I spoke to few people about this yesterday after a heads up from a fellow twitter user and thought it should go up on the site as we sell HTC devices. We’ve had a quick look into this and it does seem to be prevalent on some of our demo HTC smartphones.
HTC smartphone’s running Windows Mobile 6 or Windows Mobile 6.1 seem to be the main problem and you need to be careful when connecting to an untrusted device using Bluetooth. There’s a vulnerability in one of the HTC drivers installed on the little smartphones that allows an attacker to access any file on the phone or even upload malicious code through a Bluetooth connection. It looks like this is a WM 6 thing, as phones running Windows Mobile 5 are not affected.
To shield from the attack, make sure that Bluetooth is disabled and essentially file sharing over Bluetooth is de-activated. If both are on then a connection can be made either through standard Bluetooth pairing and then by taking advantage of the “Bluetooth MAC spoofing attack”, where the attacking device can convince the target phone that it’s a trusted device on its paired device list.
So if you are vulnerable and you have both your Bluetooth and file sharing on, it could mean that the attacker can use a means of directory traversal which enables them to move out of the phone’s Bluetooth shared folder and into pretty much any other folder on the file system. PIM data isn’t safe either so your contact details, e-mails, pictures and pretty much any data stored on the phone in the Microsoft file system can be viewed and copied. So far we haven’t had any comment back about SMS’s and data stored on the SIM card. As these are not strictly managed by Windows Mobile, they could be safe. We’ll get back to you on that. Attackers can also use this vulnerability upload software and then run malicious code.
So how can you protect yourself from this? Firstly don’t accept any untrusted Bluetooth connections. Secondly, disable your “file sharing over Bluetooth” which will stop the attacker from traversing your files even if they get a connection. Lastly, it is prudent to delete your current list of paired devices because hackers can masquerade as one of your trusted devices which gives them a connection and access to your smartphone.
We contacted HTC and their UK distributor about this but so far we haven’t had word back if they will issue an updated Bluetooth driver. In the meantime if you follow the security protection measures above, then you should be OK.
This actually reminds me of the original Bluetooth vulnerability that Nokia phones had where anyone with a Bluetooth dongle could effectively steal your PIM data and send messages to/from your phone. With mobile phones becoming more and more popular, more powerful and holding more and more important data, issues like this are going to become more common.
The lesson is to ensure you protect your little devices just as you do your laptops by ensuring you have good device protection, employ a device management solution and lastly talk to someone who can ensure you have a good data sync and back up strategy if all else fails.
Next article should be a 3 part on Device Management and what we’re doing here to address the main problems user shave with their systems.
Check back soon
The Rugged and Mobile blog.