Google recalls some Titan security keys after it discovers Bluetooth flaw that could be exploited by hackers
- Google is recalling the Bluetooth variant of its Titan physical security keys
- A flaw could let hackers within 30 feet of users compromise their paired device
- The company is offering free replacement keys to users affected by the issue
Google is recalling some of its Titan Security Keys after it discovered that they could be hijacked by nearby hackers.
A misconfiguration in the key’s Bluetooth pairing protocols made it possible for a hacker who is within 30 feet of the user to either communicate with the security key or the device it’s paired with, Google said on Wednesday.
The bug only affects the Bluetooth variant of Google’s Titan Security Keys, not the USB version.
For the attack to work, the hacker would have to be near you at the moment you press the button on your key to turn it on.
They’d also have to know your username and password.
‘An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects,’ Christiaan Brand, a product manager at Google Cloud, said in a blog post.
‘In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.’
Once connected, hackers could manipulate your device by making their own device appear to it as a Bluetooth keyboard or mouse.
To determine if a Titan Security Key is affected, Google said users can check the back of the device.
If the key says ‘T1’ or ‘T2’, then it’s affected by the bug.
Google is offering free replacement keys for users who are affected by the security flaw.
The search giant began selling the Titan Security Key last July, offering the Bluetooth and USB versions as a bundle for $50, or $20 to $25 individually.
Security keys add another layer of authentication to a user’s device, requiring users to have their physical key on their person in order to log in to an account.
This makes it difficult for hackers to target a user, since they won’t be able to log in without the physical key.
Security keys are the most robust form of defense against phishing, one of the most common attacks used to steal passwords and give hackers access to accounts and data.
Google noted that the bug doesn’t impact the primary function of its Titan Security Keys, which is to prevent phishing.
‘Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),’ Brand added.
HOW DO I USE GOOGLE’S ADVANCED PROTECTION SYSTEM?
The advanced protection features include an option to require a physical USB security key to connect to a desktop computer before each log-in as a way to verify a user’s identity.
Mobile log-ins will require a Bluetooth wireless device.
Two Security Keys are required to enroll so that you’ll have a backup key in case you lose your main key.
A wireless-enabled key that can connect to both your computer and mobile devices should act as your main key, Google says.
Advanced protection users will have their data walled off from access by any non-Google third-party applications, such as the Apple iOS mail client or Microsoft Outlook.
The program also includes a more laborious and detailed account recovery process to prevent fraudulent access by hackers who try to gain access by pretending they have been locked out.
Google created a web page to walk users through setting up advanced protection, including where to purchase USB and Bluetooth security keys on Amazon.