A USB-connected speaker can infect a PC without ever being touched(arstechnica.com)
arstechnica.com
A USB-connected speaker can infect a PC without ever being touched
https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/
3 comments
Recent discussion: https://news.ycombinator.com/item?id=48382310
Btw, Qubes OS can protect your data and passwords from such attack.
Btw, Qubes OS can protect your data and passwords from such attack.
The speaker has usb interface, and since it uses HID, its bandwidth is limited to 64bytes max per ms; it runs freertos, and for the price of the speaker it is highly unlikely it runs an mcu with trustzone;
moreover, usb descriptors are exchanged with the host in the clear, so patching it and adding a keyboard (that most os will implicitly trust) requires a usb cable, and there is definitely some 'touch' involved to get to that step, even if we ignore the physical access to the speaker/pc for the sake of argument;
of course, once that's done, updating image over bluetooth is easy, and that's the claim behind 'without ever being touched';