NEWS FROM THE LAB - Tuesday, July 14, 2009

Remotely Exploitable Hole in HTC's Bluetooth

Posted by Response @ 15:11 GMT

An interesting vulnerability in the Windows Mobile 6 OBEX FTP service was disclosed back in January.

The author of that research, Alberto Moreno Tablado, recently contacted us to let us know there's an update.

From Tablado:

The vulnerability was first disclosed in January 2009 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6. However, further investigations proved that the issue is in a 3rd party driver installed by HTC. Microsoft states that the OBEX FTP server driver affected is a 3rd party driver installed by HTC on its devices running Windows Mobile, so the vulnerability only affects this vendor specifically and other vendors' Windows Mobile devices are not affected.

Furthermore, in January it appeared that vulnerable devices needed to be paired with their attackers. Tablado now states that more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used to avoid this [requirement].

OBEX directory traversal display, screenshot from seguridadmobile.com

The following devices are reported as vulnerable:

  •  HTC devices running Windows Mobile 6 Professional
  •  HTC devices running Windows Mobile 6 Standard
  •  HTC devices running Windows Mobile 6.1 Professional
  •  HTC devices running Windows Mobile 6.1 Standard

Full details can be found on Seguridad Mobile's website.

Our thanks go to Mr. Tablado for the update on his very interesting research.