Comment by Rygian

3 hours ago

Here's an excerpt from [1]:

> Step 1: Connect (CVE-20700/20701) The attacker is in physical proximity and silently connects to a pair of headphones via BLE or Classic Bluetooth.

> Step 2: Exfiltrate (CVE-20702) Using the unauthenticated connection, the attacker uses the RACE protocol to (partially) dump the flash memory of the headphones.

> Step 3: Extract Inside that memory dump resides a connection table. This table includes the names and addresses of paired devices. More importantly, it also contains the Bluetooth Link Key. This is the cryptographic secret that a phone and headphones use to recognize and trust each other.

> Note: Once the attacker has this key, they no longer need access to the headphones.

> Step 4: Impersonate The attacker's device now connects to the target's phone, pretending to be the trusted headphones. This involves spoofing the headphones' Bluetooth address and using the extracted link key.

> Once connected to the phone the attacker can proceed to interact with it from the privileged position of a trusted peripheral.

[1] https://news.ycombinator.com/item?id=46454740
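A small model of why Step 4 works, added here as an illustration and not code from the linked post or the researchers. It stands in for the link-layer challenge-response: the phone looks up the link key stored for the claimed Bluetooth address, sends a random challenge, and accepts whoever returns the correct response. The real Bluetooth functions (E1 for legacy pairing, h4/h5 for Secure Connections) are replaced by HMAC-SHA256, and the addresses, key and table layout are constructed sample values; the property shown is the same, that with the link key and the spoofed address the attacker is indistinguishable from the headphones, while a spoofed address alone is rejected.

```python
import hmac
import hashlib
import os

# Constructed sample values (not from the original post): the phone, its paired
# headphones, and the 128-bit link key both sides stored at pairing time.
PHONE_ADDR = bytes.fromhex("0011223344aa")
HEADPHONES_ADDR = bytes.fromhex("66778899bbcc")
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def sres(link_key: bytes, addr_a: bytes, addr_b: bytes, rand: bytes) -> bytes:
    """Stand-in for the link-layer authentication function.

    HMAC-SHA256 over both addresses and the challenge replaces the spec's
    E1 / h4-h5 functions (assumption for illustration). Only a holder of the
    link key can produce the 32-bit response the phone expects.
    """
    return hmac.new(link_key, addr_a + addr_b + rand, hashlib.sha256).digest()[:4]


class Phone:
    """The side that trusts the headphones: keeps a pairing table of
    Bluetooth address -> link key and verifies a challenge-response."""

    def __init__(self) -> None:
        self.paired = {HEADPHONES_ADDR: LINK_KEY}

    def authenticate(self, claimed_addr: bytes, responder) -> bool:
        key = self.paired.get(claimed_addr)
        if key is None:
            # Unknown address: the peer would have to go through pairing.
            return False
        rand = os.urandom(16)
        expected = sres(key, PHONE_ADDR, claimed_addr, rand)
        return hmac.compare_digest(expected, responder(rand))


class Device:
    """A peripheral (genuine or attacker-controlled) presenting an address
    and answering challenges with whatever link key it holds."""

    def __init__(self, addr: bytes, link_key: bytes) -> None:
        self.addr = addr
        self.link_key = link_key

    def respond(self, rand: bytes) -> bytes:
        return sres(self.link_key, PHONE_ADDR, self.addr, rand)


def run_scenario() -> dict:
    phone = Phone()
    genuine = Device(HEADPHONES_ADDR, LINK_KEY)
    # Step 4 of the excerpt: spoofed headphone address plus the link key
    # extracted from the flash dump.
    impersonator = Device(HEADPHONES_ADDR, LINK_KEY)
    # Address spoofing alone, without the key, fails the challenge.
    spoof_without_key = Device(HEADPHONES_ADDR, bytes(16))
    return {
        "genuine": phone.authenticate(genuine.addr, genuine.respond),
        "impersonator_with_key": phone.authenticate(impersonator.addr, impersonator.respond),
        "spoof_without_key": phone.authenticate(spoof_without_key.addr, spoof_without_key.respond),
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The phone never learns anything that distinguishes the impersonator from the headphones: both the address it looks up and the key it verifies against are exactly the values the attacker copied, which is why the excerpt notes that the headphones themselves are no longer needed once the key is out.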