Fender's 'smart' guitar amp has no Bluetooth pairing controls

Bum note: you could Rickroll an artist live on stage

By John Leyden

Posted in Security, 27th February 2018 08:02 GMT

Updated Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered.

The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your amp output", security researcher Chris Pritchard of Pen Test Partners (PTP) reported.

The device - marketed towards gigging musicians - is trivially easy to hack, as a video put together by PTP (below) demonstrates.

Anyone using the Mustang GT at a concert therefore ought to turn Bluetooth off - even though that removes the "smart" features that would have been the main reason for buying it in the first place.

The same amplifier is also vulnerable to more subtle hacks. For example it's possible to interfere with its preset sound settings.

The presets feature allows users to wield a smartphone app that imbues the amp with presets that mimic famous guitarists' signature sounds. The app interacts with the amp over Bluetooth Low Energy (BLE) and does so separately to the Bluetooth audio input.

Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.

Security researchers at Pen Test Partners also put the Marshall Code 50 smart amp through its paces. Marshall’s machine has similar features to the Fender but with better security. "It relies on authentication to do anything, so it can’t be hijacked in the same way," PTP's Pritchard said.

The issues uncovered in Fender's amp are best-described as features that are open to abuse rather than vulnerabilities that could leak data. They do, however illustrate that vendors are adding smarts to all manner of technologies without also adding intelligent security controls.

"We don’t consider these to be vulnerabilities particularly, more abuse of features for unintended consequences," Pen Test Partners' Ken Munro told El Reg.

PTP reckons Fender could mitigate the issues it has uncovered by implementing some simple pairing security. "Even a button press on the amp to put it in pairing mode for a short period would be a step in the right direction," PTP concludes.

Fender is yet to respond to a request for comment from The Register. ®

Updated to add

A spokesman for Fender has finally been in touch to say the Bluetooth-related security issues "were addressed in an update to the amp a few months ago," although you need to install said update to benefit from it.

"Any new amps should now have the latest software, and as always we recommend that you update your amp to get the latest software, which includes fixes like this," he said. "The software can be easily updated via Wi-Fi, and only takes a few minutes, depending on your internet speed."

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Google reveals rapid Bluetooth gadget connection tech

'Fast Pair' works on Androids and some audio devices, Google wants it in your car too

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

Updated The BlueBorne ultimatum

UK Data Protection Bill tweaked to protect security researchers

Re-identification of data will not be a crime, as long as you warn the authorities

Facebook smartmobe app's pre-ticked privacy settings violate German data protection law

Court favours consumer group in long-running dispute

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al

Creepy Cayla doll violates liberté publique, screams French data protection agency

You can probably strike these toys off your kids' Crimbo lists

Dell EMC patches 3 zero-days in Data Protection Suite

Could combine to 'fully compromise' virtual appliance, researchers warn

UK.gov's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal