Google will replace Bluetooth Titan Security Keys due to a security flaw

Google Titan's Bluetooth Security Key Can Be Used to Hack Paired Devices

Google is warning that the Bluetooth Low Energy (BLE) version of the Titan Security Key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

How do you know if you need a replacement?

This issue affects only the BLE version of the Titan Security Key. If your Titan Security Key has a "T1" or "T2" printed on the back, it has the security bug and is eligible for a replacement from Google. The same keys are sold in other countries under their original Feitian brand.

How the attack works

"When you're trying to sign into an account on your device, you are normally asked to press the button on your [Bluetooth Low Energy] security key to activate it", Google explained. The flaw lies in the key's Bluetooth pairing. For an attack to work, the attacker first has to be physically close to you, within about 30 feet, at the moment an app prompts you to press the Bluetooth key's button to log in. In that window, a nearby attacker could connect their own device to your security key before your own device did. Google also noted a second scenario, in which the attacker's device masquerades as your security key and connects to your phone or computer when you are prompted to press the button. If successful, the attacker could attempt to convert the hostile device into a Bluetooth keyboard or mouse and direct input to the compromised device.

Google stresses that the security issue does not affect the device's primary goal, which is protecting your account against phishing by a remote attacker, and the company is still recommending that people use the keys in their current state until replacements arrive, as some protection is better than none. It is because of these reasons that Google is replacing the keys rather than withdrawing them.

In the meantime, Google has some suggestions for you.

The company published the following advice for owners of faulty Bluetooth-powered Titan security keys, until replacements arrive. "After you've used your affected security key to sign into your Google Account, immediately unpair it". Unpairing has to be done from the device's Bluetooth settings [Android, iOS].

Users of "Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond" will be able to keep using their vulnerable BLE Titan Security Keys without this manual step, since the affected keys will get automatically unpaired after use.

Once you update to iOS 12.3, your affected security key will no longer work. Users of iOS 12.3 "will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key". If they are not already signed into their Google Account on the iOS device and are locked out, they can use the instructions Google has published to get back into their accounts.

Yubico's earlier warning

The news comes nearly a year after a statement by Yubico (which Google used to buy security keys from before developing its own) questioning the strength of Bluetooth-based security keys. "While Yubico previously initiated development of a [Bluetooth] security key and contributed to the [Bluetooth] U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability", the company said. "[Bluetooth] does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience", it said at the time.
