HTC Handheld Devices Affected by Critical Bluetooth Vulnerability

A zero-day severe directory traversal vulnerability in the Bluetooth File Transfer Profile (FTP) implementation on HTC smartphones running Windows Mobile 6 and 6.1 has been publicly disclosed. The flaw allows attackers to perform file-reading and -writing operations outside the folders shared via Bluetooth.

Spanish mobile security researcher Alberto Moreno Tablado, who discovered this vulnerability, explained that he decided to go public after HTC showed no interest in releasing a patch, despite the fact that it had been notified about the issue since February. "HTC Europe has been contacted several times since 2009/02 until 2009/06. Through out [sic.] this period of time I attempted to collaborate with the vendor and provided all the details concerning on [sic.] the exploitation of the flaw," he writes.

Tablado initially believed that this was a vulnerability in the Microsoft Bluetooth stack in Windows Mobile 6 and 6.1, however Microsoft concluded that only HTC's implementation of the OBEX FTP Service was affected. More specifically, this concerns a 3rd-party driver called obexfile.dll, developed by HTC.

The flaw is easy to exploit and only requires pairing over Bluetooth with the vulnerable device. This can be easily achieved if the devices have paired before or by employing more complex techniques, such as sniffing the Bluetooth pairing, cracking the link key, or spoofing the MAC address.

Once connected, it is trivial to break out of the shared folder by sending "../" or "..\\" paths. The immediate result is the ability to get the file structure of the device, but the implications are much more serious. Sensitive files such as pictures, documents, emails, contacts, calendar tasks, and browsing cookies can be transparently accessed and downloaded without the victim's knowledge.

Furthermore, the vulnerability can also be used to infect the devices with trojans. The malware can be executed by replacing system files with it or uploading it into the Startup folder. The researcher notes that all these operations can be performed from a Bluetooth-enabled computer running Linux by using free tools such as ObexFTP or gnomevfs-ls.

Windows Mobile 5.0 devices are not affected by this vulnerability, but all HTC handhelds running Windows Mobile 6 Professional or Standard, as well as Windows Mobile 6.1 Professional or Standard, that have been produced to date are potentially vulnerable. "Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list," the researcher advises.

Update: HTC has released a hotfix, which addresses this vulnerability for its Touch Diamond, Touch Pro and Touch HD models. This stands to show that full disclosure is not an obsolete model, like some claim, and can significantly contribute to getting a security issue resolved faster.