Alberto Moreno Tablado has found an interesting vulnerability in the Windows Mobile 6 OBEX FTP service, in the Microsoft Bluetooth stack. It's used by devices such as the HTC TyTn II and other similar smartphones. Devices that use other Widcomm or other non-Microsoft Bluetooth stacks are not affected.

The vulnerability is a classical path traversal vulnerability, which means that an attacker can send path information along with the file name to the Windows Mobile device, and thus cause the file to be copied anywhere in device file system.

In theory this might be really serious vulnerability, as attacker could copy something to a location where the application would automatically start at next boot. But in practice, the vulnerability is of limited use for an attacker as it would require the victim to pair his phone, before OBEX FTP can be used. So this vulnerability has quite low exploitability.

The same basic caution that protects against other Bluetooth attacks also protects from this one.

Do not form Bluetooth pairs with devices that you do not fully trust. And if you are not using Bluetooth file sharing, do disable it from the Bluetooth FTP settings in Bluetooth connection settings.



Note: Our thanks goes to Dawid M. for directing us to Tablado's research.