A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices.
The flaw was found by Lior Neumann and Eli Biham of the Israel Institute of Technology, and flagged today by Carnegie Mellon University CERT. The flaw, which is tracked as CVE-2018-5383, has been confirmed to affect Apple, Broadcom, Intel, and Qualcomm hardware, and some Android handsets. It affects Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections.
Fortunately for macOS users, Apple released a patch for the flaw in July.