Security issues with Google's Titan Security Keys

Google employees use Titan Security Keys internally as hardware tokens for two-factor authentication. Google has also sold the Titan Security Keys to third-party users. Unfortunately, Google has had to admit a security issue in the Bluetooth variant of some Titan Security Keys. The affected keys are being replaced free of charge.


Advertising

Google's Titan Security Keys

The company introduced the Titan Security Keys at the Google Cloud Next '18 conference in San Francisco. The USB solution, similar to Yubico's YubiKey, is designed to provide hardware-based two-factor authentication for online accounts with the highest level of protection against phishing attacks. Google had already been using this kind of solution for its own employees before offering it to the public.

The Titan Security Keys have been sold for 50 US $ in the USA via the Google Store since September 2018 – but it seems that the product is no longer offered. In principle, this is a good thing: a hardware key protects an account even if its password has been stolen.

Unfortunately, there's a security issue

In a blog post titled Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys, dated May 16, 2019, Google had to admit a security issue with the Titan Security Key. The problem Google became aware of concerns only the Bluetooth Low Energy (BLE) version of the Titan Security Key.

Due to a misconfiguration in the Bluetooth pairing protocols of the Titan Security Keys, an attacker who is physically close to the key can hijack the Bluetooth communication between the security key and the user's device. The attacker can then communicate either with the Titan Security Key or with the device to which the security key is connected. For the misconfiguration to be exploited, an attacker would need to closely coordinate a number of events:


Advertising

  • During authentication via Bluetooth, the user is asked to press the button on the Titan Security Key to activate it. An attacker in close physical proximity (about 30 feet) at that moment can potentially connect their own device to an affected security key before the user's own device connects. Under these circumstances, the attacker could sign into the account from their own device, but only if they had somehow already obtained the victim's username and password and could time these events exactly.
  • A security key that is already paired via Bluetooth with a device is also at risk. Once paired, an attacker in close physical proximity to the security key could use their own device to masquerade as the affected security key and connect to the user's device at the moment the user is asked to press the button on the key. After that, the attacker could attempt to re-present their device as a Bluetooth keyboard or mouse and potentially take actions on the user's device.

Google rates the risk as low and says this security issue does not affect the primary purpose of security keys, which is to protect against phishing by a remote attacker. Both scenarios require an attacker within Bluetooth range at exactly the right moment, and the first additionally requires a stolen password. So it is still safer to keep using a key that has this issue than to turn off security key-based two-step verification (2SV) for an online account.

This Bluetooth problem with the Titan Security Key does not affect USB or NFC security keys. To determine whether a Titan Security Key is affected, check the back of the key: if it is marked "T1" or "T2", the key is affected by the issue and is eligible for a free replacement. Until the key is replaced, Google proposes additional precautions, such as using the BLE Titan Security Key only in a private environment and unpairing the key from the device immediately after authentication. Google recommends that everyone with an affected BLE Titan Security Key obtain a free replacement by visiting google.com/replacemykey. More details can be found in Google's advisory linked above.
