Google is replacing its Bluetooth-enabled Titan Security Key for US customers after identifying a flaw in the key's Bluetooth pairing that could allow a nearby attacker to connect their own device to the key – used for two-factor authentication (2FA) – and use it to sign in to the victim's account.
Exploiting the flaw would take a determined and focused attacker: they would need to already have the user's account login and password details (or be ready to brute force the latter), be within roughly 30 feet of their target, and time the attack to the brief window in which the user presses the button on the key, connecting their own device to it before the user's device does.
The Titan Security Key is a 2FA device that Google describes as helping "protect high-value users such as IT admins". The keys work with most browsers and are built around a hardware chip running firmware engineered by Google to verify the integrity of the key.
For the acutely security conscious, any such flaw is unacceptable, and Google says it is shipping free replacements to those affected: owners of the Bluetooth Low Energy (BLE) version of the Titan Security Key in the US – specifically the units marked "T1" or "T2" on the back. Keys without one of those markings, and the USB-only variant, are not affected.
In a blog post published today, Christiaan Brand, Product Manager, Google Cloud, said: "This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device)."
He added: “This local proximity Bluetooth issue does not affect USB or NFC security keys.”
For users who sign in with the key on iOS or Android devices, Google recommends using it only in a private place (with no potential attacker within 30 feet) and unpairing the key from the device immediately after signing in, so that a lingering pairing cannot be used later.
Android devices updated to the June 2019 Security Patch Level (SPL) or later will automatically unpair affected Bluetooth keys after use, so those users will not need to unpair manually.