The author of that research, Alberto Moreno Tablado, recently contacted us to let us know there's an update.
From Tablado:
The vulnerability was first disclosed on January 2009 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6. However, further investigations proved that the issue is in a 3rd party driver installed by HTC. Microsoft states that the OBEX FTP server driver affected is a 3rd party driver installed by HTC on its devices running Windows Mobile, so the vulnerability only affects to this vendor specifically and other vendors' Windows Mobile devices are not affected.
Furthermore, in January it appeared that vulnerable devices needed to be paired with their attackers. Tablado now states that more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and MAC address spoofing, can be used in order to avoid this [requirement].
The following devices are reported as vulnerable:
• HTC devices running Windows Mobile 6 Professional • HTC devices running Windows Mobile 6 Standard • HTC devices running Windows Mobile 6.1 Professional • HTC devices running Windows Mobile 6.1 Standard
