Google has now issued a security advisory for people who use its Bluetooth Titan Security Keys and said it will offer free replacements.
Google says the keys have a security bug, or more specifically, a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols," that might allow an attacker in close physical proximity to circumvent the key's protection.
Google Confirms Titan Key Security Bug
This bug apparently affects all Bluetooth Titan Security Keys (which cost $50 in a package that also includes a standard USB or NFC key) that have either a "T1" or "T2" printed on the back. Google explains that the bug could be exploited by a person within Bluetooth range, roughly 30 feet, who acts swiftly as the owner presses the button to activate the key. The attacker could use the misconfigured protocol to connect their own device to the key before the owner's device connects. In turn, this means they could get access to that person's account.
An attacker may also exploit the bug by using their own device, disguised as the owner's security key, to connect to the owner's device when the button is pressed. The attacker could then make their device appear as a keyboard or mouse, which in turn grants them the ability to control the laptop remotely.
Suffice it to say that these are critical issues, especially on a device meant to offer top-tier, foolproof security. So much so that Google, as previously mentioned, is willing to offer free replacements for all existing Titan Key users. While the process needed to exploit the key seems laborious and would have to happen at the exact right time, a persistent attacker could still manage to pull it off.
Google Says You Should Still Use It
As TechCrunch notes, Google says this security flaw doesn't affect the main goal of its Titan Keys, which is to guard against phishing attacks. It also advises users to keep using the key until they receive a replacement.
"It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available," the company says. It also offers several tips for mitigating the potential security issues.
It was Microsoft who originally discovered the exploit and disclosed it to the companies that make the Titan Keys, according to Google.
Google has long been an advocate for two-factor authentication, or 2FA. For the uninitiated, 2FA is a system that adds a layer of security to an account. Instead of being able to log in with just a password, 2FA requires a second factor of some sort, such as a code sent to the user's phone number or, in this case, the Titan Keys. Google has been pushing these keys as a more secure way to enable 2FA than merely using an authentication app.
Make sure to check back with Tech Times as we learn more.