
Google’s Titan Security Keys Vulnerable to Bluetooth Attacks

Google announced on Wednesday that it’s offering a free replacement for its Titan Security Key dongles following the discovery of a potentially serious vulnerability.


The Titan Security Key is designed to help users protect themselves against phishing attacks and account takeover by using FIDO standards for two-factor authentication (2FA). The product uses cryptography to verify the user’s security key and address when they log in to their account.

The problem impacts the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not affected. Google has set up a page where users are informed whether or not they have any impacted security keys connected to their Google account.

[Image: Titan Security Key Bluetooth vulnerability]

The security issue, described as a misconfiguration in the Titan’s Bluetooth pairing protocols, was reported to Google by Microsoft. The weakness allows an attacker who is in Bluetooth range to communicate with the security key and the device it is paired with.

However, Google notes that an attack is not easy to pull off as attackers would have to carry out their actions exactly when the victim is performing certain activities.

A hacker could connect their own device to the victim’s security key before the legitimate device connects, but the attack has to be launched at exactly the moment the target presses the button on their security key, which users are required to do when signing in to their account.

An attacker can also use their own device to masquerade as the victim’s security key and connect to the victim’s device when the button is pressed on the key. Once connected, the hacker can change the functionality of their device to a Bluetooth mouse or keyboard and perform actions on the victim’s device.

“This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” said Christiaan Brand, Product Manager at Google Cloud.


Feitian-branded security keys are also impacted by the vulnerability and are likewise eligible for a replacement, but customers may have to pay a very small fee. Outside the U.S., the keys are delivered via Amazon and the device can only be discounted to $1, Brand said on Twitter.

It’s worth noting that in the case of Feitian keys, the issue impacts versions 1, 2 and 3.

Users who have linked their security key to an iOS device can minimize the risk of attacks by unpairing the key immediately after using it. However, once iOS is updated to version 12.3, the affected security key will stop working altogether. In the case of Android, users can also unpair their device immediately after use, and starting with the upcoming June 2019 Security Patch Level the impacted Bluetooth devices will be unpaired automatically.

In both cases users have been advised to use their security key only in spaces where a potential attacker cannot be in physical proximity.

Related: G Suite Admins Can Now Disable Phone 2-SV

Related: Google Offers Added Account Protection With ‘Security Key’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
