SecurityWeek

Identity & Access

Google’s Titan Security Keys Vulnerable to Bluetooth Attacks

Google announced on Wednesday that it’s offering a free replacement for its Titan Security Key dongles following the discovery of a potentially serious vulnerability.

The Titan Security Key is designed to help users protect themselves against phishing attacks and account takeover by using FIDO standards for two-factor authentication (2FA). The product uses cryptography to verify the user’s security key and address when they log in to their account.

The problem impacts the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not affected. Google has set up a page where users can check whether any impacted security keys are connected to their Google account.

The security issue, described as a misconfiguration in the Titan’s Bluetooth pairing protocols, was reported to Google by Microsoft. The weakness allows an attacker who is in Bluetooth range to communicate with the security key and the device it is paired with.

However, Google notes that an attack is not easy to pull off as attackers would have to carry out their actions exactly when the victim is performing certain activities.

A hacker could connect their own device to the victim’s security key before the legitimate device connects, but they have to launch the attack exactly when the target presses the button on their security key, which users are required to do when signing in to their account.

An attacker can also use their own device to masquerade as the victim’s security key and connect to the victim’s device when the button is pressed on the key. Once connected, the hacker can change the functionality of their device to a Bluetooth mouse or keyboard and perform actions on the victim’s device.

“This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” said Christiaan Brand, Product Manager at Google Cloud.

Feitian-branded security keys are also impacted by the vulnerability and they are also eligible for a replacement, but customers may have to pay a very small fee. Outside the U.S., the keys are delivered via Amazon and the device can only be discounted to $1, Brand said on Twitter.

It’s worth noting that in the case of Feitian keys, the issue impacts versions 1, 2 and 3.

Users who have linked their security key to an iOS device can minimize the risk of attacks by unpairing the key immediately after using it. However, after iOS is updated to version 12.3, the security key will stop working. In the case of Android, users can also unpair their device immediately after use, and starting with the upcoming June 2019 Security Patch Level the impacted Bluetooth devices will be unpaired automatically.

In both cases users have been advised to use their security key only in spaces where a potential attacker cannot be in physical proximity.

Related: G Suite Admins Can Now Disable Phone 2-SV

Related: Google Offers Added Account Protection With ‘Security Key’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
