Most Macs have been affected by a serious Bluetooth vulnerability that could allow third parties to determine their Bluetooth cryptographic keys and break the encryption of their Bluetooth communications.
Apple has just announced that this vulnerability was fixed in the High Sierra 10.13.4 and 10.13.5 updates and in Security Updates 2018-003 and 2018-004 for El Capitan and Sierra (as well as in iOS 11.4, tvOS 11.4 and watchOS 4.3.1).
If you have not yet installed these updates on your Mac, iOS and other devices, you should do so urgently, before this vulnerability is exploited.
The vulnerability seems to be another serious programming error: a complete step in the exchange required to establish a secure Bluetooth connection can be omitted, which means that the parameters used to generate the security keys for device pairing are never validated. Some sources claim that this affects only Bluetooth Low Energy (LE) implementations, but the vulnerability notes and Apple's release notes do not say so, and it may affect regular BR/EDR implementations as well as LE.
Although no exploits are currently known and an attack has to be carried out within local Bluetooth range, you should now assume that the vulnerability will be exploited in the near future, since the details have been published.
The following Macs have had this vulnerability fixed in High Sierra 10.13.5 or in Security Update 2018-003:
- MacBook Pro – Retina, 15-inch, Mid 2015; Retina, 15-inch, 2015; Retina, 13-inch, Early 2015; 15-inch, 2017; 15-inch, 2016; 13-inch, Late 2016, two Thunderbolt 3 ports; 13-inch, Late 2016, four Thunderbolt 3 ports; 13-inch, 2017, four Thunderbolt 3 ports.
- MacBook – Retina, 12-inch, Early 2016; Retina, 12-inch, Early 2015; Retina, 12-inch, 2017.
- iMac Pro.
- iMac – Retina 5K, 27-inch, Late 2015; Retina 5K, 27-inch, 2017; Retina 4K, 21.5-inch, Late 2015; Retina 4K, 21.5-inch, 2017; 21.5-inch, Late 2015; 21.5-inch, 2017.
The following Macs have had this vulnerability fixed in High Sierra 10.13.6 or in Security Update 2018-004:
- MacBook Pro – 15-inch, 2018; 13-inch, 2018, four Thunderbolt 3 ports.
It seems that Apple considers that other Macs are not vulnerable.
This vulnerability is widespread and probably affects many computers, phones, tablets and other Bluetooth devices, although Microsoft has stated that Windows (and probably its own interface systems) is not affected. It appears to affect many or most Android devices, but patch information is provided by the individual vendors.