A state machine transition flaw in the Bluetooth Low Energy (BLE) stack of Cypress PSoC4 v3.66 allows attackers to bypass the pairing process and authentication via a crafted pairing_failed packet.
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.