Vulnerability could allow attackers to remotely access devices
Google has recalled its Bluetooth-enabled Titan Security Keys after a flaw was discovered that could be exploited by an attacker within Bluetooth range.
A bug in the Bluetooth Low Energy (BLE) pairing of the two-factor authentication (2FA) product means that a nearby attacker could communicate with both the key and the device it is paired with.
When signing into an account on a mobile device, the user is prompted to press a button on the BLE key to activate it.
If an attacker is within roughly 30 feet (about 10 metres) at that moment, they could potentially connect their own device to the key before the user’s device does.
The attacker could then use the key to sign into the user’s account – provided that they already know the user’s username and password, that is.
Another attack vector could see the attacker masquerade their own device as the user’s security key, tricking the victim’s device into connecting to a malicious device rather than the legitimate Google product.
They could then pose as a Bluetooth keyboard or mouse and take control of the victim’s device.
This issue only affects the BLE version of Google’s security keys. Affected devices have ‘T1’ or ‘T2’ written on the back.
Google has recommended that users only activate their keys when they are sure no potential attacker is within Bluetooth range.
The company also said users shouldn’t sign out of their accounts on their devices, as they may be locked out until a replacement security key arrives.
Impacted users are being offered new keys, free of charge.
Launched in July 2018, Titan Security Keys are anti-phishing devices that provide users with a second factor of authentication – similar to other products developed by Yubico, Nitrokey, and others.
As they await a replacement, Google has stressed that continued use of the vulnerable security key is better than using no key at all, and has recommended that owners keep using their keys to sign in until they can be replaced.
“It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” a security bulletin reads.
“Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.”