Bluetooth LE with Secure Connection and static passkey: This is a bad idea, right?

I am currently looking into how to protect a BLE connection from active attacks (man-in-the-middle) if one of the devices neither has a display nor a keyboard.

Lemberg Solutions suggests this:

Alternatively, the passcode can be shipped together with the devices (on paper or as part of an online purchase), and the user should then manually input it to each separate device.

This can only mean that one device (device A) (most likely one without a keyboard and without a display) has a passkey embedded in the device somewhere. So it is static. This static passkey is also used by the other device (device B) (e.g. entered using keyboard input, via camera, …). The same passkey will be used every time BLE pairing is established with device A.

Am I understanding their suggestion correctly?

My understanding of Secure Connections with passkey is, that each device does the following for each bit of the passkey:

  • create a nonce
  • calculate a confirmation value using: nonce, passkey[i], SK
  • exchange the confirmation values with the other device (send own, receive other)
  • exchange the nonces (send own, receive other)
  • check that the confirmation value of the other device is correct If one of the checks fails, the connection is dropped.

In the case of a man-in-the-middle attack, the attacker can figure out the passkey by “brute-forcing” each bit. After all, there are only two possibilities for each bit.

This is not harmful for the current connection, because the attacker is “too late” to use the passkey. And it is not harmful if a different passkey is used for the next connection. But this is fatal if another connection is made using the same passkey (which is going to happen if a static passkey is used).

So, after the attacker listened to the pairing attempt, she interrupts the connection (e.g. right after the last set of nonces was transmitted). Now she only has to wait until the next connection attempt is made. She can now hijack the whole connection.

Is my assessment of this situation correct and the static passkey is a bad idea or am I overlooking something?