Google is offering customers with the Bluetooth variant of its Titan Security Key a free replacement after it learned of a flaw that could allow a nearby attacker to sign into a key-protected account, undermining one of the main purposes of the hardware key.
Google says the Bluetooth variant of the Titan keys still provides the best protection against remote phishing attackers. However, it revealed today that “a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” made it possible for a nearby attacker to compromise the connection during pairing, potentially allowing that attacker to sign in to a Titan key-protected account.
This could allow an attacker to “communicate with your security key, or communicate with the device to which your key is paired.”
This means that an attacker can, from about 30 feet (9 metres), jump in at the time of key-to-device pairing and connect their own device to a key before the legitimate user’s device successfully pairs.
The attacker would still need a username and password, but if they had that information already they could use the captured data to sign into a Google account with their device.
Additionally, on currently paired keys and devices, an attacker could also use the flaw to make their device appear to the target as if it was a Bluetooth-connected keyboard or mouse, allowing for other mischievousness.
Google started selling a pair of Titan security keys last August for $50, which included a key that connected via USB-C and NFC, and a separate key for pairing wirelessly over the Bluetooth Low Energy protocol. The main online services it provides protection for are Google services, such as Gmail.
The Bluetooth option appeared to cater specifically to Apple’s iOS for the iPhone, which has only limited support for NFC and USB, leaving Bluetooth as the best available option for bringing Titan key protection to Google accounts on the iPhone. Android phones have long supported NFC.
Security keys like Titan and Yubico's YubiKey, which Google has used to successfully thwart phishing attacks against itself, offer much better protection against remote phishing attacks. An attacker would need to be in possession of the physical key as well as a username and password in order to compromise an account.
However, Yubico opted not to provide Bluetooth functionality in its keys because the company claimed it didn’t meet the security levels of NFC and USB. Bluetooth also demands batteries, which is less than ideal for keys.
Google technically hasn’t initiated a product recall over the Bluetooth security flaw. However, the company notes that once an iPhone has been updated to iOS 12.3, which Apple released on Monday, the iPhone won’t be able to pair with the Bluetooth Titan keys anymore.
Android phones didn’t need Bluetooth support because of their existing NFC support, while Windows and other PCs support USB.
Google argues the Bluetooth flaw still doesn’t undermine Titan's primary purpose, which is to protect against phishing from attackers on the internet. Nonetheless, the free replacement indicates the issue is serious, whether because iOS 12.3 cuts off the keys entirely or despite the slim chance of an attacker being within 30 feet while already holding a user's credentials.
On the other hand, the keys were designed to support Google’s Gmail Advanced Protection Program for high-risk users, whose attackers could very well know a target’s movements well enough to get within 30 feet, and probably know the target’s credentials too.
Google’s answer for Android devices is less drastic than Apple's: it involves automatically unpairing a device that has been paired with a key.
For Android users Google recommends "using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet)."
"After you’ve used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue."
The Bluetooth security scare has the potential to damage the industry-wide push for users to adopt two-factor authentication (2FA). Very few people enable 2FA, or in Google terminology “two-step verification” (2SV), even today.
Google urges users not to turn off key-based 2FA, since it is still more secure than other options, like SMS codes.