Google recalls Titan security keys after it discovers Bluetooth flaw

Google is recalling some of its Titan Security Keys after discovering that they could be hijacked by nearby attackers.

A misconfiguration in the keys' Bluetooth pairing protocols made it possible for an attacker within about 30 feet of the user to communicate with either the security key or the device it is paired with, Google said on Wednesday.

The bug affects only the Bluetooth variant of Google's Titan Security Key, not the USB version.

For the attack to work, the attacker would have to be nearby at the moment you press the button on your key to activate it. They would also have to know your username and password.

'An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects,' Christiaan Brand, a product manager at Google Cloud, said in a blog post.

'In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.'

Once connected to your device in place of the key, an attacker could also manipulate it by changing their own device to appear as a Bluetooth keyboard or mouse.

To determine whether a Titan Security Key is affected, Google said users can check the back of the device. If the key says 'T1' or 'T2', it is affected by the bug.

Google is offering free replacement keys to users who are affected by the flaw.

The search giant began selling the Titan Security Key last July, offering the Bluetooth and USB versions as a bundle for $50, or $20 to $25 individually.

Security keys add another layer of authentication to a user's account, requiring the user to have the physical key on their person in order to log in.

This makes it difficult for attackers to target a user, since they cannot log in without the physical key. It is the most robust form of defense against phishing, one of the most common attacks used to steal a password and gain access to an account and its data.

Google noted that the bug does not affect the primary function of the Titan Security Key, which is to prevent phishing.

'Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),' Brand added.

HOW DO I USE GOOGLE'S ADVANCED PROTECTION SYSTEM?

The Advanced Protection features include an option to require a physical USB security key to be connected to a desktop computer before each log-in, as a way to verify the user's identity. Mobile log-ins require a Bluetooth wireless key.

Two security keys are required to enroll, so that you have a backup key in case you lose your main key. A wireless-enabled key that can connect to both your computer and your mobile devices should act as your main key, Google says.

Advanced Protection users have their data walled off from access by any non-Google third-party application, such as the Apple iOS mail client or Microsoft Outlook.

The program also includes a more laborious and detailed account recovery process, to prevent fraudulent access by attackers who pretend to have been locked out of the account.

Google created a web page to walk users through setting up Advanced Protection, including where to purchase USB and Bluetooth security keys on Amazon.
