Google announced that it will be replacing its Titan security keys because of a vulnerability found in the keys’ Bluetooth pairing process. The tech giant states that the security flaw permitted attackers to take control of users’ devices and log into their accounts, though the keys remain safe to use under certain conditions.
Those users with Titan security keys that can connect with a device via Bluetooth can now get a free replacement.
Titan security keys without a Bluetooth option, such as those that work via NFC or USB, are not affected. According to a blog post by Google, if the key has a ‘T1’ or ‘T2’ marking on its back, it is affected by the issue and is eligible for a free replacement.
The security keys were launched in July last year. The Titan-branded keys are only sold in the US while the same keys are sold in other countries under their original Feitian brand.
Those with Bluetooth-capable Titan keys can visit the page “google.com/replacemykey” to check whether their device is vulnerable. That page provides instructions on how to request and receive a replacement. Non-US users can use the same page to check whether their Feitian keys are affected, but the replacement process for impacted and eligible users will be handled by Feitian.
Google reports that the security flaw is due to “a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” An attacker physically present within about 30 feet of a Titan user can exploit this flaw either while the user is using the key normally or while the user is first pairing it to their computer.
When a user first pairs their Titan security key to their device, an attacker can hijack this process and pair a rogue Bluetooth device to the user’s computer. The attacker can then later reconfigure this rogue device as a Bluetooth keyboard and use it to run malicious commands that hijack the user’s device. Separately, when the device owner presses the activation button on the Titan security key to sign into an online account, an attacker can also authorize a rogue device to access that account, provided the attacker also has a valid password.
These are the reasons why the company is replacing the keys. Google, however, recommends that users continue to use the keys until they receive a replacement, since an affected key still provides stronger security than using no security key at all.
Google published the following advice for owners of affected Bluetooth-powered Titan security keys to follow until replacements arrive.
For devices running iOS 12.2 or earlier, it is recommended to use the vulnerable security key only in a private place where an attacker is not within close physical proximity (approximately 30 feet). After using the key to sign into your Google Account on your device, immediately unpair it. You can use the key in this way until you get a replacement or until you update to iOS 12.3.
After updating to iOS 12.3, the affected security key will no longer work. If you are already signed into your Google Account on your iOS device, do not sign out as you will not be able to sign in again until you get a new key.
For Android and other devices, it is recommended to use the affected security key only in a private place where an attacker is not within close physical proximity (approximately 30 feet). After you’ve used your affected security key to sign into your Google Account, immediately unpair it.
Android devices updated to the upcoming June 2019 Security Patch Level (SPL) or later will automatically unpair affected Bluetooth devices, so you will not need to unpair the key manually. You can also continue using USB or NFC security keys, which are supported on Android and are not affected by this issue.