Downgrade attacks are generally something you have to be careful of when designing security protocols, especially in the case where legacy exists.
There is also a big difference between a simple passive eavesdropper attack and an active attack (this one).
I wonder whether this is the first of more to come - it is easy to imagine a couple of ideas for future attacks (all well-known techniques) which might also be possible.
Displaying the security method used is all well and good on a controller, but it depends on the user knowing or caring about what they are being told.
A recent example I encountered was where a car dealership was pairing a phone to a new car using Bluetooth. I quote: “You don’t need to check the numbers, they are always the same.” This is only true if there is not an active attacker. In this case the user has trained themselves to ignore the warnings and just hit OK. This is the same as just pressing OK on those annoying dialog boxes that get in your way on your favorite OS when you are trying to do something.
I suspect there are easier ways for people to get in (smash doors/windows, rubber hose cryptanalysis, or more sophisticated - removing cryptographic information from devices outside the home, etc), each with their trade-offs and traceability.
I am not worried by this, as I think when you consider the balance between the cost of the attack (active vs passive) and temporal element (having to be there at the right time), it is very unlikely in the end today.
Interesting nevertheless, if you like that sort of thing.
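A worked illustration of the "you don't need to check the numbers" point above, as an added example that is not part of the original comment and not code from any product or stack it mentions. It models the numeric-comparison check value after Bluetooth BR/EDR Secure Simple Pairing's g() (SHA-256 over both public-key x-coordinates and both nonces, reduced to 32 bits and then to six decimal digits). Assumptions: random 32-byte strings stand in for the ECDH public-key x-coordinates, no real key agreement is performed, and the attacker model is an active man-in-the-middle who substitutes its own public key in each direction while relaying the nonces unchanged. The names `g`, `honest_pairing`, `mitm_pairing` and `user_confirms` are the example's own.

```python
import hashlib
import os


def g(pk_ax: bytes, pk_bx: bytes, na: bytes, nb: bytes) -> int:
    """Numeric-comparison value, modelled on SSP's g():
    SHA-256(PKax || PKbx || Na || Nb) mod 2^32, then mod 10^6 for the
    six digits each device displays to the user."""
    digest = hashlib.sha256(pk_ax + pk_bx + na + nb).digest()
    return (int.from_bytes(digest, "big") % (1 << 32)) % 1_000_000


def honest_pairing(pk_a: bytes, pk_b: bytes, na: bytes, nb: bytes) -> tuple:
    """No attacker: both devices hash the same inputs, so the two
    screens show the same six-digit number."""
    va = g(pk_a, pk_b, na, nb)  # what device A displays
    vb = g(pk_a, pk_b, na, nb)  # what device B displays
    return va, vb


def mitm_pairing(pk_a: bytes, pk_b: bytes, na: bytes, nb: bytes,
                 pk_m_to_a: bytes, pk_m_to_b: bytes) -> tuple:
    """Active attacker: A receives the attacker's key pk_m_to_a believing it
    is B's, and B receives pk_m_to_b believing it is A's. Nonces are relayed
    unchanged (the attacker's best case). Because the public keys fed into
    g() differ on the two sides, the displayed numbers differ with
    overwhelming probability (a match is a 1-in-10^6 accident)."""
    va = g(pk_a, pk_m_to_a, na, nb)  # A's view of the exchange
    vb = g(pk_m_to_b, pk_b, na, nb)  # B's view of the exchange
    return va, vb


def user_confirms(va: int, vb: int, checks_numbers: bool) -> bool:
    """A user who actually compares the two numbers rejects a mismatch;
    a user trained to 'just hit OK' accepts the pairing regardless."""
    if checks_numbers:
        return va == vb
    return True


if __name__ == "__main__":
    # Constructed sample inputs: stand-ins for P-256 x-coordinates and
    # 128-bit nonces; nothing here is a real key.
    pk_a, pk_b = os.urandom(32), os.urandom(32)
    pk_m_to_a, pk_m_to_b = os.urandom(32), os.urandom(32)
    na, nb = os.urandom(16), os.urandom(16)

    va, vb = honest_pairing(pk_a, pk_b, na, nb)
    print(f"honest: A shows {va:06d}, B shows {vb:06d}")

    va, vb = mitm_pairing(pk_a, pk_b, na, nb, pk_m_to_a, pk_m_to_b)
    print(f"MITM:   A shows {va:06d}, B shows {vb:06d}")
    print("careful user pairs:", user_confirms(va, vb, checks_numbers=True))
    print("'always the same' user pairs:", user_confirms(va, vb, checks_numbers=False))
```

The numbers really are always the same when nobody is in the middle, which is exactly why the check feels pointless in day-to-day use; the protocol only ever asks the user to do work in the one case that matters, and a user who has learned to press OK removes the only defence the numeric-comparison association model has against an active attacker.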