Google warns Titan Security Key has Bluetooth bug that leaves it vulnerable

Ceria Alfonso
May 16, 2019

To minimize potential risk - Google's Advanced Protection Program is intended specifically for those likely to be targeted by cyber attacks - Google is advising iOS and Android users to log in to their devices in protected places where no attacker is likely to be nearby.

This episode is unfortunate since, as Broad notes, physical security keys remain the strongest protection now available against phishing and other types of account takeovers.

Where Titan distinguished itself, however, was in adding Bluetooth functionality - essentially giving the option to use the key from within around 9.14 m.

Last year, Google began selling the product as part of a $50 bundle containing one Bluetooth-enabled key and one standard USB security key.

A flaw in some of the keyfobs' Bluetooth Low Energy (BLE) software could let an attacker within about 30 feet of you hijack the key-registration or device-pairing processes, Google warned in a blog post today (May 15).

Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers.


Titan security keys without Bluetooth capabilities, such as those that work via NFC or USB, are not affected. Google has a few suggestions for those who use the affected Bluetooth keys. In this set of circumstances, the attacker could sign into your account using their own device if the attacker had somehow already obtained your username and password and could time these events exactly. However, the company recommended that users do not stop using the keys until they get a replacement, as they can provide enhanced security compared to not using a security key at all.

That said, Google has been selling its security key technology to businesses, which have to worry about insider threats and corporate espionage. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device. "You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3", Google said.

Once you update to iOS 12.3, your affected security key will no longer work. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. "BLE (Bluetooth Low Energy) does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience", the company said a year ago.

Before you can use your security key, it must be paired to your device. In this case, the security issue does not affect the device's primary objective.

Editor's Note: This story has been corrected to note Google is not recalling the product, but offering free replacements.

Article updated with Google comment regarding Feitian-branded keys.
