Bluetooth pairing bug forces Google to recall select Titan Security Keys

Alfred Osborne
May 17, 2019

Last summer, Google launched the Titan Security Key, a physical device that can be used for online security. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.

This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account.

Google's Titan Security Keys offer a convenient and secure method for securing devices that relies on two-factor authentication and some advanced Google-grown cryptography. The matter doesn't affect the device's primary objective - thwarting phishing attempts - but could allow an attacker within physical proximity when it is used to gain access to it or its paired device. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device. Users of the affected keys have received an email with full details, but if you're unsure, the affected keys are marked T1 or T2 on the rear.

After logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained.

To tell if you might be affected, check the back of your key.

"It is much safer to use the affected key instead of no key at all", Christiaan Brand, Google Cloud's product manager, said in the company's post about the bug. To get a replacement, you should head to google.com/replacemykey. Those already logged out have to follow account recovery instructions or use a non-iOS device to log in again.

Unlike SMS two-factor authentication (2FA), which is vulnerable to attacks like SIM swapping, a hardware key makes obtaining access to the target account extremely hard without possession of the key. Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

Brand said that iOS 12.3, which Apple started rolling out on Monday, won't work with vulnerable security keys.

This flaw can be exploited by an attacker who is physically close (within approximately 30 feet) to a Titan user, either when the user is using the key normally or when they are first pairing it to their computer.

Rival vendor Yubico has refrained from offering a Bluetooth security key, claiming the technology "does not meet our standards for security, usability, and durability".

"After you've used your affected security key to sign into your Google Account, immediately unpair it". Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually.

The company also provided a number of steps designed to help users of iOS (12.2 or earlier) and Android devices who have the BLE version of Titan Security Keys minimize the security risks until they receive their replacement security keys. This has the unfortunate result of locking people out of their Google accounts if they sign out.
