Inquiry Regarding BLUFFS CVE Vulnerability

If you used the same security (key len) values from the SDK examples, you will be vulnerable. These set the min key strength to 7 for maximum interoperability (and compatibility with international laws).

Your developer is free to set the value to 16 in your custom firmware which would fix the issue AFAIK. Using unmodified example code is not advisable in any case.

Hi Niteen, 

I'm waiting for the official answer from our Product Security team but from what I can find in the description of the vulnerability, it should only affect Bluetooth BR/EDR devices, meaning Bluetooth Classic not Bluetooth Low Energy (BLE). 

So it would not be relevant for our products. 

Hi Niteen, 
We got the confirmation from our Security team that the vulnerability doesn't impact Bluetooth Low Energy and only relevant to Bluetooth Classic (BR/EDR). 

Please see the official Bluetooth SIG Statement for more details https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bluffs-vulnerability/