After a pompous launch last July, Google announced today that it will replace Titan security keys due to a vulnerability the company discovered in the keys' Bluetooth pairing process.
Google said the security flaw allows attackers to take over users' devices and/or log into users' accounts, although the keys should be safe to use under certain conditions.
All users who own Titan security keys that can pair (connect) with a device via Bluetooth are now eligible for a free replacement.
Titan security keys without Bluetooth capabilities are not affected, such as those that work via NFC or USB.
Owners of Bluetooth-capable Titan keys can access this page to see if their device is vulnerable, where they'll receive instructions on how to apply and receive a replacement.
"If it has a 'T1' or 'T2' on the back of the key, your key is affected by the issue and is eligible for free replacement," Google said today in a blog post.
Google's Titan-branded keys are only sold in the US. The same keys are sold in other countries under their original Feitian brand. A Google spokesperson told ZDNet that non-US users can use the same google.com/replacemykey page to check if their Feitian keys are affected, but Feitian will handle the replacement process if users are impacted and eligible for a new key.
The security flaw
According to Google, the security flaw is due to "a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols."
This flaw can be exploited by an attacker who is physically present (within approximately 30 feet) of a Titan user, and when users are using the key normally, or when they are first pairing it to their computer.
For example, when a user first pairs their Titan security key to their device, an attacker can exploit the flaw in the Bluetooth pairing protocol to hijack this process and also pair a rogue Bluetooth device to the user's computer. The attacker can later re-assign this rogue device as a Bluetooth keyboard, which they can later use to run malicious commands to hijack users' devices.
In addition, when a device owner presses the activation button on the Titan security key to sign into an online account, an attacker can also authorize a rogue device to access that account --as long as the attacker also has a valid password.
Google: Users should continue using the keys
It's because of these reasons that Google is now replacing these keys. However, the company recommended that users do not stop using the keys until they get a replacement, as they can provide enhanced security, compared to not using a security key after all.
"It is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device)," Google said.
Google announced the Titan security keys last July. The company published the following advice for owners of faulty Bluetooth-powered Titan security keys, until replacements arrive.
On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you've used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.
Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are already signed into your Google Account on your iOS device, do not sign out because you won't be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices..
On Android and other devices:
We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you've used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.
Article updated with Google comment regarding Feitian-branded keys.
More vulnerability reports:
- How to test MDS (Zombieload) patch status on Windows systems
- Security flaws in 100+ Jenkins plugins put enterprise networks at risk
- Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
- Intel CPUs impacted by new Zombieload side-channel attack
- Patch status for the new MDS attacks against Intel CPUs
- Microsoft May 2019 Patch Tuesday arrives with fix for Windows zero-day, MDS attacks
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic