>Email from SingCERT stating vendor "do not consider this to be a vulnerability, as it does not present a cybersecurity risk."

So wirelessly writing custom firmware to someone else's device that is connected via USB to their computer without even needing to pair is not a security vulnerability. Yea.

The same can be said about any computer that runs macOS or Windows. Being able to run your own software doesn't have to be a vulnerability per se.

The reflashing interface being available over Bluetooth is weird but you will need physical access to pair with the speaker AFAIK

Edit: I was wrong, this is a BTLE endpoint that works without pairing. In that case, this is a ridiculous vulnerability. I hope they'll patch it in a way that doesn't take away the ability to run your own software.

"You can just make it type words, what's the risk in that?"

Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.

My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.

That answer will change very quickly, if someone marches to a Creative show room, sales event or CES and "patches" all of their devices.

I don't even remember what it is I have learned about Creative Labs in the past, but I went into this pretty sure that Creative Labs was going to fuck it up somehow.

This quote on risk seems to completely misunderstand the concept of risk. First we have a vulnerability ( IMHO that is equals a hazard), then we assign both impact and probability and only then we get risk. By definition there are IMHO always vulnerabilities with low impact or low probability and thus low risk. While CVEs have some score, the actual risk and later accepting those risks before or after mitigations is up to the use case to define. No risk => no vulnerability is flawed reasoning by design. No vulnerability => no risk, I think is the only thing we can agree on.

In reality, even if they did recognize the severity of this problem, they likely view the cost to remediate it as prohibitive, as it would involve reworking their whole weird janky system. So better to pretend they don’t have to deal with security.

Yeah, but we already sold the device, so it's someone else's problem. Now if they were paying us a subscription fee..

AND being able to further reprogram the device to gain control of the PC.

This is negligence of the highest kind.

Sounds like Microsoft too:

https://www.youtube.com/watch?v=9kxx5xp5nTQ

The vendor response is the more worrying part

> SingCERT dropped the case

I expect some dodgy company to try to shirk out of it, I don't expect a country's cybersecurity agency to do so

probably not high enough risk to consider one on their list. First you need someone to be physically in there, 2nd the person needs to have a USB speaker connected, which means is likely a home. 3rd if it's a restaurant or something you need the thing to not play anything first with a lot of restaurant noise