Misconfigured Bluetooth pairing protocols in Google’s Titan Security Keys may allow attackers to communicate with users’ security key or with the device their key is paired with, Google has warned.
The bug can’t be fixed with a security update so Google is asking users to check whether their key is affected and, if it is, to ask for a replacement one to be sent to them free of charge.
About the Titan Security Key
Almost a year ago, Google made available its own line of physical security keys to improve anti-phishing protection of its employees and users.
The Titan Security Key is manufactured by Chinese infosec device maker Feitian, but its firmware was engineered by Google. These keys can perform authentication via Bluetooth Low Energy (BLE), USB or NFC.
The Titan-branded keys are only available to users in the US. Before their release, Google pointed users of its Advanced Protection Program towards Feitian’s security keys.
What’s the problem?
Exploitation of the misconfiguration depends on how close the attacker is to the target and how well they can coordinate certain actions.
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly,” Google explained.
“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”
The close proximity Google is referring to is 30 feet (9 meters) or less.
But, the company notes, the security issue does not affect the primary purpose of security keys: protection against phishing by a remote attacker. Still, until the replacement key arrives, users can minimize the risk of compromise by using the key at a safe distance from potential attackers and by unpairing the key after signing into their Google account (detailed instructions for iOS and Android users are available here).
Mark Miller, Director of Enterprise Security Support at Venafi, noted that this misconfiguration seems relatively easy to exploit.
“The fact you must be within 30 feet of the security key isn’t an issue, especially when you consider how fast compiled and scripted software can run. In addition, lots of people conduct business in public places like coffee shops and airports, so connecting a dongle to a device isn’t that farfetched,” he pointed out.
“From a technology perspective, these keys are amazing; they make security a lot easier to consume. However, there is no such thing as perfect technology, so I’m glad Google is taking the initiative and recalling these keys.”
Do you need to ask for a key replacement?
The misconfiguration issue does not affect USB or NFC security keys, just the BLE version of Titan Security Keys. Those have “T1” or “T2” printed on their backs.
It also affects Feitian BLE security keys.
The easiest way for users to check whether their key is affected is by visiting this page.
Google will replace the keys for Titan Security Key users, while Feitian will do the same for users who use non-Google-branded security keys.