Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Google’s Titan Security Keys Vulnerable to Bluetooth Attacks

Google announced on Wednesday that it’s offering a free replacement for its Titan Security Key dongles following the discovery of a potentially serious vulnerability.

Google announced on Wednesday that it’s offering a free replacement for its Titan Security Key dongles following the discovery of a potentially serious vulnerability.

The Titan Security Key is designed to help users protect themselves against phishing attacks and account takeover by using FIDO standards for two-factor authentication (2FA). The product uses cryptography to verify the user’s security key and address when they log in to their account.

The problem impacts the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not affected. Google has set up a page where users are informed whether or not they have any impacted security keys connected to their Google account.Titan Security Key Bluetooth vulnerability

The security issue, described as a misconfiguration in the Titan’s Bluetooth pairing protocols, was reported to Google by Microsoft. The weakness allows an attacker who is in Bluetooth range to communicate with the security key and the device it is paired with.

However, Google notes that an attack is not easy to pull off as attackers would have to carry out their actions exactly when the victim is performing certain activities.

A hacker could connect their own device to the victim’s security key before the legitimate device connects, but they have to launch the attack exactly when the target presses the button on their security key, which users are required to do when signing in to their account.

An attacker can also use their own device to masquerade as the victim’s security key and connect to the victim’s device when the button is pressed on the key. Once connected, the hacker can change the functionality of their device to a Bluetooth mouse or keyboard and perform actions on the victim’s device.

“This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” said Christiaan Brand, Product Manager at Google Cloud.

Feitian-branded security keys are also impacted by the vulnerability and they are also eligible for a replacement, but customers may have to pay a very small fee. Outside the U.S., the keys are delivered via Amazon and the device can only be discounted to $1, Brand said on Twitter.

It’s worth noting that in the case of Feitian keys, the issue impacts versions 1, 2 and 3.

Users who have linked their security key to an iOS device can minimize the risk of attacks by unpairing the key immediately after using it. However, after iOS is updated to version 12.3, the security key will stop working. In the case of Android, users can also unpair their device immediately after use, and starting with the upcoming June 2019 Security Patch Level the impacted Bluetooth devices will be unpaired automatically.

In both cases users have been advised to use their security key only in spaces where a potential attacker cannot be in physical proximity.

Related: G Suite Admins Can Now Disable Phone 2-SV

Related: Google Offers Added Account Protection With ‘Security Key’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.