A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google’s Titan Security Keys that could not be patched with a software update.
However, users do not need to worry, as Google has announced that it will offer a free replacement for the affected Titan Security Key dongles.
In a security advisory published Wednesday, Google said a “misconfiguration in the Titan Security Keys Bluetooth pairing protocols” could allow an attacker who is physically close to your Security Key (within roughly 30 feet) to communicate with it or with the device to which your key is paired.
Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks.
Titan Security Key, which sells for $50 in the Google Store, includes two keys—a USB-A security key with NFC, and a battery-powered, Micro-USB-equipped Bluetooth/NFC key—for secure two-factor authentication.
According to Google, the vulnerability only affects the BLE version of Titan Security Keys, which have a “T1” or “T2” marking on the back; the non-Bluetooth security keys (USB and NFC versions) are not affected and remain safe to use.
Here are the attack scenarios Google Cloud Product Manager Christiaan Brand described in a blog post:
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”
“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”
Microsoft originally discovered the vulnerability and disclosed it to Google, as well as Feitian, the company that makes Titan Keys for Google and also sells the same product (ePass) under its own brand.
Feitian also made a coordinated disclosure about this vulnerability the same day as Google and is offering a free replacement program for its users.
Since the issue only affects the Bluetooth Low Energy pairing protocol and not the cryptographic security of the key itself, Google recommends that affected users continue using their existing keys until they receive a replacement.
Google also says that the Bluetooth security key is still more secure than turning off two-factor authentication altogether or relying on other two-factor methods such as SMS or phone calls.
However, it is best to take some extra precautions while using the affected keys, such as using them only in a private place and unpairing them immediately afterward.