As part of its expanded anti-phishing and account security measures, Google offers extensive support for physical authentication tokens. In a surprising setback, though, the company announced today that it has discovered a vulnerability in the Bluetooth version of its own Titan Security Key—which pairs to devices through the wireless Bluetooth Low Energy protocol, rather than through NFC or physical insertion into a port.
Google began selling the Titan-branded keys last August, outsourcing the hardware from Chinese manufacturer Feitian while managing the cryptographic keys itself. Anyone can use the dongles with their Google accounts for an extra layer of protection, but they're especially favored by users at particular risk of having their accounts targeted by attackers, like public figures, human rights activists, and political dissidents. Google specifically recommends the BLE dongles for its Advanced Protection Program, which offers even more aggressive account protections. In other words, the people most affected by the bug are the ones most concerned about their security.
The "misconfiguration," as Google calls it, would allow an attacker who gets within 30 feet of someone using a security key to communicate with that key or with the device the key is paired to. That makes it a difficult vulnerability to exploit. In addition to the physical proximity, an attacker would need to quickly connect their own device to a dongle in the seconds that a target initiates the pairing process.
If successful, though, an attacker that already had the target's username and password could then sign into the victim's Google account on ..