ARS Technica says the real-world risk is pretty low:
“I don’t really worry about bugs like these,” Dan Guido, mobile security specialist and the CEO of security firm Trail of Bits, told me. “I’m glad someone is finding them and getting them fixed, but it’s not a big concern for me.”
The lack of real-world risk is a good thing. Many IoT devices receive few if any security updates, making it likely that many devices used in both homes and businesses will remain vulnerable to BleedingTooth for the rest of the time they’re used. Many of these devices were likely already vulnerable to BlueBorne and several other security bugs that have bitten Bluetooth in the past. So far, there are no reports of any of them being actively exploited.