The word “smart” has become such a powerful selling point that sometimes manufacturers jump almost head first into adding connectivity to their products. Among the latest to receive WiFi and Bluetooth are guitar amplifiers. But just as musicians develop their own personality, manufacturers of instruments implement technology differently, sometimes overlooking important aspects that could defeat the purpose of their product.
Security researchers have found that the Mustang GT 100 guitar amplifier from Fender acts as a Bluetooth device without authenticating the connection. Simply put, anyone with a smartphone can feed it any sound or music and the Mustang takes the order without question. The problem is amplified by the fact that the device is also intended for live performances.
With smart features, a guitar amp can work with sound presets using a mobile app. The app can use the phone’s WiFi to download new presets and send them to the amp via Bluetooth, or it can create new ones. Changing the presets does not require authentication, making it possible to rename them, add new ones or change their assignment to songs.
Unless Bluetooth is disabled before a live gig, anyone in the audience could connect to the amp (default ID is “Mustang GT”) and turn the performance into a private party, at least for a short while, or ruin the concert. To prove this point, researchers at Pen Test Partners staged a demonstration in which a guitar riff was suddenly interrupted by the tunes of Never Gonna Give You Up, the famous rickroll song.
The researchers were able to push a new preset to the amplifier over Bluetooth and activate the “tuning” function, which mutes the amplifier. Until Fender releases a patch that adds at least basic authentication over Bluetooth, the researchers recommend that guitarists disable this connection when they are not using it. The researchers do not view this as a vulnerability, but as a feature that could be abused.
Bluetooth connectivity, as currently implemented in the Fender Mustang GT 100 amp, may be intended only for the studio, but it is not hard to imagine how artists could forget to turn the connection off before going live on stage.
Image credit: davesguitar.com