PT-2021-9872 · Texas Instruments · TI's BLE Stack

Published 2021-09-20 · Updated 2021-10-07 · CVE-2020-16630

CVSS v2.0: 4.3 (Medium)

Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: TI's BLE stack (affected versions not specified)
Description: The issue concerns TI's BLE stack, which caches and reuses the Long Term Key (LTK) property for a bonded mobile. An LTK can be either an unauthenticated key with no Man-In-The-Middle (MITM) protection, created by Just Works, or an authenticated key with MITM protection, created by Passkey Entry, Numeric Comparison, or Out-Of-Band (OOB). If a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generates an authenticated LTK, a fake mobile with the victim mobile's MAC address can use Just Works to pair with the victim device. The newly generated LTK will still carry the authenticated (MITM-protected) property, allowing the fake mobile to access attributes with authenticated read/write permission.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
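
The flaw in the description, modelled as an added example (not TI's code and not part of the original advisory): a bond store that reuses the cached LTK property on re-pairing, next to one that derives the property from the pairing method actually used. The `bond_t` layout, the function names, and the address and key bytes are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bond-table model for illustration; not TI's data structures. */
typedef enum { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON, OOB } pair_method_t;
typedef struct {
    uint8_t addr[6], ltk[16];
    bool in_use, authenticated;   /* authenticated = LTK has MITM protection */
} bond_t;
typedef void (*store_fn)(bond_t *, const uint8_t *, const uint8_t *, pair_method_t);
static bool is_authenticated(pair_method_t m) { return m != JUST_WORKS; }

/* Flawed: re-pairing from a known address replaces the key but reuses the
 * cached property, so a Just Works key inherits "authenticated". */
void store_bond_flawed(bond_t *b, const uint8_t *addr, const uint8_t *ltk, pair_method_t m) {
    bool known = b->in_use && memcmp(b->addr, addr, 6) == 0;
    memcpy(b->addr, addr, 6);
    memcpy(b->ltk, ltk, 16);
    if (!known) b->authenticated = is_authenticated(m);
    b->in_use = true;
}

/* Hardened: the property always comes from the pairing that made this key. */
void store_bond_hardened(bond_t *b, const uint8_t *addr, const uint8_t *ltk, pair_method_t m) {
    memcpy(b->addr, addr, 6);
    memcpy(b->ltk, ltk, 16);
    b->authenticated = is_authenticated(m);
    b->in_use = true;
}

/* Gate for attributes that require authenticated read/write permission. */
bool may_access_authenticated_attr(const bond_t *b) { return b->in_use && b->authenticated; }

/* Passkey bond, then a Just Works re-pair from the same address (constructed values). */
bool downgrade_succeeds(store_fn store) {
    bond_t b = {0};
    const uint8_t addr[6] = {0x02, 0, 0, 0, 0, 0x01}, k1[16] = {0x11}, k2[16] = {0x22};
    store(&b, addr, k1, PASSKEY_ENTRY);
    store(&b, addr, k2, JUST_WORKS);
    return may_access_authenticated_attr(&b);
}

int main(void) {
    printf("flawed store grants access:   %d\n", downgrade_succeeds(store_bond_flawed));
    printf("hardened store grants access: %d\n", downgrade_succeeds(store_bond_hardened));
    return 0;
}
```

The same two-step sequence works as a regression test for any bond-storage code: after a Just Works re-pair from a previously authenticated address, authenticated attributes must be refused.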

Exploit

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2020-16630

Affected Products

TI's BLE Stack