
Google’s Titan Security Key Has a Bluetooth Security Issue

Attacker would need to be within 30 feet

By CBR Staff Writer

Google is replacing its Bluetooth-enabled Titan security key for US customers after identifying a security failing that could allow a third-party attacker to connect their own device to the security key – used for two-factor authentication (2FA) – and access the user’s account.

Exploiting the security failing would take a determined and focussed attacker: they would need to already have the user’s account login and password details (or be ready to brute force the latter), be within 30 feet of their target and time the attack to perfection.

The Titan security key is a 2FA device that Google describes as helping “protect high-value users such as IT admins”. The keys work with most browsers and are built with a hardware chip that includes firmware engineered by Google to verify the integrity of the key.

For the acutely security conscious, any such flaw is unacceptable and Google says it is shipping replacements to those affected: those with the Bluetooth Low Energy (BLE) version of the Titan Security Key in the US – specifically the versions with a “T1” or “T2” on the back.

In a blog published today, Christiaan Brand, Product Manager, Google Cloud, said: “This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).”

He added: “This local proximity Bluetooth issue does not affect USB or NFC security keys.”

For users on both iOS and Android, Google recommends using the key in a private place (with no potential attacker within 30 feet) and immediately unpairing the key after signing in.


Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so users won’t need to unpair manually.

Those with an affected BLE Titan Security Key can get a replacement at google.com/replacemykey.
