Google’s Bluetooth Titan Security Keys are vulnerable to hijacks by attackers, to be replaced for free

The Bluetooth Low Energy version of the security key in question can be replaced for free

Google has posted a technical advisory stating that its Titan Security Keys are vulnerable to attacks. The two-factor authentication device has a Bluetooth Low Energy (BLE) version that is affected by this vulnerability. Google is offering free replacements that will take care of the vulnerability.


The other versions of the security keys aren’t affected, since the bug only acts up during Bluetooth pairing. Google said in its blog that the vulnerability arises from a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” An attacker within a range of 30 feet could potentially communicate with the key or with the device to which the key has been paired.

To verify whether your key is affected, turn it over and look for ‘T1’ or ‘T2’ at the bottom. If the key has either of those tags, it can be replaced for free.

Google's Titan Security Key.


Until the keys are replaced, Google has also posted a few extra suggestions. iOS users running version 12.2 should sign in to their Google account in a “private place where a potential attacker is not within close physical proximity.” Once the sign-in is done, the key should be unpaired. After the iOS 12.3 update, the security key won’t work, so you have to ensure that you don’t sign out of your account.

For Android and other devices, Google advises the same measures: sign in at a private place and then immediately unpair the key. After the June 2019 Security Patch Level (SPL) arrives, all the affected Bluetooth devices will be unpaired automatically.

Google stresses that using the affected Bluetooth Low Energy version of the Titan Security Key is still safer against phishing attacks than not using a security key at all.
