Bluetooth Vulnerability, BLURtooth, Unpatched

engine

3:09 pm on Sep 10, 2020 (gmt 0)


Bluetooth 4.0 and 5.0 devices are vulnerable to an attack that is, as yet, unpatched. Dubbed BLURtooth, it is a potential man-in-the-middle attack.
For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing.
The Bluetooth SIG is recommending that potentially vulnerable implementations introduce the restrictions on Cross-Transport Key Derivation mandated in Bluetooth Core Specification versions 5.1 and later.

[bluetooth.com...]