Google is recalling Bluetooth versions of its Titan Security Key after finding a vulnerability that allows attackers in close proximity to take control of the device.
Google’s Titan Security Key, launched in the U.S. market last August, is a USB dongle that offers an added layer of security features for Google accounts, such as two-factor authentication and protections from phishing attacks. Specifically impacted is the version of the Titan Security Key with Bluetooth Low Energy (BLE) – not the NFC version of the security keys.
“This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected,” said Christiaan Brand, product manager with Google Cloud, in a Wednesday post. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.”
The vulnerability stems from a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, said Brand.
Despite Google’s recall of the device, exploiting the pairing-protocol flaw appears to be non-trivial. An attacker must first be physically close to the key – within approximately 30 feet – and would also need the victim’s username and password for the account the key protects.
Making matters more difficult, the adversary would have to act within a very narrow window – the moment the victim activates the BLE security key – in order to take advantage of the misconfigured pairing protocol and pair the victim’s key to the attacker’s own device. From there, it’s possible to sign in to the victim’s account.
“In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly,” said Brand.
Once an attacker has carried out these steps and exploited the pairing flaw, he or she can then make their own device masquerade as the victim’s: “After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse, and potentially take actions on your device,” according to Google.
Titan Security Key users can check whether their device is impacted by looking for a “T1” on the back of the dongle, which indicates the Bluetooth version. Meanwhile, Google is sending replacement keys to those affected; users can apply to Google for a free replacement.
Despite the flaw, and given the difficulty of exploiting it, Google stressed: “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available.”