Google's Titan Security Keys Vulnerable to Bluetooth Attacks

Google announced on Wednesday that it’s offering a free replacement for its Titan Security Key dongles following the discovery of a potentially serious vulnerability.

The Titan Security Key is designed to help users protect themselves against phishing attacks and account takeover by using FIDO standards for two-factor authentication (2FA). The product uses cryptography to verify the user’s security key and address when they log in to their account.

The problem impacts the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not affected. Google has set up a page where users are informed whether or not they have any impacted security keys connected to their Google account.

The security issue, described as a misconfiguration in the Titan’s Bluetooth pairing protocols, was reported to Google by Microsoft. The weakness allows an attacker who is in Bluetooth range to communicate with the security key and the device it is paired with.

However, Google notes that an attack is not easy to pull off as attackers would have to carry out their actions exactly when the victim is performing certain activities.

A hacker could connect their own device to the victim’s security key before the legitimate device connects, but they have to launch the attack exactly when the target presses the button on their security key, which users are required to do when signing in to their account.

An attacker can also use their own device to masquerade as the victim’s security key and connect to the victim’s device when the button is pressed on the key. Once connected, the hacker can change the functionality of their device to a Bluetooth mouse or keyboard and perform actions on the victim’s device.

“This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” said Christiaan Brand, Product Manager at Google Cloud.

Feitian-branded security keys are also impacted by the vulnerability and they are also eligible for a replacement, but customers may have to pay a very small fee. Outside the U.S., the keys are delivered via Amazon and the device can only be discounted to $1, Brand said on Twitter.

It’s worth noting that in the case of Feitian keys, the issue impacts versions 1, 2 and 3.

Users who have linked their security key to an iOS device can minimize the risk of attacks by unpairing the key immediately after using it. However, after iOS is updated to version 12.3, the security key will stop working. In the case of Android, users can also unpair their device immediately after use, and starting with the upcoming June 2019 Security Patch Level the impacted Bluetooth devices will be unpaired automatically.

In both cases users have been advised to use their security key only in spaces where a potential attacker cannot be in physical proximity.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.