Major security hole in WM5, WM6 bluetooth stack

Security Researcher Alberto Moreno Tablado has discovered a major hole in the bluetooth stack of Windows Mobile 5.0 and Windows Mobile 6.0 phones.

Apparently the weakness is in the bluetooth FTP service, which allows another authorized and paired bluetooth device to browse specific specified directories on your Windows Mobile phone. This can be very useful for copying files to and from your smartphone from your desktop for example wirelessly.

Unfortunately it seems the service has a Directory Transversal Vulnerability, meaning an attacker does not have to be confined to the specified and safe directories, but can break out of the sandbox and copy files to and from anywhere on your smartphone.

Alberto gives the example of copying the PIM.vol file from the root of your device, meaning the attacker now has your all your contacts, calender and tasks, or being able to place a trojoan.exe in your \windows\startup directory.

Microsoft has just been notified of the issue, and has as of this writing not responded to Alberto yet.

Currently there no known patch, and Alberto has not tested Windows Mobile 6.1 to see if its vulnerable yet, but given the similarities of the versions this is quite likely. The only mitigating factor for now is that only authorized and paired devices are allowed to use the Bluetooth FTP service at the moment, and Alberto advises Windows Mobile users not accept pairing prompts from strangers.

Read the full security bulletin here.