[Suggested description]
An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device.

------------------------------------------

[Additional Information]
The victim will lose the legitimate connection and therefore will lose the ability to control the device. This attack hijacks the connection even when someone else was actively using the device before. The original user loses control, and the attacker gains control of the device. Note that the user of the device remains capable of simply shutting it down. In order to exploit this vulnerability, the attacker must be within the radius in which the Bluetooth connection can be intercepted. This attack vector also requires specific hardware such as the Micro:bit.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
Lovense

------------------------------------------

[Affected Product Code Base]
Lush 2 - Cannot be determined.

------------------------------------------

[Affected Component]
Lush 2, Bluetooth interface

------------------------------------------

[Attack Type]
Local

------------------------------------------

[CVE Impact Other]
Take over normal device functionality from the original owner.

------------------------------------------

[Attack Vectors]
An attacker needs to be physically close (100ish meters) in order to take over control of the device.

------------------------------------------

[Reference]
N/A

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security, on assignment from the Consumentenbond.

Use CVE-2020-11921.