HTC smartphones left vulnerable to Bluetooth attack
Security has been the utmost concern of most companies nowadays since most of them are starting to realize that they should treat their data as one of their most important asset inside their company’s servers.
Companies are spending millions to make sure that their infrastructure is protected from external and internal attacks. Since most companies are starting to adopt mobile computing, smartphones are starting to become a popular device for mobile workers. For the simple reason that they can work from anywhere and anytime.
Would it be frustrating to know that after spending a huge amount of money to protect your system, you will find out that the security problem originated from the device you’re using? Take for example this report I got from a Spanish security researcher by the name of Alberto Moreno Tablado.
Tablado reported that HTC smartphones running Windows Mobile 6 or 6.1 contains a vulnerability in an HTC driver (obexfile.dll) installed on their phones. The vulnerability can allow an attacker to access any file on the HTC phone or upload malicious code using Bluetooth.
“This connection can be done either by standard Bluetooth pairing or taking advantage of the Bluetooth MAC spoofing attack,” Tablado said, referring to a process where the attacking device attempts to convince the target that it’s another device on its list of paired devices.
The directory traversal vulnerability allows an attacker to move from a phone’s Bluetooth shared folder into other folders, giving them access to contact details, e-mails, pictures, or other data stored on the phone. They can use this access to read files or upload software, including malicious code.
The security researcher tested the vulnerability on a range of HTC handsets, including the Touch Diamond, Touch Pro, Touch Cruise, Touch Find, S710, and S740, among others. “It seems that HTC includes this driver, which is vulnerable, in all the devices running Windows Mobile 6 and Windows Mobile 6.1, as a part of the Bluetooth stack,” he said.
Tablado reported the incident to Microsoft in January, Microsoft responded soon after the vulnerability was reported to them, saying they had determined the issue was caused by the HTC driver. Tablado then reported the problem to HTC in February but according to Tablado, HTC “showed no interest”.
Tablado in his blog (http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html) said “HTC Europe has been contacted several times since February 2009 until JUne 2009. Through out this period of time I attempted to collaborate with the vendor and provided all the details concerning on the exploitation of the flaw. However, I only received acknowledgement responses from HTC Europe Support (Tech), no intentions to release a security fix from HTC Taiwan.”
Now if Tablado’s claim is true, I don’t know why HTC showed no interest to solve this issue. Do they think it’s a problem not worth addressing? Whether it’s a minor or a major problem, it is the responsibility of a manufacturer to address the concerns of its users, especially if it’s about security. Which led me to one question: Could it be possible that HTC handsets contain more problems other than the Bluetooth vulnerability? I am just asking.
HTC handsets don’t come in cheap. Users are spending their hard earned money to a device that can give them what they want in the most SECURE environment possible. Not knowing the problem is excusable, but ignoring a problem brought to your attention is unforgivable.
The vulnerability is a zero-day threat which means that all devices shipped up to date (July 2009) may be vulnerable.
To all HTC users, as a workaround do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list.
I am calling the attention of Mr. Kevin Hou, managing director of HTC for Southeast Asia and HTC Philippines country manager Mark Sergio to shed light on this problem. I want to know how you intend to solve this problem.