Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered.
The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your amp output", security researcher Chris Pritchard of Pen Test Partners (PTP) reported.
The device - marketed towards gigging musicians - is trivially easy to hack, as a video put together by PTP demonstrates.
Anyone using the Mustang GT at a concert therefore ought to turn Bluetooth off - even though that removes the "smart" features that would have been the main reason for buying it in the first place.
The same amplifier is also vulnerable to more subtle hacks. For example it's possible to interfere with its preset sound settings.
The presets feature allows users to wield a smartphone app that imbues the amp with presets that mimic famous guitarists' signature sounds. The app interacts with the amp over Bluetooth Low Energy (BLE) and does so separately to the Bluetooth audio input.
Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.
Security researchers at Pen Test Partners also put the Marshall Code 50 smart amp through its paces. Marshall’s machine has similar features to the Fender but with better security. "It relies on authentication to do anything, so it can’t be hijacked in the same way," PTP's Pritchard said.
The issues uncovered in Fender's amp are best described as features that are open to abuse rather than vulnerabilities that could leak data. They do, however, illustrate that vendors are adding smarts to all manner of technologies without also adding intelligent security controls.
"We don’t consider these to be vulnerabilities particularly, more abuse of features for unintended consequences," Pen Test Partners' Ken Munro told El Reg.
PTP reckons Fender could mitigate the issues it has uncovered by implementing some simple pairing security. "Even a button press on the amp to put it in pairing mode for a short period would be a step in the right direction," PTP concludes.
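The button-press pairing window PTP suggests can be modelled in a few lines of C. This is an added illustration, not Fender's firmware or PTP's code: the function names, the 30-second window and the address-based bond table are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAIR_WINDOW_MS 30000u  /* assumed window length */
#define MAX_BONDS 4            /* assumed bond table size */

/* Simplification: a real stack identifies a bonded peer by its stored
 * link key, not by its address, which can be spoofed. */
typedef struct { uint8_t addr[6]; } peer_t;
typedef struct {
    bool     window_open;
    uint32_t window_deadline_ms;
    peer_t   bonds[MAX_BONDS];
    int      n_bonds;
} amp_sec_t;

/* Physical button on the amp: the only way to open a pairing window. */
void amp_button_press(amp_sec_t *s, uint32_t now_ms) {
    s->window_open = true;
    s->window_deadline_ms = now_ms + PAIR_WINDOW_MS;
}

static bool is_bonded(const amp_sec_t *s, const peer_t *p) {
    for (int i = 0; i < s->n_bonds; i++)
        if (memcmp(s->bonds[i].addr, p->addr, 6) == 0) return true;
    return false;
}

/* Pairing succeeds only inside an open window; each press admits one new peer. */
bool amp_pair_request(amp_sec_t *s, const peer_t *p, uint32_t now_ms) {
    /* Signed difference keeps the comparison correct across tick wraparound. */
    if (!s->window_open || (int32_t)(now_ms - s->window_deadline_ms) >= 0) {
        s->window_open = false;
        return false;
    }
    if (is_bonded(s, p)) return true;
    if (s->n_bonds >= MAX_BONDS) return false;
    s->bonds[s->n_bonds++] = *p;
    s->window_open = false;
    return true;
}

/* One gate for audio streaming, preset writes and the tuner mute alike. */
bool amp_authorize(const amp_sec_t *s, const peer_t *p) {
    return is_bonded(s, p);
}
```

Routing both the audio input and the BLE preset interface through the same check is what closes the gap described above, where the two channels are reachable separately.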
Fender is yet to respond to a request for comment from The Register. ®
Updated to add
A spokesman for Fender has finally been in touch to say the Bluetooth-related security issues "were addressed in an update to the amp a few months ago," although you need to install said update to benefit from it.
"Any new amps should now have the latest software, and as always we recommend that you update your amp to get the latest software, which includes fixes like this," he said. "The software can be easily updated via Wi-Fi, and only takes a few minutes, depending on your internet speed."