On Wednesday Google published an advisory describing a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols”. The flaw means an attacker physically within approximately 30 feet of your security key can communicate with it, or with the device it is paired with, and potentially use that access against your accounts or your device.
Who discovered the flaw?
A team of security researchers at Microsoft discovered the vulnerability in the Bluetooth Low Energy (BLE) version of Google’s Titan Security Key, which Google sells for $50 in the Google Store. Because the flaw lies in the key’s own pairing behaviour, it cannot be fixed with a software update, which is why Google is replacing affected keys rather than patching them.
What are the risks?
Google Cloud Product Manager Christiaan Brand describes two attack scenarios, one against your account and one against the device the key is paired with:
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”
“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”
Am I affected?
This issue affects only the BLE version of the Titan Security Key; the USB and NFC keys are not affected. To determine whether your key is affected, check the back of the key: if it is marked “T1” or “T2”, it is affected.
What can I do?
If your key is affected, you are eligible for a free replacement from Google. To minimise the remaining risk until the replacement arrives, Google recommends the following additional steps:
On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.
Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are already signed into your Google Account on your iOS device, do not sign out because you won’t be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices.
On Android and other devices:
We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.
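The interim advice above turns on two version thresholds: Android builds at the June 2019 Security Patch Level or later unpair the key automatically, and iOS 12.3 or later refuses to work with it at all; on anything older the key must be unpaired by hand after every sign-in. The script below is an added example, not code from Google or from the advisory, that encodes those thresholds so an administrator checking a fleet of devices can tell which mitigation applies to each. The version strings it compares are constructed inputs; the `adb` helper is an assumption that expects `adb` on PATH and a connected Android device with USB debugging enabled (the `ro.build.version.security_patch` property it reads is the standard Android SPL property).

```shell
#!/bin/sh
# Added example, not part of Google's advisory. Given the OS and version of
# the device a Titan BLE key is paired with, report which of the advisory's
# interim mitigations applies:
#   auto-unpair     Android at the June 2019 SPL (2019-06-01) or later
#   key-blocked     iOS 12.3 or later (the key stops working; get a replacement)
#   manual-unpair   anything older: use the key in private, unpair after each sign-in
#   invalid-version input did not parse
# The adb helper at the bottom is an assumption (adb on PATH, device attached).

# An Android SPL is an ISO date, YYYY-MM-DD.
valid_spl() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Strip the dashes and compare as an integer; for ISO dates that is a
# correct chronological comparison. Call valid_spl first.
android_auto_unpairs() {
    y=${1%%-*}
    md=${1#*-}
    n="$y${md%%-*}${md#*-}"
    [ "$n" -ge 20190601 ]
}

# iOS versions look like 12, 12.2, 12.3 or 12.3.1: digits and dots only,
# no leading, trailing or doubled dots.
valid_ios_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compare major, then minor (a missing minor counts as 0). Call
# valid_ios_version first.
ios_blocks_key() {
    major=${1%%.*}
    rest=${1#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    [ -n "$minor" ] || minor=0
    [ "$major" -gt 12 ] || { [ "$major" -eq 12 ] && [ "$minor" -ge 3 ]; }
}

# advice OS VERSION -> prints one of the four outcomes listed above.
# Validation happens before comparison so a malformed string is reported
# rather than silently treated as "old".
advice() {
    os=$1
    ver=$2
    case "$os" in
        android)
            if ! valid_spl "$ver"; then echo invalid-version; return 2; fi
            if android_auto_unpairs "$ver"; then echo auto-unpair
            else echo manual-unpair; fi ;;
        ios)
            if ! valid_ios_version "$ver"; then echo invalid-version; return 2; fi
            if ios_blocks_key "$ver"; then echo key-blocked
            else echo manual-unpair; fi ;;
        *) echo invalid-version; return 2 ;;
    esac
}

# Assumed helper: read the SPL of an attached Android device over adb and
# run it through advice. Requires adb on PATH and USB debugging enabled.
android_advice_via_adb() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 127; }
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    advice android "$spl"
}

# Stand-alone demo on constructed inputs (no device needed): sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    for case_ in "android 2019-05-05" "android 2019-06-01" "ios 12.2" "ios 12.3"; do
        os=${case_% *}
        ver=${case_#* }
        printf '%-8s %-10s -> %s\n' "$os" "$ver" "$(advice "$os" "$ver")"
    done
fi
```

Run it with `demo` to see the four representative cases, or source it and call `android_advice_via_adb` against a connected phone. The comparisons are deliberately done with parameter expansion and integer tests only, so the script runs under a plain POSIX `sh` on a jump host without GNU `sort -V` or `date` extensions.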
How do I replace my key?
You can replace your key by visiting google.com/replacemykey.