Google to replace Titan keys for free after uncovering Bluetooth flaw

Google Titan's Bluetooth Security Key Can Be Used to Hack Paired Devices

You Need to Replace Your Google Bluetooth Titan Security

Not all Titan Security Keys have the bug, which Google says is due to a misconfiguration in the key's Bluetooth pairing protocols. The circumstances that would have to align include an attacker in close proximity (less than 30 feet or so), who is able to time their attack to the exact moment that you connect with your security key. If you use an iOS device with your key, it will stop working once you update to version 12.3. if you use an Android device with your key, it will stop working with the June 2019 Security Patch. Indeed, Google says that these issues don't affect the primary objective of security keys - defending against remote attackers - and that they don't apply to USB or NFC keys.

For example, when a user first pairs their Titan security key to their device, an attacker can exploit the flaw in the Bluetooth pairing protocol to hijack this process and also pair a rogue Bluetooth device to the user's computer. "You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue", it said. "After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device", Brand said. Users of the affected keys have received an email with full details, but if you're unsure the affected keys are marked at T1 or T2 on the rear. Normally, the key should work like this: You hold it close to your PC or smartphone and the key will communicate over Bluetooth to unlock access to your online account. After you've used your affected security key to sign into your Google Account, immediately unpair it. Google advises those with affected keys who have installed the update to remain logged in to their Google Accounts until a replacement arrives.

Google Cloud Product Manager Christiaan Brand says in the vulnerability announcement that non-Bluetooth security keys - such as USB or NFC - are not affected by the software flaw.

While people wait for a replacement, Brand recommended that users use keys in a private place that's not within 30 feet of a potential attacker. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.

Advanced protection users will have their data walled off from access by any non-Google third-party applications, such as the Apple iOS mail client or Microsoft Outlook.

Titan is one of several key-shaped products created to add an extra layer of security beyond a user's password. After you've used your key to sign into your Google Account on your device, immediately unpair it.

Rival vendor Yubico has refrained from offering a Bluetooth security key, claiming the technology "does not meet our standards for security, usability, and durability". An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won't have to do it manually.

Security keys add another layer of authentication to a user's device, requiring users to have their physical key on their person in order to login to an account. This has the unfortunate result of locking people out of their Google accounts if they sign out.

Altre Notizie