
Bluetooth pairing bug forces Google to recall select Titan Security Keys

By Shawn Knight
May 15, 2019
  1. A misconfiguration in the wireless pairing protocols of the Bluetooth Low Energy (BLE) version of the Titan Security Key has forced Google to recall the device.

    The bug could allow an attacker who is in range (within approximately 30 feet) of the device when it is used to communicate with the key or with the device it is paired to. To exploit the misconfiguration, an attacker would have to time events perfectly, as Google outlines:

    • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
    • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

    To determine if your key is affected, check the back of the device. If you see “T1” or “T2” then your key is impacted and you are eligible for a free replacement. Because the bug only affects Bluetooth pairings, non-Bluetooth versions of the security key aren’t affected.

    Christiaan Brand, a product manager with Google Cloud, said current users of Bluetooth Titan Security Keys should continue to use them while they wait for their replacement, as security keys provide the strongest protection against phishing. In this case, the security issue does not affect the device's primary purpose.

    Lead image courtesy zimmytws via Shutterstock


  2. jobeard

    jobeard TS Ambassador Posts: 12,996   +1,555

    Phishing defense? Really?
    1. Whereas phishing is a social engineering attack, an informed user is the strongest defense, one who can control their own feelings of paranoia.
    2. A physical device always carries the risk that ANY flaw in the future will require a traumatic and sadly time-squandering replacement.
  3. mattfrompa

    mattfrompa TS Evangelist Posts: 576   +73

    Really? This is like arguing against helmets because they don't prevent all injuries. Multi-factor authentication absolutely does increase your security, ON TOP OF being an informed user. If you want to wait for perfection, your wait will never end.
  4. jobeard

    jobeard TS Ambassador Posts: 12,996   +1,555

    Clearly you didn't understand my post.

    I'm not dissing MFA, but rather that Phishing can never be protected by any authentication technique as it impacts our emotional response to bad news. We get driven by emotion to open the document loaded with an attack.
