Google recalls some Titan security keys after finding Bluetooth vulnerability
Google is recalling its Bluetooth Titan security keys due to a vulnerability that could allow attackers to connect to your device. No need to panic — the bug only seems to apply to a very narrow set of circumstances, according to a blog post published by Google on Wednesday. The attacker would have to be within 30 feet of you during the moment you press the button on your Titan Key to activate it, and also know your username and password. In this scenario, the attacker could then use their device to act as your security key and access your device.
Not all Titan Security Keys have the bug, which Google says is due to a misconfiguration in the key’s Bluetooth pairing protocols. Only the Bluetooth Low Energy (BLE) model is impacted. If your Titan Security Key has a “T1” or “T2” on the back of it, it means it has the security bug and is eligible for a replacement from Google.
But even if your Titan Security Key has the bug, don’t stop using it while waiting for a replacement. Google warns that even a key with a security bug is safer than using no key at all. Just take extra precautions, such as using your security key away from other people and immediately unpairing it after you sign in to your Google account. Google has published more specific instructions for iOS and Android devices.
The large number of security flaws found in Bluetooth-enabled devices in recent years has raised questions of whether the technology is safe. Yubico, Google’s competitor in the security key space, criticized Google for launching a Bluetooth-enabled security key. “BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience,” wrote the company in a blog post last year.
Armis CTO and co-founder Nadir Izrael similarly told Engadget in an email: “Bluetooth is a complicated protocol and I’m not surprised to see an issue. This vulnerability highlights the importance of testing to ensure there are no exposures or misconfigurations when implementing the Bluetooth protocol.
We saw similar issues with BlueBorne, where we identified how a Bluetooth implementation level issue can lead to an RCE or Man-in-the-Middle attack. Google is a good organization focused on security. But if this got by them, imagine the issues facing the potential 10 to 12 billion other Bluetooth devices out there. Are those manufacturers making sure they have closed those security gaps?”
But the scope of the threat impacting the Titan security keys appears to be pretty small, according to Lauren Weinstein of People for Internet Responsibility. He added that using the Bluetooth security key for two-factor authentication is far safer than turning it off altogether or relying on SMS authentication. “(…the Titan security bug) needs to be fixed of course, and Google is doing that by offering free replacement keys, but for most users it is unlikely to be a problem in practice,” said Weinstein in a direct message to Engadget.