Most Macs have suffered from a serious security vulnerability in Bluetooth which could allow a third party to determine their Bluetooth crypto keys, thus breaking the encryption of their Bluetooth communications. Apple has just revealed that this vulnerability was fixed in recent updates to High Sierra 10.13.4 and 10.13.5, and in Security Updates 2018-003 and 2018-004 for El Capitan and Sierra (as well as in iOS 11.4, tvOS 11.4, and watchOS 4.3.1).
If you haven’t yet applied those updates to your Macs, iOS and other devices, you should do so as a matter of urgency, before this vulnerability is exploited.
The vulnerability appears to be another serious programming error: an entire step in the exchange needed to establish a secure Bluetooth connection may be omitted, so the parameters used to generate the keys for device pairing are never validated. Some sources claim that this only affects low energy implementations, but the vulnerability note and Apple’s release notes do not state that, and it may affect regular BR/EDR implementations as well as LE.
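As an added illustration (not code from the post, from Apple, or from the Bluetooth specification): in Bluetooth Secure Simple Pairing and LE Secure Connections the pairing keys are derived from an ECDH exchange on the P-256 curve, and the validation step in question is checking that the peer's public key is a genuine point on that curve before it is used. The pure-Python code below shows that check gating the shared-secret computation; the curve arithmetic is a minimal textbook implementation and the private scalars used in the test are constructed values.

```python
# Added example: validating a peer's ECDH public key before using it, the step the
# vulnerable pairing code skipped. Pure-Python P-256 (secp256r1), for illustration only.
PRIME = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = PRIME - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def validate_peer_public_key(point):
    """Accept only a finite point with in-range coordinates that lies on P-256.
    P-256 has cofactor 1, so an on-curve point is also in the prime-order subgroup."""
    if point is None:                      # point at infinity is never a valid key
        return False
    x, y = point
    if not (0 <= x < PRIME and 0 <= y < PRIME):
        return False
    return (y * y - (x * x * x + A * x + B)) % PRIME == 0

def point_add(p1, p2):
    """Affine group law on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def scalar_mult(k, point):  # double-and-add; not side-channel hardened
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh_shared_secret(private_key, peer_point):
    """Shared x-coordinate, computed only after the peer's key passes validation.
    Omitting this check is the defect described above: an off-curve point can leak private_key."""
    if not validate_peer_public_key(peer_point):
        raise ValueError("peer public key failed validation")
    return scalar_mult(private_key, peer_point)[0]
```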
Although there currently aren’t any known exploits, and an attack has to be performed within local Bluetooth range, now that details of the vulnerability have been published, you should assume that it will be exploited in the near future.
The following Macs have this vulnerability fixed in High Sierra 10.13.5 or Security Update 2018-003:
- MacBook Pro – Retina, 15-inch, Mid 2015; Retina, 15-inch, 2015; Retina, 13-inch, Early 2015; 15-inch, 2017; 15-inch, 2016; 13-inch, Late 2016, Two Thunderbolt 3 Ports; 13-inch, Late 2016, Four Thunderbolt 3 Ports; 13-inch, 2017, Four Thunderbolt 3 Ports.
- MacBook – Retina, 12-inch, Early 2016; Retina, 12-inch, Early 2015; Retina, 12-inch, 2017.
- iMac Pro.
- iMac – Retina 5K, 27-inch, Late 2015; Retina 5K, 27-inch, 2017; Retina 4K, 21.5-inch, Late 2015; Retina 4K, 21.5-inch, 2017; 21.5-inch, Late 2015; 21.5-inch, 2017.
The following Macs have this vulnerability fixed in High Sierra 10.13.6 or Security Update 2018-004:
- MacBook Pro – 15-inch, 2018; 13-inch, 2018, Four Thunderbolt 3 Ports.
It appears that Apple considers that other Macs are not vulnerable.
This vulnerability is widespread, and believed to affect many computers, phones, tablets, and other Bluetooth devices, although Microsoft has declared that Windows (and presumably its own Surface systems) are not affected. It appears to affect many or most Android devices, but patch information for them is being given by individual vendors.