A USB-connected speaker can infect a PC without ever being touched
arstechnica.comSure it is a good hobby for learning things; the title is definitely a clickbait and attention seeking;
The speaker has usb interface, and since it uses HID, its bandwidth is limited to 64bytes max per ms; it runs freertos, and for the price of the speaker it is highly unlikely it runs an mcu with trustzone;
moreover, usb descriptors are exchanged with the host in the clear, so patching it and adding a keyboard (that most os will implicitly trust) requires a usb cable, and there is definitely some 'touch' involved to get to that step, even if we ignore the physical access to the speaker/pc for the sake of argument;
of course, once that's done, updating image over bluetooth is easy, and that's the claim behind 'without ever being touched';
Recent discussion: https://news.ycombinator.com/item?id=48382310
Btw, Qubes OS can protect your data and passwords from such attack.