Forum Post: RE: Is the BLE stack source available, or is enough hardware information available to implement a BLE stack on the CC2540/CC2541?

I demonstrated sniffing the key exchange and recovering the LTK when using both Just Works and 6-digit PIN at ShmooCon in February 2013. For details, refer to my site, which has a video of the talk and the source code necessary to break BTLE's key exchange.

OOB key exchange (by physical wire, for instance) is the only reliable method to establish a secure link layer connection. I will be demonstrating some alternatives to BTLE's built-in security at BlackHat USA this July 2013.

It is possible (even relatively straightforward) to implement a BTLE stack using the CC254x's proprietary radio. I have a compelling proof-of-concept implemented on Ubertooth, which has a much less capable CC2400 radio chip. The 254x handles a lot of the annoying stuff in silicon (such as whitening and CRC calculation/verification).

Saying that all 2300 pages of Core 4.0 are required for BTLE is false at face value. A significant portion of the spec is devoted to BR, EDR, and AMP. I estimate that you need well under 1000 pages (probably closer to 400-500) to implement a full stack on top of the CC254x's proprietary radio.

Apologies for resurrecting this near-dead thread.
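The two link-layer steps the post says the CC254x handles in silicon, whitening and CRC-24, written out as an added example (not code from this thread, from TI, or from the Ubertooth project), in pure Python from the Core spec description of the two LFSRs; it assumes advertising channel 37 and the advertising-channel CRC init 0x555555, and the sample PDU in the usage is constructed.

```python
# Added example, not code from this thread or from TI: the two link-layer
# steps the CC254x does in silicon, written from the Core spec description
# of the whitening LFSR (x^7 + x^4 + 1) and the CRC-24 polynomial.

ADV_CRC_INIT = 0x555555   # CRC init for advertising channel PDUs (spec value)


def whiten(data: bytes, channel: int) -> bytes:
    """Whiten or de-whiten (same operation) one PDU for the given channel.

    Bit 6 of `lfsr` holds spec position 0 (seeded with 1) and bit 0 holds
    position 6, so the output tap is the low bit; channel bits 5..0 land in
    positions 1..6. Bits go LSB first, matching the air order of each byte.
    """
    lfsr = 0x40 | (channel & 0x3F)
    out = bytearray()
    for byte in data:
        for i in range(8):
            if lfsr & 1:
                byte ^= 1 << i
                lfsr = (lfsr >> 1) ^ 0x44   # feed back into positions 0 and 4
            else:
                lfsr >>= 1
        out.append(byte)
    return bytes(out)


def crc24(data: bytes, init: int = ADV_CRC_INIT) -> int:
    """Bit-serial BLE CRC-24 (x^24+x^10+x^9+x^6+x^4+x^3+x+1), LSB first.

    The register is the spec figure mirrored: the data bit is compared with
    bit 0, the feedback mask 0xDA6000 is the reversed polynomial, and the
    init value is loaded reversed. Pack the result little-endian and the
    three bytes are in transmission order.
    """
    state = int(f"{init:024b}"[::-1], 2)
    for byte in data:
        for i in range(8):
            if (state ^ (byte >> i)) & 1:
                state = (state >> 1) ^ 0xDA6000
            else:
                state >>= 1
    return state


def frame_for_air(pdu: bytes, channel: int, init: int = ADV_CRC_INIT) -> bytes:
    """CRC covers the unwhitened PDU; whitening then covers PDU plus CRC."""
    return whiten(pdu + crc24(pdu, init).to_bytes(3, "little"), channel)


def frame_from_air(raw: bytes, channel: int, init: int = ADV_CRC_INIT):
    """Return (pdu, crc_ok); a zero residue over PDU+CRC means intact."""
    clear = whiten(raw, channel)
    return clear[:-3], crc24(clear, init) == 0
```

A receiver de-whitens first and then checks the CRC residue, which is why a single flipped bit on the air still shows up as a CRC failure after de-whitening.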
