Google released a security advisory on Monday that says a security bug exists in the company’s Bluetooth Titan Security Key. The flaw could potentially enable someone to gain access to a user’s account or device while remaining in close physical proximity. The tech giant claims this is a result of a ‘misconfiguration’ in the keys’ Bluetooth pairing protocols, however, the keys are still great at protecting users against phishing attacks.
Google will offer a free replacement key to all existing users. The issue is limited to the Titan Bluetooth keys which means if you’re using the Titan USB keys, you shouldn’t be worried. Google sells its Titan Bluetooth keys for $50 (roughly Rs. 3,500). To recall, Google’s Titan Security Keys for two-factor authentication had been launched in August last year.
The company further explained in its security advisory that an attacker will need to be within Bluetooth range (around 30 feet) to exploit the security flaw. The attacker can only make use of the misconfigured protocol when a user presses the button on the Titan Bluetooth key to activate it. This way they’ll be able to connect their device to the key before yours.
Since a user’s security key must be paired with their device before it can be used, an attacker could also exploit this by using their device and masking it as your security key. But for all this to be exploited, the attacker must also know your credentials.
Google maintains that its Titan Bluetooth keys still protect users against phishing attacks and that users can still use them until the company ships a free replacement. In its announcement, Google claims physical security keys still offer the strongest protection against phishing. Users with ‘T1’ or ‘T2’ on their Google Titan Key are eligible for a replacement.
The company which makes Google’s Titan Security Key, Feitian, has also issued a similar statement, disclosing the vulnerability as well as offering a free replacement for its users. The company also sells physical security keys under its own brand.
The vulnerability doesn’t affect the recent feature on Android phones that can be used as a physical security key, apart from Titan USB keys.