
Bluetooth pairing bug forces Google to recall select Titan Security Keys

17 May 2019

Titan - the physical security key Google rolled out last year - was built to "protect high-value users". "You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue", it said.

However, Google announced yesterday that a major flaw in the Bluetooth Low Energy version of the Titan Security Key opens the small devices (and those using them) to attack.

Whenever you want to access the web-based service, you enter your username and password as you would normally, but the site also asks you to use your hardware key.

We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet).


Google released the key-shaped Titan last August, offering the physical authentication tool as a remedy to phishing and other attacks. For instance, someone who already has your username and password could - in theory - pair their device to your security key at the moment you press the button on your Titan to validate your credentials. If successful, the attacker could attempt to have the hostile device act as a Bluetooth keyboard or mouse and direct input to the compromised device. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account.

Nearly a year ago, Google made available its own line of physical security keys to improve anti-phishing protection of its employees and users.

Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey. Brand said that security keys continued to represent one of the most meaningful ways to protect accounts and advised that people continue to use the keys while waiting for a new one.

"From a technology perspective, these keys are unbelievable; they make security a lot easier to consume".


Lots of things have to line up just right for this exploit to be effective, and Google is not aware of this exploit being used to gain access to user data in the wild.

That person could then intercept communications from the key and use them to sign in as you.

Once you update to iOS 12.3, your affected security key will no longer work.

Users of iOS 12.3 "will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key". And after logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained.


It also affects Feitian BLE security keys.
