This post was published 2 years 10 months 8 days ago which may make its actuality or expire date not be valid anymore. This site is not responsible for any misunderstanding.

I was browsing my latest tweets on Twitter, when an interesting article caught my attention.

Me being an HTC FUZE user my self, I found my self reading the article, and figured this was something that all HTC users needed to be aware of. I will give most of the article, but if you wish to read the actual article, for more info click here.

If you have an HTC smartphone running Windows Mobile 6 or Windows Mobile 6.1, you may want to think twice before connecting to an untrusted device using
Bluetooth. A vulnerability in an HTC driver installed on these phones can allow an attacker to access any file on the phone or upload malicious code using
Bluetooth, a Spanish security researcher warned Tuesday.

“HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service,” security
researcher Alberto Moreno Tablado said in an e-mail exchange.

HTC handsets running Windows Mobile 5 are not affected. For the attack to work, the targeted device must have Bluetooth enabled and file sharing over Bluetooth activated.

“This connection can be done either by standard Bluetooth pairing or taking advantage of the Bluetooth MAC spoofing attack,” Moreno Tablado said, referring
to a process where the attacking device attempts to convince the target that it’s another device on its list of paired devices.
The directory traversal vulnerability allows an attacker to move from a phone’s Bluetooth shared folder into other folders, giving them access to contact
details, e-mails, pictures or other data stored on the phone. They can use this access to read files or upload software, including malicious code.
Users worried about the vulnerability should avoid pairing their phones with an untrusted handset or computer. They may also want to delete any devices
that are already paired with their phones, he said.

Because the driver, obexfile.dll, is an HTC driver, only handsets from the company are affected. However, HTC is the world’s largest manufacturer of Windows
Mobile handsets, selling phones under its own brand as well as making phones under contract for other companies. That means millions of users are potentially
vulnerable.

Moreno Tablado tested the vulnerability on a range of HTC handsets, including the Touch Diamond, Touch Pro, Touch Cruise, Touch Find, S710 and S740, among
others. “It seems that HTC includes this driver, which is vulnerable, in all the devices running Windows Mobile 6 and Windows Mobile 6.1, as a part of
the Bluetooth stack,” he said.