A USB-connected speaker can infect a PC over the air without ever being touched

Researchers at Ruhr University Bochum have shown that a popular USB-Bluetooth speaker can have code injected into its firmware from more than 30 metres away and then send keyboard- or mouse-like commands to the connected computer. The finding, reported by Ars Technica, reveals a new class of attack that needs no user interaction.
The attack exploits a missing validation in the GATT layer of the Bluetooth Low Energy (BLE) protocol. The product allows users to upload themes or audio EQ profiles via BLE from a mobile app; researchers confirmed that the same channel can also transfer executable code.
The product's name and a Common Vulnerabilities and Exposures (CVE) identifier will be released in a coordinated disclosure in the coming weeks. Ars Technica says the manufacturer is being given time to deploy a patch, but notes the product holds a four-star average on Amazon and Best Buy and has a wide distribution footprint.
After the firmware injection, the device can send Human Interface Device (HID) commands to the PC over USB. That means acting like a keyboard, opening a terminal, executing a script and eventually launching a malware loader.
The critical feature of the attack is the range BLE offers: an attacker can operate from more than 30 metres away. In open offices, cafés, libraries or conference rooms, the attacker does not need physical access to the target.
The researchers will present their work in detail at Black Hat USA 2026. Professor Christof Paar, head of the Bochum group, told Ars Technica: "Consumer electronics with BLE-writable firmware have exploded. If manufacturers don't take validation mechanisms seriously, this class of attack will grow."
On the user side, the article lists practical steps: avoid products that don't show a confirmation dialog for BLE-based firmware updates, turn off devices that remain in "GATT discoverable" mode and run endpoint protection software that issues OS-level HID-injection alerts.
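The "OS-level HID-injection alerts" mentioned above are typically driven by timing heuristics: a human types at tens to hundreds of milliseconds per key with irregular gaps, whereas a device replaying a scripted keystroke sequence delivers reports at a short, near-constant cadence. The following is an added illustration of such a heuristic, written for this page; it is not the article's, the researchers' or any vendor's code, and the event streams, thresholds and the `KeyEvent`/`Burst` types are constructed assumptions.

```python
"""Heuristic detector for injected HID keystrokes (added illustration, not a product's code).

Flags runs of consecutive key-down events whose gaps are all short and almost perfectly
uniform, which is characteristic of scripted replay rather than human typing.
"""
from statistics import pstdev
from typing import List, NamedTuple


class KeyEvent(NamedTuple):
    t_ms: float  # timestamp of the key-down report, in milliseconds
    key: str


class Burst(NamedTuple):
    start: int  # index of the first event in the suspicious run
    end: int  # index of the last event (inclusive)
    mean_interval_ms: float
    jitter_ms: float  # population std-dev of the gaps inside the run


def find_injection_bursts(events: List[KeyEvent],
                          max_interval_ms: float = 30.0,
                          min_keys: int = 10,
                          max_jitter_ms: float = 5.0) -> List[Burst]:
    """Return every run of >= min_keys events whose gaps are all <= max_interval_ms
    and whose gap jitter is <= max_jitter_ms (assumed thresholds, tune per fleet)."""
    bursts: List[Burst] = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # The run continues while the next gap is still short.
        if i < len(events) and events[i].t_ms - events[i - 1].t_ms <= max_interval_ms:
            continue
        # The run [run_start, i-1] has ended: score it.
        if i - run_start >= min_keys:
            gaps = [events[j].t_ms - events[j - 1].t_ms for j in range(run_start + 1, i)]
            jitter = pstdev(gaps)
            if jitter <= max_jitter_ms:
                bursts.append(Burst(run_start, i - 1, sum(gaps) / len(gaps), jitter))
        run_start = i
    return bursts


def build_stream(keys: str, intervals_ms: List[float], t0: float = 0.0) -> List[KeyEvent]:
    """Construct a key-event stream from text and a cyclic list of gaps (sample data only)."""
    events, t = [], t0
    for i, k in enumerate(keys):
        if i:
            t += intervals_ms[(i - 1) % len(intervals_ms)]
        events.append(KeyEvent(t, k))
    return events


# Constructed samples: irregular human-paced typing, a uniform 8 ms replay, and both in sequence.
HUMAN = build_stream("the quick brown fox jumps over", [120, 210, 95, 260, 150])
INJECTED = build_stream("constructed injected text", [8])
MIXED = HUMAN + build_stream("constructed injected text", [8], t0=HUMAN[-1].t_ms + 400)

if __name__ == "__main__":
    for name, stream in (("human", HUMAN), ("injected", INJECTED), ("mixed", MIXED)):
        for b in find_injection_bursts(stream):
            print(f"{name}: ALERT keys {b.start}-{b.end}, "
                  f"{b.mean_interval_ms:.1f} ms/key, jitter {b.jitter_ms:.1f} ms")
```

A real agent would read events from the input layer and tie each burst to the USB device that produced it; the thresholds here are deliberately conservative so that fast but human typing (which still has tens of milliseconds of jitter) does not trip the alert.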
For enterprise IT, the attack model may require updates to USB endpoint control policies. Most existing USB allow-lists filter by vendor and product ID (VID/PID), but those controls can be bypassed when an allow-listed device additionally presents itself as an ordinary HID-class device.
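To make the allow-list point concrete, here is an added example (written for this page, not the article's or any vendor's code) that contrasts a VID/PID-only check with one that also compares the interface classes a device actually enumerates against the profile expected for that VID/PID. The VID/PID values, the `UsbDevice` model and the policy table are constructed placeholders; the class codes used are the standard USB-IF base class codes.

```python
"""Interface-class aware USB allow-list check (added illustration, not a product's code).

A VID/PID allow-list answers "is this the speaker we bought?". It does not answer "is this
speaker still behaving like a speaker?". Comparing enumerated interface classes against the
expected profile catches a device that has grown a HID (keyboard/mouse) function.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Subset of USB-IF base class codes, used only to make verdicts readable.
USB_CLASS_NAMES = {0x01: "Audio", 0x02: "CDC", 0x03: "HID",
                   0x08: "Mass Storage", 0x09: "Hub", 0x0E: "Video"}
HID_CLASS = 0x03


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    interface_classes: Tuple[int, ...]  # bInterfaceClass of each enumerated interface


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


# (VID, PID) -> the set of interface classes that product is expected to expose.
Policy = Dict[Tuple[int, int], FrozenSet[int]]


def check_vid_pid_only(device: UsbDevice, allowlist: Set[Tuple[int, int]]) -> Verdict:
    """Naive control: looks only at VID/PID, so any interface the device adds passes."""
    if (device.vid, device.pid) in allowlist:
        return Verdict(True, "VID/PID on allow-list")
    return Verdict(False, "VID/PID not on allow-list")


def check_interface_profile(device: UsbDevice, policy: Policy) -> Verdict:
    """Stricter control: VID/PID must be listed AND every interface class must be expected."""
    expected = policy.get((device.vid, device.pid))
    if expected is None:
        return Verdict(False, "VID/PID not on allow-list")
    unexpected = sorted(set(device.interface_classes) - expected)
    if not unexpected:
        return Verdict(True, "interfaces match the expected profile")
    names = ", ".join(f"{USB_CLASS_NAMES.get(c, 'unknown')} (0x{c:02x})" for c in unexpected)
    tag = "possible HID injection" if HID_CLASS in unexpected else "unexpected function"
    return Verdict(False, f"{tag}: interface class(es) {names} not in profile")


# Constructed sample data; the VID/PID pair is a placeholder, not a real product's.
SPEAKER_ID = (0x1234, 0x5678)
POLICY: Policy = {SPEAKER_ID: frozenset({0x01})}  # the speaker is expected to be audio-only
HEALTHY_SPEAKER = UsbDevice(*SPEAKER_ID, (0x01, 0x01))  # audio control + audio streaming
COMPROMISED_SPEAKER = UsbDevice(*SPEAKER_ID, (0x01, 0x01, 0x03))  # same VID/PID, plus HID
UNKNOWN_DEVICE = UsbDevice(0x4321, 0x8765, (0x03,))


def audit(devices: Dict[str, UsbDevice]) -> Dict[str, Tuple[Verdict, Verdict]]:
    """Run both checks over a set of devices; returns (naive, strict) verdicts per device."""
    return {name: (check_vid_pid_only(d, set(POLICY)), check_interface_profile(d, POLICY))
            for name, d in devices.items()}


if __name__ == "__main__":
    sample = {"healthy": HEALTHY_SPEAKER, "compromised": COMPROMISED_SPEAKER,
              "unknown": UNKNOWN_DEVICE}
    for name, (naive, strict) in audit(sample).items():
        print(f"{name:12s} VID/PID-only: {naive.allowed!s:5s} | "
              f"interface profile: {strict.allowed!s:5s} ({strict.reason})")
```

On a live host the interface classes would come from the enumerated descriptors (for example, the per-interface `bInterfaceClass` values exposed by the OS) rather than from constructed objects; the policy logic stays the same.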
Other products with a similar architecture are being tested by security researchers; a wider product family may be affected. Product categories under study include smart doorbells, USB headsets and home-automation hubs.
User defences depend on how quickly manufacturers ship patches. Ars Technica argues that tightening USB policies in enterprise environments and keeping consumer BLE products off the corporate network is the strongest short-term defence.
More from Tech

Congress still can't decide what to do about warrantless surveillance under Section 702
A Senate vote on a Section 702 reform package failed. According to The Verge, an amendment introduced by Republican Senator Bill Pulte that would have required a warrant fell 47-51. The surveillance authority is set to expire in December.

Small modular nuclear reactor reaches criticality in first US test
An 80 MW small modular reactor (SMR) built by TerraPower at Idaho National Laboratory has reached criticality in the first US test of an SMR design. The reactor's factory-manufactured modular architecture aims to cut construction times to a third of those of standard reactors.

Reid Hoffman leaves Microsoft's board to go into "founder mode" with Manus startup
LinkedIn co-founder Reid Hoffman has announced he is leaving Microsoft's board to spend more time at AI agent startup Manus. Manus's $800 million Series D round earlier this year put Hoffman back into "founder mode".