Sunday, 21 July 2019
Latest news
Main » Google recalls some Titan security keys after it discovers Bluetooth flaw

Google recalls some Titan security keys after it discovers Bluetooth flaw

17 May 2019

"You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue", it said.

Due to a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key - within approximately 9.14m - to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. It allows a so-called Man in The Middle (MiTM) attack, in which someone could get between your Titan key and the device it's communicating with. If they do that, then they've just been granted access to your account using the security key that was supposed to add another layer of protection. Indeed, Google says that these issues don't affect the primary goal of security keys - defending against remote attackers - and that they don't apply to USB or NFC keys. "In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly", Google explained. These keys are a low-priced method of two-factor authentication that provides an added layer of security when logging in to your Google account.

Brand also noted that once a security key is paired with a user's device, a hacker could use their Bluetooth device to masquerade as the security key and then connect to other devices at the moment a victim is asked to press the key's button.

Or, they could, in effect, use their device as a Bluetooth accessory like a keyboard to take control of your computer. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account.

This flaw vindicates the somewhat controversial decision a year ago by rival security-key maker Yubico to not manufacture Bluetooth-enabled security keys.

Google is doing this because Microsoft reported a security vulnerability affecting these security keys. In this case, the security issue does not affect the device's primary goal. The good news is Google identified the issue and will send you a free replacement that closes the loophole.

This makes it hard for hackers to target a user, since they won't be able to login without the physical key.

Rival vendor Yubico has refrained from offering a Bluetooth security key, claiming the technology "does not meet our standards for security, usability, and durability".

It's the most robust form of defense against phishing, one of the most common attacks meant to steal your password, giving hackers access to your account and data. Google is also still recommending that people use the keys in their current state as some protection is better than none.

In normal operation, you'd first register your BLE-enabled Titan key with the web service you're using, generating a secret that is stored on the key.

Article updated with Google comment regarding Feitian-branded keys.

Google recalls some Titan security keys after it discovers Bluetooth flaw