When Google introduced the Titan Security Key at Cloud Next 2018 last August, the Mountain View company pitched the bundled dongles as ironclad protections against data compromise. Ironically, it now appears that at least one of them became an attack enabler rather than a deterrent.
Google today detailed a flaw (discovered by Microsoft) in the Bluetooth Low Energy (BLE) version of the Titan Security Key that could allow a nearby person (within about 30 feet) to communicate with the key or with the device to which it’s paired. There’s a narrow window of opportunity during account sign-in and setup.
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it,” explained Google. “An attacker … can potentially connect their device to your affected security key before your device connects [and] sign into your account … if [they] obtained your username and password. [Also,] before you can use your security key, it must be paired to your device. Once paired, an attacker … could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.”
For the uninitiated, the $50 Titan Security Key is Google’s take on a FIDO (Fast Identity Online) key, a device used to authenticate logins physically. The company stressed last year that it’s not meant to compete with other FIDO keys on the market, but is aimed instead at “customers who … trust Google.”
Google’s decision to support Bluetooth wasn’t without controversy. In a prescient statement following the Titan Security Key’s announcement, Yubico CEO Stina Ehrensvard said that it “does not provide the security assurance levels of NFC and USB” and that its battery and pairing requirements offer “a poor user experience.”
Google notes that the above-mentioned vulnerability doesn’t affect the USB or NFC Titan Security Key nor the “primary purpose” of security keys. Indeed, it recommends using affected keys rather than turning off security key-based two-step verification altogether. “It is much safer to use the affected key instead of no key at all,” said Google. “Security keys are the strongest protection against phishing currently available.”
Still, it’s offering free replacement keys through the Google Play Store. (Impacted keys have a “T1” or “T2” etched into the back.) And in the meantime, Google is recommending that Android and iOS (version 12.2) users activate their affected security keys in “private place[s]” away from potential attackers and immediately unpair them after sign-in. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, and affected keys on iOS 12.3 will no longer work.
Feitian, the company that manufactures Google’s Titan Security Key, says its Bluetooth keys are affected by the same vulnerability, and it’s extending a similar replacement offer to its customers.