Google today disclosed a security flaw in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to bypass the protection the key is supposed to provide. The company says the flaw is due to a "misconfiguration in the Titan Security Key's Bluetooth pairing protocol" and that even the affected keys still protect against phishing attacks. Google is also offering a free replacement key to all existing users.
The flaw affects all Bluetooth Titan keys, which sell for $50 in a bundle that also includes a standard USB/NFC key, that have a "T1" or "T2" marking on the back.
An attacker within Bluetooth range (about 30 feet) who acts quickly when you press the button on the key to activate it could use the misconfigured protocol to connect their own device to the key before your own device connects. Assuming they already have your username and password, they could then log in to your account.
Google also notes that before you can use your key, it must disconnect. An attacker could also exploit this flaw by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing so, the attacker could then make their device appear as a keyboard or mouse and remotely control your laptop, for example.
All of this must happen at exactly the right moment, and the attacker must already know your credentials. Still, a persistent attacker could make it work.
Google says the issue does not affect the main purpose of the Titan key, which is to protect against phishing attacks, and argues that users should continue to use their keys until they receive a replacement. "It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing that is currently available," the company writes in today's announcement.
The company also offers some tips for mitigating the potential security issues.
Some of Google's competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. "While Yubico initiated the development of a BLE security key and contributed to the work with BLE U2F standards, we decided not to launch the product because it does not meet our standards for security, usability and durability," wrote Yubico founder Stina Ehrensvard when Google launched its Titan keys.