A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google's Titan Security Keys that could not be patched with a software update.
However, users do not need to worry, as Google has announced that it will offer a free replacement for the affected Titan Security Key dongles.
In a security advisory published Wednesday, Google said a "misconfiguration in the Titan Security Keys Bluetooth pairing protocols" could allow an attacker who is physically close to your Security Key (~within 30 feet) to communicate with it or the device to which your key is paired.
Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks.
Titan Security Key, which sells for $50 in the Google Store, includes two keys—a USB-A security key with NFC, and a battery-powered, Micro-USB-equipped Bluetooth/NFC key—for secure two-factor authentication.
According to Google, the vulnerability only affects the BLE version of Titan Security Keys that have a "T1" or "T2" marking on the back; the other non-Bluetooth security keys, the USB and NFC versions, are safe to use.
Here are the attack scenarios Google Cloud Product Manager Christiaan Brand described in a blog post:
"When you're trying to sign into an account on your device, you ..