Google warns that the Bluetooth Low Energy version of the Titan Security Key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is urging users to get a free replacement device that fixes the vulnerability.
A misconfiguration in the key's Bluetooth pairing protocol allows attackers within 30 feet to communicate either with the key or with the device it is paired to, Google Cloud Product Manager Christiaan Brand wrote in a post published Wednesday.
The Bluetooth-enabled devices are a variety of security keys that, as Ars reported in 201
The attack described by Brand involves hijacking the pairing process when an attacker within 30 feet performs a series of events in close coordination:
- When you try to sign in to an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment could potentially connect their own device to your affected security key before your own device connects. Under these circumstances, the attacker could sign in to your account using their own device if the attacker has somehow already obtained your username and password and can time these events exactly.
- Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could try to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
For the account takeover to succeed, the attacker must also know the target's username and password. To check whether a Titan key is vulnerable, look at the back of the device: if it is marked "T1" or "T2", it is susceptible to the attack and eligible for a free replacement. Brand said security keys continue to be one of the most effective ways to protect accounts and advised people to keep using their keys while waiting for a replacement. Titan Security Keys sell for $50 in the Google Store.
While people wait for a replacement, Brand recommended that users use their keys in a private place that is not within 30 meters of a potential attacker. After signing in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so that users don't have to do it manually.
Brand said that iOS 12.3, which Apple began rolling out on Monday, does not work with the vulnerable security keys. This has the unfortunate result of locking people out of their Google accounts if they sign out. Brand recommended that people not sign out of their accounts. A safer measure would be to use an authenticator app at least until the new key arrives, or to skip Brand's advice and simply use an authenticator app as the primary means of two-factor authentication.
This episode is unfortunate since, as Brand notes, physical security keys are the strongest protection currently available against phishing and other types of account takeover. Wednesday's disclosure drew criticism on social media of the use of Bluetooth for security-sensitive features.
What kind of idiot protocol lets users negotiate a "maximum key size" that can be as small as 1 byte. (A standard that should happily be higher in the latest versions.) pic.twitter.com/7yFJqaMJLI
– Matthew Green (@matthew_d_green) May 15, 2019
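To illustrate the key-size negotiation Green is criticising from the defender's side, the following added example (not code from the article, Google or the Bluetooth SIG) parses a BLE Security Manager Protocol Pairing Request and lists the settings a strict receiver should refuse. The 7-byte PDU layout follows the SMP specification; the policy thresholds, the sample PDUs and the function names are assumptions constructed here.

```python
# Added example: strict policy check on a BLE SMP Pairing Request PDU.
# PDU layout (SMP spec): opcode 0x01, IO capability, OOB flag, AuthReq,
# maximum encryption key size (7..16), initiator key dist, responder key dist.
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01      # SMP opcode for a Pairing Request
AUTHREQ_MITM = 0x04             # AuthReq bit: MITM protection requested
AUTHREQ_SC = 0x08               # AuthReq bit: LE Secure Connections
MIN_ACCEPTABLE_KEY_SIZE = 16    # assumed policy: refuse anything below a full 128-bit key


@dataclass
class PairingRequest:
    io_capability: int
    oob_flag: int
    auth_req: int
    max_key_size: int
    initiator_key_dist: int
    responder_key_dist: int


def parse_pairing_request(pdu: bytes) -> PairingRequest:
    """Parse the 7-byte SMP Pairing Request PDU (opcode + 6 parameter bytes)."""
    if len(pdu) != 7 or pdu[0] != SMP_PAIRING_REQUEST:
        raise ValueError("not an SMP Pairing Request PDU")
    return PairingRequest(*pdu[1:7])


def pairing_policy_problems(req: PairingRequest) -> list:
    """Return the reasons a request should be refused; an empty list means acceptable."""
    problems = []
    # The spec permits 7..16 bytes; anything below 16 shrinks the effective key.
    if not 7 <= req.max_key_size <= 16:
        problems.append("max_key_size outside the spec range 7..16")
    elif req.max_key_size < MIN_ACCEPTABLE_KEY_SIZE:
        problems.append(f"max_key_size {req.max_key_size} < {MIN_ACCEPTABLE_KEY_SIZE}")
    if not req.auth_req & AUTHREQ_MITM:
        problems.append("MITM protection not requested")
    if not req.auth_req & AUTHREQ_SC:
        problems.append("LE Secure Connections not requested (legacy pairing)")
    return problems


# Constructed sample PDUs, not captured traffic.
WEAK_PDU = bytes([0x01, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])    # bonding only, 7-byte key
STRONG_PDU = bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])  # bonding|MITM|SC, 16-byte key

if __name__ == "__main__":
    for name, pdu in (("weak", WEAK_PDU), ("strong", STRONG_PDU)):
        print(name, pairing_policy_problems(parse_pairing_request(pdu)) or "OK")
```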
The threat of having the key hijacked, together with the current incompatibility with the latest version of iOS, is sure to generate additional user resistance to the BLE-based keys. The threat also helps explain why Apple and rival key maker Yubico long refused to support BLE.