In association with heise online

28 January 2009, 10:44

Windows Mobile Bluetooth vulnerability allows access to any files


A directory traversal vulnerability in the Bluetooth OBEX-FTP server of Windows Mobile 6 allows attackers to access files outside of the permitted list. According to the report, using "../" or "..\\" as part of the path name is sufficient to traverse to other directories. An attacker could use the technique to copy files from a device or to install their own software, such as a key logger or other spyware.

The issue does require that the targeted handheld device is paired with the attacking device, which is usually only possible with the owner's consent. There are, though, situations where a user may wish to restrict the access paired devices have to their files, and the problem means that these restrictions are only partially effective. Alberto Moreno Tablado, who discovered the bug, has published a detailed guide to the problem.
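The missing check behind a "../" or "..\\" traversal can be sketched as follows. This is an added example, not code from the article, the advisory or Windows Mobile; the function name `path_stays_in_share` and the sample names are hypothetical, and it assumes the server receives a client-supplied path relative to the shared folder. It is a purely lexical check that counts directory levels instead of searching for the string "..".

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `name` (a client-supplied relative path) stays inside the
 * shared folder, 0 otherwise. Both '/' and '\\' count as separators. */
int path_stays_in_share(const char *name)
{
    int depth = 0;                 /* directory levels below the share root */
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    /* Reject absolute and drive-qualified paths outright. */
    if (*name == '/' || *name == '\\' || strchr(name, ':') != NULL)
        return 0;

    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");      /* length of the next component */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;                    /* climbed above the share root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                         /* ordinary directory or file name */
        }
        p += len;
        if (*p != '\0')
            p++;                             /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "photos/cat.jpg", "..\\Windows\\x",
                              "a/../../b", "a\\..\\b.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               path_stays_in_share(samples[i]) ? "allow" : "reject");
    return 0;
}
```

A server would run a check of this kind on every name a paired device sends before opening or creating the file, so that the sharing restriction holds for paired devices as well.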
