Google recalls Bluetooth version of Titan Security Key after discovering hacking vulnerability
Google is recalling the Bluetooth Low Energy (BLE) version of its Titan Security Key, and is offering free replacements to owners.
The recall comes after the company became aware of a security issue that could allow a nearby attacker to hijack the security device. Google says that the issue only affects the Bluetooth versions of the 2FA device sold in the US.
In a blog post, Google Cloud product manager Christiaan Brand explains that the vulnerability stems from a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols. This makes it possible for a nearby attacker to communicate not only with the key itself, but also with the computer it is connected to.
Google says that "an attacker would have to align a series of events in close coordination" to exploit the vulnerability:
- When you're trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
- Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
Google insists that the problem does not affect the protection offered against phishing, and advises people to continue to use their Titan Security Keys until they are able to get a replacement. Affected units can be identified by looking for T1 or T2 printed on the rear.
You can obtain a replacement by heading to google.com/replacemykey.
Google offers the following advice to iOS and Android users:
On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.
Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are already signed into your Google Account on your iOS device, do not sign out because you won’t be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices.
On Android and other devices:
We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.