Google Titan Security Key is Vulnerable.
Titan Security Keys Could Be Hacked through Bluetooth pairing.
In July 2018, Google launched the Titan Security Key.
Titan Security Keys are two-factor authentication (2FA) devices, built to resist malicious attacks, that help protect high-value users such as IT admins. They help guard against malicious programs and secure your Google Account with the Advanced Protection Program.
Google has disclosed a security issue with the Bluetooth Low Energy (BLE) Titan Security Key.
What’s the Bug inside the Titan Security Keys?
The bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected.
Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.
What is the security issue?
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.
In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:
- When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
- Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker.
How to protect yourself?
Follow the steps for iOS and Android devices.
For iOS devices:
For devices running iOS version 12.2 or earlier, Google recommends using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet).
After you’ve used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.
Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key.
If you are already signed into your Google Account on your iOS device, do not sign out because you won’t be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices.
For Android and other devices:
Google recommends using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your affected security key to sign into your Google Account, immediately unpair it.
Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.
How to get a replacement key?
We recommend that everyone with an affected BLE Titan Security Key get a free replacement by visiting google.com/replacemykey.
Is it still safe to use my affected BLE Titan Security Key?
It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available.
That’s why Apple and Yubico have refused to support BLE-enabled security keys.