Google’s Bluetooth Titan 2FA keys have a weird security vulnerability


Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

A misconfiguration in the wireless pairing protocols of the Bluetooth Low Energy (BLE) version of the Titan Security Key has forced Google to recall the device. The flaw leaves users exposed to attackers within roughly 30 feet while the key is in use.

"After you've used your key to sign into your Google account on your device, immediately unpair it." Since the Titan Security Key's main objective is to prevent phishing attacks, Google has stated that even using an affected key is safer than no key at all. If your Titan Security Key has a "T1" or "T2" on the back of it, it has the security bug and is eligible for a replacement from Google. For instance, someone who already has your username and password could - in theory - pair their device to your security key at the moment you press the button on your Titan to validate your credentials. "After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device," Brand said. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account.

But Google isn't taking that risk and is replacing affected Titan Keys.

The Bluetooth-enabled devices are one variety of low-priced security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection.

If you're using one of Google's Titan Bluetooth Security Keys to sign into all your two-factor protected accounts, there's good news and bad news.

The company also provided a number of steps intended to help users of iOS (12.2 or earlier) and Android devices who rely on the BLE version of the Titan Security Key minimize the security risk until they receive their replacement keys. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey. Everything was fine and dandy for a while, but then today Google alerted users to a rather peculiar flaw in its BLE Titan keys.


"From a technology perspective, these keys are wonderful; they make security a lot easier to consume."

The threat of having the key hijacked and the current incompatibility with the latest release of iOS are sure to generate further user resistance to using the BLE-based keys.

Once you update to iOS 12.3, your affected security key will no longer work. "You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3", Google said.

"After you've used your affected security key to sign into your Google Account, immediately unpair it".

According to the BLE Titan Security Key store page, "Titan Security Keys help prevent phishing and keep out anyone who shouldn't have access to your online accounts".

Article updated with Google comment regarding Feitian-branded keys.
