Google's Titan Security Bluetooth keys vulnerable to proximity attack; replacement issued

News by Robert Abel

Google is replacing its Titan Security Bluetooth keys due to a vulnerability which could allow attackers within range unauthorised access to use someone else's key.

The issue specifically affects the BLE version of the Titan Security Key, which can be identified by either a T1 or T2 stamped on the back of the key.

A misconfiguration in the key’s Bluetooth pairing protocols allows an attacker to communicate with the security key, or with the device to which the key was paired, when the rightful user is attempting to pair their device under a specific set of circumstances, according to a 15 May Google security update.

"An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects," the update said. "In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly."

The vulnerability would also allow a threat actor to use their device to masquerade as the affected device and connect to the victim’s device the moment they are asked to press the button on the key. In addition, the flaw could allow an attacker to attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on the affected device.

iOS users looking to minimise their risks are advised to only use their keys in a private setting where a potential attacker can't get within range (approximately 30 feet) and to immediately unpair the device after use. Google also noted that once the user updates to iOS 12.3, the vulnerable security key will no longer work, and provided instructions on how users can get back into their Google accounts if they get locked out before their replacement key arrives.

Anyone with an affected key can get a free replacement by visiting google.com/replacemykey. Google emphasised that it's still safer to use the affected key than no key at all, as they offer the strongest defence against phishing that is currently available.

Venafi director of enterprise security support Mark Miller said the misconfiguration seems relatively easy to exploit.

"The fact that you must be within 30 feet of the security key isn’t an issue, especially when you consider how fast compiled and scripted software can run," Miller said. "In addition, lots of people conduct business in public places like coffee shops and airports, so connecting a dongle to a device isn’t that farfetched."

Miller added that, from a technology perspective, the keys are amazing and make security easier to consume, but that users must be aware that no technology is perfect. He also applauded Google for its initiative to correct the situation.

This article was originally published on SC Media US.
