Posts: 5 | Thanked: 5 times | Joined on Mar 2010 @ Germany
#1
Hi everyone

I was showing my great N900 to my son and he asked me to activate Bluetooth and pair his phone (SG 5320). I did and then he showed me all my files in the home/user partition from his phone screen.

Moreover, he was able to browse, move, transfer and delete(!) files on my N900 from his Samsung phone. His phone had extra protection for folders as standard, so I could not impress him that much :-).

I know that this is not new, but two points caught my attention:

A. N900 cannot protect any of my folders from connected Bluetooth devices

B. N900 did not even react with a warning that a connected phone was doing something... different and more dangerous than just sending a picture.

That said, it is very, very easy to social engineer an N900 user into allowing a Bluetooth connection.

Anyone with an idea how to solve this? And yes... apologies if my question sounds stupid, but I do not want to chmod every time someone sends me a file via Bluetooth.

thanks in advance for a hint on how to solve that...
best
fact
 

Posts: 1,091 | Thanked: 323 times | Joined on Feb 2010 @ ~
#2
Pair the devices, then press Devices on the Bluetooth dialog, edit the newly paired device and uncheck 'Trusted device'. That should do the trick.
 
Posts: 241 | Thanked: 69 times | Joined on Dec 2009 @ Germany
#3
Maybe don't pair the phones in the first place? I know that is not what you asked for, but from a security standpoint this should be quite a barrier, shouldn't it? But your question sure is relevant, as you don't want to open your entire home directory to every person you share a file with.
 
Posts: 1,258 | Thanked: 672 times | Joined on Mar 2009
#4
The idea of pairing was to establish a trusted relationship. I laughed when viruses for cellphones started appearing that required people to accept a pairing request and accept a file transfer. I thought nobody would be so incredibly stupid as to accept. But I was wrong; the universe creates bigger fools to nullify all the security features.
 

Posts: 5 | Thanked: 5 times | Joined on Mar 2010 @ Germany
#5
Originally Posted by shadowjk:
I thought nobody would be so incredibly stupid to accept. But I was wrong, the universe creates bigger fools to nullify all the security features

So shadowjk, let me see if I got your comment right... your son/friend wants to send you a file and accepting this makes you what... stupid???

I disagree... look at what all average users (100s of millions of mobile phones) do every day... they are sharing videos, vcf cards and mp3 files... it is in fact the same type of problem the web browsers and the Java applets had in their infancy...

and the simplest solution could be as simple as

A) a default quarantine folder as the only possible and visible access point for write and read operations for file transfer from external paired devices (apart from the obvious access to the Bluetooth daemons)

B) strong monitoring of any violations of A, disconnecting any non-compliant device

C) separate general folder protection against changes and deletes (chmod from the file explorer)


It is not an intellectual pissing contest but simple ideas to make the N900 really useful for the average user... (I am an average user as well)... Here you can see how HTC solved the problem; SAMSUNG did as well, 3 years ago...

http://www.phonedog.com/2007/03/26/b...ew-htc-phones/

Last edited by fact; 2010-03-22 at 22:40.
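
Added example, not part of fact's post and not N900 or Maemo code: a minimal Python model of points A and B above, where every remote path is resolved against a single quarantine folder and a request that escapes it (via ".." or a symlink) closes the session. The names QuarantineSession, bt-inbox and the sample requests are constructed for illustration.

```python
import os
import tempfile


class QuarantineSession:
    """File-transfer session confined to one quarantine folder (hypothetical model)."""

    def __init__(self, root):
        # Resolve the root once so later comparisons use canonical paths.
        self.root = os.path.realpath(root)
        self.connected = True

    def resolve(self, requested):
        """Return the canonical local path for a remote request, or disconnect."""
        if not self.connected:
            raise ConnectionError("session already closed")
        # Treat every remote path as relative to the quarantine root.
        candidate = os.path.realpath(
            os.path.join(self.root, requested.lstrip("/\\")))
        # realpath has collapsed ".." and followed symlinks; now compare.
        if os.path.commonpath([self.root, candidate]) != self.root:
            self.connected = False  # point B: drop the non-compliant device
            raise PermissionError(f"outside quarantine: {requested!r}")
        return candidate


def demo():
    """Run three constructed requests and report how each was handled."""
    with tempfile.TemporaryDirectory() as home:
        inbox = os.path.join(home, "bt-inbox")
        os.mkdir(inbox)
        os.mkdir(os.path.join(home, "private"))
        # A symlink inside the inbox that points back out of it.
        os.symlink(os.path.join(home, "private"), os.path.join(inbox, "link"))
        results = {}
        for request in ("photo.jpg", "../private/diary.txt", "link/diary.txt"):
            session = QuarantineSession(inbox)
            try:
                session.resolve(request)
                results[request] = "allowed"
            except PermissionError:
                results[request] = "disconnected"
        return results


if __name__ == "__main__":
    print(demo())
```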
 

Posts: 5 | Thanked: 5 times | Joined on Mar 2010 @ Germany
#6
Originally Posted by ToJa92:
Pair the devices, then press devices on the bluetooth dialog, edit the new paired device and uncheck 'Trusted device' should do the trick.

Thanks ToJa92, but unfortunately it works even without the "trusted" flag on. So is actually any paired phone with a Bluetooth Explorer capability.
 
Posts: 170 | Thanked: 27 times | Joined on Feb 2010 @ reading, uk
#7
This is a bit stupid, because your son wanted to pair with you to send you stuff but he got into your phone, so that is his fault. You wouldn't pair with someone if you didn't trust them; that's what pairing is, after all.
 

Posts: 170 | Thanked: 27 times | Joined on Feb 2010 @ reading, uk
#8
Plus the fact that on the N900 you don't have to pair to send a file, so that is secure. Maybe on some phones I know, like Samsung and maybe BlackBerry, you have to, the same as using a photo kiosk.
 
Posts: 1,258 | Thanked: 672 times | Joined on Mar 2009
#9
Yeah, actually, if someone just wants to send a file, you get the dialog with the filename, and you can place it where you want. Pairing not even needed, filesystem browsing denied.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#10
Originally Posted by fact:
So shadowjk, let me see if I got your comment right....your son/friend wants to send you a file and accepting this makes you what...stupid ???

ShadowJK was saying that accepting an unexpected file transfer/browse request (say, from malware) was stupid, not what you were talking about (and by the way, I think you have a point). Also, for the record, when geeks use the word "stupid" in that sense, we don't usually mean that the person is of inferior intelligence, but more in the sense of it being "stupid" to, say, run across a busy intersection - it doesn't actually mean you're an idiot, but it certainly is foolish and ill-advised. The fact that a large number of people regularly do things with their computers that are more equivalent to running out in front of a bus leads to bitterness, and bitterness to name-calling. So yeah, it's probably a bit harsh, but generally not intended to be offensive. :P

UPDATE: This may also be enlightening: http://www.mit.edu/~jcb/tact.html

Last edited by jaem; 2010-04-06 at 01:06. Reason: added link