When you pair a couple of Bluetooth devices, like your phone and computer, they exchange encryption keys. But it turns out the Bluetooth specification didn't require that both of them completely validate those keys. Well, it does now.
This comes after it was revealed Tuesday that an attacker within wireless reach could insert themselves into communications between the two devices if both failed to properly validate the keys. That's according to the Bluetooth SIG and Carnegie Mellon's CERT, with some updates catalogued by ZDNet.
Luckily, it doesn't work if at least one of the devices does its due diligence validating all the elliptic curve parameters during the Diffie-Hellman (ECDH) key exchange (CVE-2018-5383), and a lot of manufacturers have already patched their devices. Apple updated MacOS for El Capitan and later, plus the fix is in iOS 11.4. Intel has provided updated Bluetooth drivers for Windows 7, 8.1 and 10.
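The fix the article describes is a check a device performs on the public key it receives during the ECDH exchange: confirm the point actually lies on the agreed curve (and is not the identity) before deriving any shared secret from it. The block below is an added example, not code from the article or from any vendor's Bluetooth stack; it assumes NIST P-256 (the curve used by Bluetooth Secure Connections pairing) and shows a minimal ECDH in which both peers validate each other's key, so a tampered off-curve point is rejected instead of being fed into the key derivation.

```python
# Added example (not from the article): full public-key validation for an
# ECDH peer key on NIST P-256, the check the Bluetooth specification now
# requires of both devices.
import secrets

# NIST P-256 (secp256r1) domain parameters (assumed curve for this example).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (GX, GY)
INF = None  # point at infinity


def is_valid_public_key(point):
    """Coordinates in range, point on the curve, not the identity.
    P-256 has cofactor 1, so no separate subgroup check is needed."""
    if point is INF:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    # Curve equation y^2 = x^3 + a*x + b (mod p). A point that fails it
    # is exactly what an unvalidated exchange would accept.
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition/doubling on P-256."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration)."""
    result = INF
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def ecdh_shared_secret(own_priv, peer_pub):
    """Derive the shared x-coordinate only after the peer's key validates."""
    if not is_valid_public_key(peer_pub):
        raise ValueError("peer public key failed validation; abort pairing")
    shared = scalar_mult(own_priv, peer_pub)
    if shared is INF:
        raise ValueError("degenerate shared point; abort pairing")
    return shared[0]


def demo():
    """Both peers validate: honest keys agree, a tampered key is rejected."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    if ecdh_shared_secret(a_priv, b_pub) != ecdh_shared_secret(b_priv, a_pub):
        return False
    tampered = (b_pub[0], (b_pub[1] + 1) % P)  # constructed off-curve point
    try:
        ecdh_shared_secret(a_priv, tampered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("validation demo passed:", demo())
```

The point of running the check on both sides is that the article's mitigation only needs one validating peer to break the attack; a device that skips it is relying on the other end to do the work. In a real stack the same check is applied to the key delivered in the pairing public-key exchange before the DHKey is computed.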
However, some patches need to come from your device's manufacturer. Broadcom released a patch in June, for example, but those updates need to trickle down. Dell's already released Qualcomm's patch, as has Lenovo. A Google spokesperson said the company has "remediated the issue with updates to both ChromeOS and Android."
If you're not on an auto-update cycle, you should probably check for updates with your phone or system manufacturer.
The security flaw won't matter if you're, say, connecting your Xbox controller to your PC, or your camera to your phone, and the Bluetooth SIG says it's unaware of any actual incidents related to the flaw. But Bluetooth file transfers are becoming more popular and tools like Apple's Handoff use Bluetooth for the connection while transferring files over Wi-Fi. You may be typing sensitive information on your Bluetooth keyboard. And while it requires proximity for someone to fool with the data connection, given how many Bluetooth devices frustratingly require repeated re-pairings, the probability of that rises.
We've reached out to Apple for comment but didn't immediately hear back. Broadcom, Qualcomm and Google confirmed they've issued patches.
First published July 24, 10:05 a.m. PT.
Update, July 26 at 4:36 a.m. PT: Adds response from Google.