Google today announced that it had identified a security vulnerability in the Bluetooth edition of its Titan Security Key that may allow attackers within 30 feet of a target to bypass the protection the key is meant to provide. The company is offering free replacements for Titan-branded keys that have a “T1” or “T2” etched into the back.
Notably, the company states that the vulnerability is the result of a misconfiguration in the products’ Bluetooth pairing protocols and that even defective keys will still protect against phishing attacks.
Google introduced and started selling the $50 Titan-branded keys last August at Cloud Next 2018, sourcing the hardware from Chinese manufacturer Feitian but still overseeing the cryptographic keys themselves. Any user may use the physical security keys with their Google accounts to protect against sophisticated phishing attacks, but they particularly benefit users who are more likely to be at risk of targeted attacks, such as public figures, journalists, and activists.
Google particularly recommends using physical BLE security keys for its Advanced Protection Program, which provides significant account protections against sophisticated attacks.
Exploiting the vulnerability is relatively tricky, as an attacker would not only have to be within 30 feet but would also need to swiftly connect their own device to a dongle within seconds of the victim starting the pairing process. The attacker would also already need the target’s Google account credentials before they would even have a chance to sign in to the account.
At the right moment, the attacker could potentially deceive the victim’s device into pairing with their own Bluetooth dongle instead of the Titan key, thereby gaining access to the user’s Google account and that particular device. The attacker may then alter their device to resemble a keyboard and remotely control the target’s system.
Google emphasizes that users should keep using the keys until they receive a replacement, as the keys still protect against phishing attacks. In the meantime, the company recommends that Android and iOS (version 12.2) users activate their impacted keys in private areas away from potential adversaries and unpair them immediately after signing in.
Note that impacted keys will no longer work on iOS 12.3, and Android devices updated with the forthcoming June 2019 Security Patch Level (SPL) will automatically unpair impacted Bluetooth devices.