Today, Google announced a security bug in its Bluetooth Low Energy (BLE) Titan Security Keys. The issue stems from a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols and currently affects the BLE versions in the U.S. Google has provided users with quick actions to protect themselves against the attack and to obtain a free replacement key.
The bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement since security keys provide the strongest protection against phishing”, the official post reads.
An attacker can only gain access to a user’s device if they are within close proximity (approximately 30 feet) while the user is using the security key. From that range, the attacker can easily communicate with the user’s security key, or with the device to which the user’s key is paired.
The two scenarios in which an attacker might exploit the BLE security keys are:
- While trying to sign into an account on a device, a user is normally asked to press the button on their BLE security key to activate it. To exploit the bug, the attacker has to connect their own device to the user’s affected security key at this moment, before the user’s own device connects. This case is only possible if the attacker has already obtained the victim’s username and password.
- The attacker could also use their device to masquerade as the user’s affected security key and connect to the user’s device at the moment the user is asked to press the button on the key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on the user’s device.
Google also mentions that this issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. It adds that security keys remain the strongest available protection against phishing, and that it is still safer to use a key that has this issue than to turn off security key-based two-step verification (2SV) on one’s Google Account or downgrade to less phishing-resistant methods (e.g. SMS codes or prompts sent to a user’s device). This local proximity Bluetooth issue does not affect USB or NFC security keys.
“To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement”, the official post states.
Mark Risher, Director of Product Management at Google, tweeted:
We are working on inventory issues, including sites around the world. Visit https://t.co/YzUZnP9DuX and you should find a link for non-US fulfilment
— mark risher (@mrisher) May 15, 2019
In its official blog post, Google has also provided some additional steps that users can take to minimize the remaining risk until they receive their replacement keys.
For more details, head over to Google’s official blog post.