When Google introduced the Titan Security Key at Cloud Next 2018 last summer, the company pitched the bundled FIDO (Fast Identity Online) keys as ironclad protections against account compromise. Somewhat ironically, it appears that at least one of them has become an attack enabler rather than a deterrent.
Google today said that it uncovered a flaw in the Bluetooth pairing protocol of the Bluetooth Low Energy (BLE) version of the Titan Security Key that could allow an attacker in close proximity (within about 30 feet, or roughly 10 meters) to communicate with the key or with the device to which the key is paired. The window of opportunity is narrow, Google says: it opens only during account sign-in and during initial pairing.
“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it,” explained Google. “An attacker … can potentially connect their own device to your affected security key before your device connects [and] sign into your account … if [they] obtained your username and password. [Also,] before you can use your security key, it must be paired to your device. Once paired, an attacker … could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.”
For the uninitiated, the Titan Security Key is Google’s take on a FIDO key, a physical device used to authenticate logins over USB, NFC or Bluetooth. Google stressed last year that it’s not meant to compete with other FIDO keys on the market, but instead is aimed at “customers who … trust Google.”
Google’s decision to support Bluetooth wasn’t without controversy. In a prescient statement following the Titan Security Key’s announcement, Yubico CEO Stina Ehrensvard said that it “does not provide the security assurance levels of NFC and USB” and that its battery and pairing requirements offer “a poor user experience.”
Google notes that the issue doesn’t affect the USB or NFC functions of the Titan Security Key nor the “primary purpose” of security keys. Indeed, it recommends using an affected key rather than turning off security key-based two-step verification or downgrading to less phishing-resistant methods. Still, it’s offering free replacement keys through the Google Play Store. (Impacted keys have a “T1” or “T2” etched into the back.)
In the meantime, Google recommends that users on Android, and on iOS 12.2 or earlier, activate their affected security keys in “private place[s]” away from potential attackers and immediately unpair them after sign-in. Android devices updated to the upcoming June 2019 Security Patch Level (SPL) or later will automatically unpair affected Bluetooth keys after use, and affected keys will no longer work at all on iOS 12.3, Google says. iOS users who sign out of their Google accounts won’t be able to sign back in (without a workaround) until they secure a replacement key.