Google is warning that the Bluetooth Low Energy version of the Titan security key, which it sells for two-factor authentication, can be hijacked by nearby attackers. Users are encouraged to obtain a free replacement device in which the vulnerability is fixed.
A misconfiguration in the key's Bluetooth pairing protocols allows attackers within 30 feet to communicate with either the key or the device it is paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published Wednesday.
The Bluetooth-enabled devices are a plethora of low-cost security keys that, as Ars reported in 201
The attacks Brand described abuse the pairing process and require an attacker within 30 feet to carry out a series of events in close coordination:
- When you try to sign in to an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker who is in close physical proximity at that moment may be able to connect their own device to your affected security key before your own device connects. Under these circumstances, if the attacker has already obtained your username and password and can time these events exactly, the attacker will be able to sign in to your account using their own device.
- Before you can use your security key, it must be paired with your device. Once paired, an attacker who is in close physical proximity to you can disguise their device as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they may try to change their device to appear as a Bluetooth keyboard or mouse and may perform actions on your device.
For the account takeover to succeed, the attacker must also know the target's username and password. To determine whether a Titan key is vulnerable, check the back of the device. If it has a "T1" or "T2", it is vulnerable to the attacks and is eligible for a free replacement. Brand said that security keys continue to be one of the most meaningful ways to protect accounts, and advised that users continue to use the keys while waiting for a new one. Titan Security Keys are sold on the Google Store for $50.
While people are waiting for a replacement, Brand recommends that they use the keys in a private location that is not within 30 feet of a potential attacker. After logging in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users will not have to do it manually.
Brand stated that iOS 12.3, which Apple introduced on Monday, does not work with vulnerable security keys. This has the unfortunate consequence of locking people out of their Google Accounts if they sign out. Brand recommended that people not sign out of their account. A good security measure would be to use a backup authentication app, at least until a new key arrives, or to skip Brand's advice and simply use an authentication app as the primary means of two-factor authentication.
This episode is unfortunate since, as Brand notes, physical security keys are still the strongest protection against phishing and other types of account takeovers currently available. Wednesday's announcement prompted strong criticism on social media of the use of Bluetooth for security-related functions.
With what kind of idiot protocol can users negotiate a "maximum key size" that can only be 1 byte? (A guideline that fortunately should be higher in newer versions.) pic.twitter.com/7yFJqaMJLI
– Matthew Green (@matthew_d_green) May 15, 2019
The threat of the key being hijacked and the current incompatibility with the latest version of iOS will certainly create further user resistance to BLE-based keys. The threat also helps explain why Apple and alternative key maker Yubico have long refused to support BLE.