Comment by cloudfudge
2 months ago
I didn't see a summary in here so based on my reading:
* Certain headset devices from varying vendors have crappy BT security over both Bluetooth Classic and BLE
* They implement a custom protocol called RACE which can do certain things with no authentication at all
* One of the things RACE lets you do is read arbitrary memory and exfiltrate keys needed to impersonate the vulnerable device with your already-paired phone
* Once you're impersonating the vulnerable device you can do all sorts of things on the paired phone like place/accept calls, listen on the microphone, etc.
This is pretty bad and you can easily see this being used to bypass other layers of auth like SMS verification or "have a robot call me and read me a code." It also makes me wonder if a spoofed device could appear as a HID device (e.g. a keyboard), but it's unclear whether the link key compromise works for new device classes.
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.