bottom line.
“It’s not a vulnerability, no I’m not crying”
“You’re the vulnerability”
Came to comment the same.
That and it has a microphone built in.
Well I won’t be buying another creative product ever again
I didn’t even know that was still an option.
I don’t understand how this can still happen with a well known brand in 2026. Personally the microphone is the least concerning aspect of this finding, since a Bluetooth connection would still be required. With more dedicated research, the BadUSB aspect is far more concerning in my book. Plug the speaker into a computer, even once and only to charge, and the computer is pwned? Preventing any future patching? I don’t know how I could ever trust one of these devices going forward.