Google announced it is offering a free replacement for Titan Security Keys affected by a serious vulnerability that could be exploited to carry out Bluetooth attacks.
The Titan Security Keys were introduced by Google in July 2018 to provide an additional layer of security to its users and protect them from phishing and MiTM attacks.
The Titan Security Key is based on the Fast IDentity Online (FIDO) Alliance's U2F (Universal 2nd Factor) protocol and was entirely designed by Google.
The Titan Security Keys are available in both USB and Bluetooth versions.
The vulnerability affects the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not impacted.
Google users can refer to a page set up by the company to discover if their devices are affected by the flaw and receive instructions to replace them.
The vulnerability is a misconfiguration issue in the Titan’s Bluetooth pairing protocols that was discovered by Microsoft. Google explained that the flaw is hard to exploit: an attacker physically close to the victim could trigger it only under specific conditions.
The attacker has to connect their device to the victim’s security key before the legitimate device connects; moreover, they have to launch the attack exactly when the victim presses the button on their dongle.
“Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired,” reads the advisory published by Google.
Below are the conditions that the attacker would need to meet to carry out the attack:
The attacker can also use their own device to connect to the victim’s device when the button is pressed on the key. Once connected, the attacker can set their device to appear as a Bluetooth mouse or keyboard and perform actions on the victim’s device.
Even if the keys are vulnerable to Bluetooth attacks, they remain the strongest protection against phishing attacks.
“Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” continues Google.
Mobile users have been advised to use their Titan Security Keys only when a potential attacker cannot be in physical proximity.
(SecurityAffairs – Titan Security Keys, hacking)