Bluetooth vulnerability alert for HTC smartphone users

HTC smartphone owners beware

If you own an HTC smartphone running Windows Mobile 6 or 6.1, be warned. Accepting Bluetooth connections from an untrusted source will leave you vulnerable to an attack that could give some nefarious type the ability to access any file on the phone or upload malicious code.

The warning comes from a Spanish security researcher, who wrote: “HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service”.

The directory traversal vulnerability lets an attacker reach beyond the phone’s Bluetooth shared folder to contact details, e-mails, pictures or other data stored on the phone. This access can be used not only to read files, but also to upload software, including malicious code.

To be at risk, the targeted phone must have Bluetooth enabled and file sharing over Bluetooth activated. Only HTC handsets are affected, as the driver, obexfile.dll, is an HTC driver, but since HTC is the world’s largest manufacturer of Windows Mobile handsets, millions of users are potentially vulnerable. HTC devices running Windows Mobile 5 are not vulnerable, nor are Windows Mobile devices from other vendors such as ASUS, Samsung and LG.

Any HTC smartphone owners concerned about the threat should refrain from accepting Bluetooth connections from untrusted sources and delete old entries in their paired devices list. That said, anyone who does accept a connection from an unknown source really only has themselves to blame if they end up getting hacked.

[Sources: wmpoweruser, mobility site]

One Comment

  1. Posted July 15, 2009 at 7:24 pm | Permalink

    I would like to point out that this vulnerability does not exist in ALL HTC Smartphones running Windows Mobile 6. Models that use the Widcomm Bluetooth Stack provided by Broadcom Corporation (such as the Touch Pro 2) do not contain this vulnerability.
