In brief: Google recently became aware of a security issue impacting select Titan Security Keys. The matter doesn't affect the device's primary purpose - thwarting phishing attempts - but could allow an attacker in physical proximity, at the moment the key is used, to gain access to it or its paired device.
A misconfiguration in the wireless pairing protocols of the Bluetooth Low Energy (BLE) version of the Titan Security Key has forced Google to recall the device.
The bug could allow an attacker who is in range – within approximately 30 feet – of the device, at the moment it is used, to communicate with the key or the device it is paired to. In order to exploit the misconfiguration, an attacker would have to time events perfectly, as Google outlines:
- When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
- Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
To determine if your key is affected, check the back of the device. If you see “T1” or “T2” then your key is impacted and you are eligible for a free replacement. Because the bug only affects Bluetooth pairings, non-Bluetooth versions of the security key aren’t affected.
Christiaan Brand, a product manager with Google Cloud, said current users of Bluetooth Titan Security Keys should continue to use them while they wait for their replacement, as security keys provide the strongest protection against phishing. In this case, the security issue does not affect the device's primary purpose.
Lead image courtesy zimmytws via Shutterstock