Google recalls some Titan security keys after finding Bluetooth vulnerability

Remigio Civitarese
May 16, 2019

"After you've used your key to sign into your Google Account on your device, immediately unpair it", Brand said in the blog post. The attacker would need to be within 30 feet of the security key and present during the sign-in process, and could then communicate with the key or with the device paired to it. You can also check the back of the keyfob, at the bottom, to see if a tiny "T1" or "T2" is printed into the plastic; if so, you qualify and should email replacemykey@google.com for further instructions.

The manufacturer of Google's security keys is Chinese vendor Feitian.

Feitian Technologies BLE security keys - sold for Google's Advanced Protection Program prior to the Titan-branded models - share this flaw and are also eligible for replacement.

The Bluetooth-enabled devices are one variety of low-priced security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection.

After pairing, the attacker could masquerade as your key at the exact time you are using it to authenticate, then configure his or her device as a Bluetooth keyboard or mouse and have access to your phone.

Google disclosed a local proximity vulnerability impacting Bluetooth Low Energy (BLE) Titan Security Keys sold in the US stemming from a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols".

Before you can use your security key, it must be paired to your device. Google's use of Bluetooth is a way around that. When you press the activation button on the key to sign in securely to an online account, the attacker could authorize a device to access that account (assuming they have your username and password as well). They recommend using the key in a private place that is not within close proximity of other people. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won't have to do it manually. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.

The bug could allow an attacker who is in range (within approximately 30 feet) of the device, at the moment the key is used, to communicate with the key or with the device it is paired to.

Once you update to iOS 12.3, your affected security key will no longer work.

It would be possible for the attacker to exploit the flaw during the Bluetooth pairing protocol and connect a Bluetooth device of their own to the user's device. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. Most Yubico USB-based security keys also include NFC, and you can get a combination USB-NFC security key from Amazon for less than $20.

Editor's Note: This story has been corrected to note that Google is not recalling the product, but offering free replacements. "BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience", wrote the company in a blog post last year.

While you're awaiting a replacement key, however, there are steps you can take to mitigate your risk, depending on whether you're using an iOS or Android Device.

The company also provided a number of steps designed to let users of iOS (12.2 or earlier) and Android devices who have the BLE version of the Titan Security Key minimize the security risks until they receive their replacement security keys.
