Last July, Google announced its Titan line of security keys for two-factor authentication. The company today identified an issue with the Bluetooth variant that can be used by an attacker in close proximity to you.
According to Google, there is a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” This only affects the battery-powered fob, and not the key that directly plugs in via USB. The Google Store sells both in a $50 bundle.
It is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.
There are two specific scenarios where the Titan Security Key can be exploited. The first is before setup, and the second is during regular usage:
Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
Fobs physically labeled with “T1” or “T2” on the back are affected by the issue and are eligible for free replacement. The site below will automatically look for Titan Security Keys tied to your account and generate a Google Store promo code.
We recommend that everyone with an affected BLE Titan Security Key get a free replacement by visiting google.com/replacemykey.
Google is also providing steps for Android and iOS users to protect themselves immediately. iOS 12.3, which Apple released earlier this week, will automatically unpair any affected keys, and Android’s June security patch will do the same.