Fender's 'smart' guitar amp has no Bluetooth pairing controls

Bum note: you could Rickroll an artist live on stage

By John Leyden


Updated Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered.

The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your amp output", security researcher Chris Pritchard of Pen Test Partners (PTP) reported.

The device - marketed towards gigging musicians - is trivially easy to hack, as a video put together by PTP (below) demonstrates.

Anyone using the Mustang GT at a concert therefore ought to turn Bluetooth off - even though that removes the "smart" features that would have been the main reason for buying it in the first place.

The same amplifier is also vulnerable to more subtle hacks. For example it's possible to interfere with its preset sound settings.

The presets feature allows users to wield a smartphone app that imbues the amp with presets that mimic famous guitarists' signature sounds. The app interacts with the amp over Bluetooth Low Energy (BLE) and does so separately to the Bluetooth audio input.

Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.

Security researchers at Pen Test Partners also put the Marshall Code 50 smart amp through its paces. Marshall’s machine has similar features to the Fender but with better security. "It relies on authentication to do anything, so it can’t be hijacked in the same way," PTP's Pritchard said.

The issues uncovered in Fender's amp are best-described as features that are open to abuse rather than vulnerabilities that could leak data. They do, however illustrate that vendors are adding smarts to all manner of technologies without also adding intelligent security controls.

"We don’t consider these to be vulnerabilities particularly, more abuse of features for unintended consequences," Pen Test Partners' Ken Munro told El Reg.

PTP reckons Fender could mitigate the issues it has uncovered by implementing some simple pairing security. "Even a button press on the amp to put it in pairing mode for a short period would be a step in the right direction," PTP concludes.

Fender is yet to respond to a request for comment from The Register. ®

Updated to add

A spokesman for Fender has finally been in touch to say the Bluetooth-related security issues "were addressed in an update to the amp a few months ago," although you need to install said update to benefit from it.

"Any new amps should now have the latest software, and as always we recommend that you update your amp to get the latest software, which includes fixes like this," he said. "The software can be easily updated via Wi-Fi, and only takes a few minutes, depending on your internet speed."

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

IoT shouters Chirp get themselves added to Microsoft Azure IoT

Now your devices can join you in bellowing at Redmond's products

Bad news, mobile operators: Unlicensed IoT tech rocketing ahead of NB-IoT and LTE-M – report

Plus global mobe mobs name Sigfox top IoT tech lag

What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

Hitachi's IoT gang punts never-off data protection platform

A masterclass in mind-boggling 'always-on availability' spiel

Google unwraps its gateway drug: Edge TPU chips for IoT AI code

Custom ASICs make decisions on sensors as developers get hooked on ad giant's cloud

Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

Updated The BlueBorne ultimatum

Google reveals rapid Bluetooth gadget connection tech

'Fast Pair' works on Androids and some audio devices, Google wants it in your car too

Offline (if that's how you like it): Microsoft Azure IoT Edge

Fancy something a bit lighter? Fill your boots with Azure Sphere hardware

Hitachi Vantara brain dump: IoT, servers, containers and self-regulating data centres

You lucky NEXT 2018 people

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog