A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.
This bug occurs because Bluetooth-capable devices do not sufficiently validate encryption parameters used during "secure" Bluetooth connections. More precisely, pairing devices do not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange.
This results in a weak pairing that may allow a remote attacker to obtain the encryption key used by a device and recover data sent between two devices paired in a "secure" Bluetooth connection.
Both the Bluetooth standard's "Secure Simple Pairing" process and Bluetooth LE's "Secure Connections" pairing process are affected.
CERT/CC has sent out a security advisory last night with the following explanation for the vulnerability:
Apple, Broadcom, Intel, and Qualcomm have confirmed that Bluetooth implementations and OS drivers are affected. Apple, Broadcom, and Intel have deployed fixes for the bug. A Qualcomm spokesperson told Bleeping Computer via email that they have deployed fixes as well.
Microsoft said its devices are not affected. CERT/CC experts were not able to determine if Android, Google devices, or the Linux kernel are affected.
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has issued a statement in regards to the vulnerability.
The organization says it has now updated the official Bluetooth specification to require that all pairing devices validate all parameters used for key-based encrypted Bluetooth connections.
Researchers and Bluetooth SIG said they weren't aware of any in-the-wild attacks where this vulnerability might have been used. The good news is that the attacker needs to be near the victim when he/she is pairing a Bluetooth device, a process that occurs very rarely, and can't be forced via a deauth operation. Furthermore, if one of the two devices participating in a paring operation have received a patch, then the attack won't work anymore.
The updates for CVE-2018-5383 should be expected as OS updates or driver updates (for desktops, laptops, and smartphones), or firmware updates (in the case of IoT/smart devices).
Article updated with information on Intel and Qualcomm fixes.