Fender's 'smart' guitar amp has no Bluetooth pairing controls

Bum note: you could Rickroll an artist live on stage

By John Leyden


Updated Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered.

The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your amp output", security researcher Chris Pritchard of Pen Test Partners (PTP) reported.

The device - marketed towards gigging musicians - is trivially easy to hack, as a video put together by PTP (below) demonstrates.

Anyone using the Mustang GT at a concert therefore ought to turn Bluetooth off - even though that removes the "smart" features that would have been the main reason for buying it in the first place.

The same amplifier is also vulnerable to more subtle hacks. For example it's possible to interfere with its preset sound settings.

The presets feature allows users to wield a smartphone app that imbues the amp with presets that mimic famous guitarists' signature sounds. The app interacts with the amp over Bluetooth Low Energy (BLE) and does so separately to the Bluetooth audio input.

Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.

Security researchers at Pen Test Partners also put the Marshall Code 50 smart amp through its paces. Marshall’s machine has similar features to the Fender but with better security. "It relies on authentication to do anything, so it can’t be hijacked in the same way," PTP's Pritchard said.

The issues uncovered in Fender's amp are best-described as features that are open to abuse rather than vulnerabilities that could leak data. They do, however illustrate that vendors are adding smarts to all manner of technologies without also adding intelligent security controls.

"We don’t consider these to be vulnerabilities particularly, more abuse of features for unintended consequences," Pen Test Partners' Ken Munro told El Reg.

PTP reckons Fender could mitigate the issues it has uncovered by implementing some simple pairing security. "Even a button press on the amp to put it in pairing mode for a short period would be a step in the right direction," PTP concludes.

Fender is yet to respond to a request for comment from The Register. ®

Updated to add

A spokesman for Fender has finally been in touch to say the Bluetooth-related security issues "were addressed in an update to the amp a few months ago," although you need to install said update to benefit from it.

"Any new amps should now have the latest software, and as always we recommend that you update your amp to get the latest software, which includes fixes like this," he said. "The software can be easily updated via Wi-Fi, and only takes a few minutes, depending on your internet speed."

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Bad news, mobile operators: Unlicensed IoT tech rocketing ahead of NB-IoT and LTE-M – report

Plus global mobe mobs name Sigfox top IoT tech lag

Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

Updated The BlueBorne ultimatum

What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

Princeton research team hunting down IoT security blunders

Taming Things leaky, sneaky, or creepy

Google reveals rapid Bluetooth gadget connection tech

'Fast Pair' works on Androids and some audio devices, Google wants it in your car too

Chirp unveils free tier of shouting-at-IoT devices audio net tech

One day, your gizmos can bellow nuclear power station info at each other too

Don't fear 1337 exploits. Sloppy mobile, phishing defenses a much bigger corp IT security threat

AppSec EU DARPA-funded white hat emits timeless advice

Microsoft's next trick? Kicking things out of the cloud to Azure IoT Edge

Open-source service sticks containers in internet of stuffs

Windows 10 IoT Core Services unleashed to public preview

Gizmos gain control over Windows 10 updates - at a price

EU security think tank ENISA looks for IoT security, can't find any

Proposes baseline security spec, plus stickers to prove thing-makers have complied