Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered
A pairing problem makes an account compromise possible, although improbable
Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers.
The Chocolate Factory on Wednesday advised customers with certain Bluetooth Low-Energy (BLE) versions of Titan Security Keys – marked T1 and T2 on the key back – to return them for a replacement. Sales of the new keys ($50 and tax) has now been restarted with secure hardware.
But there's no charge for the replacement. Google's web form asks for a credit card number but adds a promo code discount that brings the net cost to zero.
Feitian Technologies BLE security keys – sold for Google's Advanced Protection Program prior to the Titan-branded models – share this flaw and are also eligible for replacement. USB and NFC keys are not affected.
Redmond lends a hand (and a side of schadenfreude)
Microsoft, the subject of more than a few vulnerability disclosures from Chocolate Factory researchers, alerted Google to the issue, which is down to a misconfiguration in the way the keys handle Bluetooth pairing protocols.
The vulnerability is not easy to exploit. First the attacker has to be within 30 feet of the Titan Key user. In that situation, the attacker can attempt to connect a BLE device to the victim's key before the victim's device connects. If the attacker also knows the victim's username and password and can time the attack properly, then the account could be compromised.
There's also a scenario in which a nearby attacker could spoof a key and connect to the victim's device at the moment the key button is pressed. If successful, the attacker could attempt to convert the hostile device to a Bluetooth keyboard or mouse to direct input to the compromised device.
Frankly, an attacker might do better to grab the device in question and run.
Cache of the Titans: Let's take a closer look at Google's own two-factor security keysREAD MORE
"This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker," said Google Cloud product manager Christiaan Brand in a blog post, noting that even flawed security keys are better than giving up on two-step authentication.
To minimize potential risk – Google's Advanced Protection Program is intended specifically for those likely to be targeted by cyber attacks – Google is advising iOS and Android users to login to their devices in protected places where no attacker is likely to be nearby. And after logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained.
iOS users who have updated to iOS 12.3, released on Monday, may have discovered that affected security keys no longer work. Google advises those with affected keys who have installed the update to remain logged in to their Google Accounts until a replacement arrives. Those already logged out have to follow account recovery instructions or use a non-iOS device to log in again.
Android users can look forward to the upcoming June 2019 Security Patch Level (SPL) to address the issue without account lockout concerns. ®