
CC256XSTBTBLESW: Is the dual mode TI Bluetooth stack vulnerable to BLESA?

Part Number: CC256XSTBTBLESW

Can you tell me whether the TI Bluetooth Stack with the CC256x module are vulnerable to the BLESA attack?

  • We are analyzing this vulnerability and will get back this week.

    Thanks

  • The BLESA vulnerability describes two scenarios in which the attacks may potentially succeed:
    1. If bonding was established between two devices and the Generic Attribute Profile (GATT) client trusts the server with a response for a service request with 'insufficient encryption, authentication or authorization'
    2. The GATT client continues with an unencrypted link with the server in case the encryption request fails with a previously bonded device

    Suggested mitigations:

    Based on the current analysis of the vulnerability, the recommended mitigation is for the application to ensure that any access to GATT characteristics that require an encrypted, authenticated or authorized link cannot be achieved without the needed security restrictions at the service level. The recommended mitigation is applicable to applications that incorporate the Generic Access Profile (GAP) central role to (i) initiate encryption once a connection is established with a previously bonded device and (ii) in case the encryption process fails, because the peer does not have the long term key (LTK), either re-initiate pairing or terminate the link.

    The Bluetopia stack provides needed services/APIs to apply the recommended mitigations for the application. Please refer to the 'HCI_LE_Start_Encryption' API in 'BluetopiaCoreAPI.pdf' for initiating encryption on previously bonded devices. 

    Thanks
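The central-side policy the reply above recommends (initiate encryption on reconnection to a bonded peer, refuse to carry on in plaintext when the peer cannot produce the LTK, and gate protected characteristic access on the link's actual security state) is shown below as an added example. It is not TI's or Bluetopia's code and does not call the Bluetopia API; the `hook_*` functions, the `central_*` functions, the `PERM_*` bits and the link/policy enums are hypothetical names for a self-contained model that only records which stack action would have been taken. The only real constants are the HCI status values 0x00 (Success) and 0x06 ("PIN or Key Missing"), which is what an Encryption Change event reports when the peer lacks the key.

```c
/* Added example (hypothetical model, not TI/Bluetopia code): a GAP-central
 * policy layer that applies the BLESA mitigation steps (i) and (ii). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_STATUS_SUCCESS            0x00
#define HCI_STATUS_PIN_OR_KEY_MISSING 0x06   /* Core spec error: peer does not hold the key */

/* Characteristic permission bits (hypothetical names, mirroring ATT security levels). */
#define PERM_NONE          0x00
#define PERM_ENC_REQUIRED  0x01
#define PERM_AUTH_REQUIRED 0x02

typedef enum {
    LINK_DISCONNECTED,
    LINK_CONNECTED_PLAINTEXT,   /* ACL up, no encryption yet */
    LINK_ENCRYPTING,            /* LE Start Encryption sent, awaiting Encryption Change */
    LINK_ENCRYPTED,
    LINK_REPAIRING              /* LTK rejected, fresh pairing in progress */
} link_state_t;

typedef enum { ON_LTK_FAIL_TERMINATE, ON_LTK_FAIL_REPAIR } ltk_fail_policy_t;

typedef struct {
    link_state_t      state;
    bool              bonded;          /* we hold an LTK for this peer address */
    bool              authenticated;   /* that LTK came from an MITM-protected pairing */
    ltk_fail_policy_t policy;
    int               start_encryption_calls;   /* counters so the flow can be checked */
    int               pairing_calls;
    int               disconnect_calls;
} central_link_t;

/* Hooks standing in for stack calls (in Bluetopia this is where HCI_LE_Start_Encryption,
 * pairing and disconnect would be invoked). Here they only record the action. */
static void hook_start_encryption(central_link_t *l) { l->start_encryption_calls++; l->state = LINK_ENCRYPTING; }
static void hook_start_pairing(central_link_t *l)    { l->pairing_calls++;          l->state = LINK_REPAIRING; }
static void hook_disconnect(central_link_t *l)       { l->disconnect_calls++;       l->state = LINK_DISCONNECTED; }

/* Step (i): on connection to a previously bonded peer the central starts
 * encryption itself instead of waiting for an ATT error from the server. */
void central_on_connected(central_link_t *l) {
    l->state = LINK_CONNECTED_PLAINTEXT;
    if (l->bonded) hook_start_encryption(l);
}

/* Step (ii): handle the Encryption Change result. A spoofed server without our
 * LTK fails with "PIN or Key Missing"; the link must not fall back to plaintext. */
void central_on_encryption_change(central_link_t *l, uint8_t hci_status) {
    if (hci_status == HCI_STATUS_SUCCESS) { l->state = LINK_ENCRYPTED; return; }
    if (l->policy == ON_LTK_FAIL_REPAIR)
        hook_start_pairing(l);      /* user-visible re-pairing yields a new LTK */
    else
        hook_disconnect(l);
}

/* Client-side gate (BLESA scenario 1): access to a protected characteristic is
 * refused unless the link already meets its requirement, whatever the server answers. */
bool central_access_allowed(const central_link_t *l, uint8_t perm) {
    if (perm & PERM_AUTH_REQUIRED)
        return l->state == LINK_ENCRYPTED && l->authenticated;
    if (perm & PERM_ENC_REQUIRED)
        return l->state == LINK_ENCRYPTED;
    return l->state == LINK_CONNECTED_PLAINTEXT || l->state == LINK_ENCRYPTED;
}

/* Walk-through: reconnect to a bonded address, but the responder is an impersonator
 * without the LTK. Returns true when the protected read is blocked. */
bool demo_spoofed_reconnect(ltk_fail_policy_t policy) {
    central_link_t l = { .bonded = true, .authenticated = true, .policy = policy };
    central_on_connected(&l);                                        /* encryption requested */
    central_on_encryption_change(&l, HCI_STATUS_PIN_OR_KEY_MISSING); /* attacker has no key */
    return !central_access_allowed(&l, PERM_ENC_REQUIRED);
}

int main(void) {
    printf("terminate policy blocks read: %s\n", demo_spoofed_reconnect(ON_LTK_FAIL_TERMINATE) ? "yes" : "no");
    printf("re-pair policy blocks read:   %s\n", demo_spoofed_reconnect(ON_LTK_FAIL_REPAIR) ? "yes" : "no");
    return 0;
}
```

The point of `central_access_allowed` is that the decision is taken from the central's own link state, never from the server's willingness to respond; a vulnerable client that trusted the server would read the "protected" value over the plaintext link the impersonator offers.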