Google is offering free replacements for Bluetooth-enabled Titan Security Keys following the discovery of a misconfiguration in its pairing protocols that could potentially give attackers access to user accounts under (very) precise circumstances, the company announced this week.
The Titan Security Key, a two-factor authentication device built to FIDO standards, was made available to Google Cloud customers in July 2018. This particular issue affects the Bluetooth Low Energy (BLE) version available in the US. Non-Bluetooth keys (those using NFC or USB) are not affected. Google outlines two cases in which this vulnerability can put users at risk if an attacker is within approximately 30 feet of their targets at the moment they use their keys.
When a user signs into an account, that person is prompted to activate the security key by pressing a button. If an attacker is nearby and has exact timing, they could connect their own device to the target's affected security key before the target's device connects. If the attacker has the target's username and password, they could use their device to log into the target's accounts.
An attacker in close proximity could also take advantage of this bug by disguising their device as a target's vulnerable security key, and connecting to their device when they're asked to press the button during the pairing process. If successful, the attacker could change their device to appear as a Bluetooth device and potentially take actions on a target's machine, writes Christiaan Brand, product manager for Google Cloud, in a blog post on the ..