AfterDawn: Tech news

HTC smartphones affected by Bluetooth vulnerability

Written by James Delahunty (Google+) @ 16 Jul 2009 18:43 User comments (1)

HTC smartphones affected by Bluetooth vulnerability Security researcher Alberto Moreno Tablado has reported a security flaw with the File Transfer Profile service that's built in to the Bluetooth stack implemented by HTC. Despite contacting HTC about this problem in February, no fix has been issued, prompting Tablado to go public. The security vulnerability could allow an attacker to view and edit sensitive files stored on a device.
"Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects to this vendor specifically," Tablado says. "A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or .. marks."

Authentication or Authorization rights could be gotten by pairing the HTC handset with a Bluetooth device, or more complication solutions would include spoofing the MAC address or include sniffing the Bluetooth pairing. Once obtained, an attacker can navigate can access or modify any file stored on the device without the user being aware of the attack.

More info:

Previous Next  

1 user comment

116.7.2009 18:54

I have a HTC phone. I always keep the bluetooth off unless needed, common sense.

The phone still works after me dropping it on cement and treating it like crap, its more durable than one might expect.

Comments have been disabled for this article.

Latest user comments

News archive