The Bluetooth Low Energy (BLE) version of Google’s Titan Security Key that is being sold in USA is affected by a security issue, which lets an attacker who is within a range of 30 feet use your security key.
This issue is being caused due to the misconfiguration in the Bluetooth pairing protocols of the Titan Security Key. The attacker can communicate with your security key as well as with the device to which the key is paired.
The bug only affects the keys with Bluetooth pairing; the non-Bluetooth ones remain unaffected. Google is offering free replacement for the affected Titan security keys and recommend that you keep using your existing keys until the replacement arrives.
If you’re using the Titan security key with on Android or other devices, try to do so in a private space where there is no potential attacker within 30 feet and unpair the affected key immediately after using it. Android devices that are updated with the June security patch will unpair the affected key immediately after its work is done.
If you’re using Titan security key with an iOS device running version 12.2 or earlier, do the same as you would do in the case of an Android device — as mentioned above. However, if you’ve updated to iOS 12.3, the affected security key will no longer work with the device — for signing into Google or any other account. If you’ve been locked out of your Google account because of this, check out more instructions here. Also, you can still sign into your Google account on a non-iOS device.
Is your Titan Security Key affected?
As mentioned before, the non-Bluetooth versions of the Titan Security Key haven’t been affected by this bug. To find out if your Bluetooth version has been affected, check the back of the key for ‘T1’ or ‘T2’ marking. If the key has either of these markings, then it is affected by and is eligible for a free replacement.
Everyone eligible for a replacement can get one here.
How does the bug make your device vulnerable?
According to Google, here are the two scenarios that will allow an attacker to exploit this vulnerability in the security key.
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”
“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”
This said, the company reaffirms that this security bug does not affect the primary purpose of the keys — to safeguard you from phishing attacks. The affected key is a safer bet than no key at all.