Titan Bluetooth Security Key Vulnerability – Google Offers Free Exchange



[ad_1]

Some models of the Bluetooth variant of Google's Titan security keys contain a vulnerability that has caused the company to launch a free and full exchange action. Incorrectly configuring the Bluetooth key pairing protocol can theoretically allow an attacker to establish Bluetooth communication between the key and the connected device.

Google's Titan Security Key is a USB security solution that (as well as Yubico and Feitian's competition) provides hardware-based two-factor authentication for FIDO-standard online accounts. The Titan security key can connect to the device requiring authentication in three ways: USB, NFC, and Bluetooth.

Google introduced the security key in July 2018 at the company's Next Cloud Conference and offered it in the US edition of the Google Store for $ 50 at the end of the month. # 39; August. Sometimes, there was also a sales page in the Google Store in German, which is no longer available.

As among others GoogleWatchBlog Google reported that the key was removed in February 2019, without giving reasons. In the United States, it is available again. The German-speaking sales page still exists, but the "buy now" button does not work.

In a blog post, Google gives details about the affected keys and attack scenarios and makes recommendations to the owners.

As a result, the vulnerability affects only the Bluetooth variant ("Bluetooth Low Energy", BLE) and not the USB variant of the Titan security keys. According to Google, only keys distributed in the United States are vulnerable. However, as German users can currently rely only on imports from the United States and the key has been available for a few months in that country, this statement needs to be treated with caution.

If you prefer playing safety, take a look at the back of your security key. If a "T1" or a "T2" is printed, it is one of the copies concerned.

Google has set up a website allowing the free exchange of such keys.

However, according to Google, an attack on Bluetooth communication via the vulnerability is possible only from short distance, with a maximum distance of 10 meters. This would be conceivable, for example, in public places, where an attacker can get close enough to his victim without being noticed. According to Google, there are two scenarios of attack:

  • If a user wants to login to his online account, he must press a button on the Titan security key to activate it. During this phase, an attacker could theoretically establish a Bluetooth connection with the key before it connects to the device of the user. This would allow the attacker, using this vulnerability, to connect to the user's online account via his own device. But this requires perfect synchronization and knowledge of the access data.
  • In the second scenario of attack, the attacker uses a device that initially claims to be a Titan security key and connects to the user's machine when he is prompted to press the key button. If this succeeds, the attacking device will then emulate Bluetooth devices (mouse or keyboard) to perform actions on the device of the user.

Google says that it's always safer to use the affected key than working with a clbadic pbadword ID. Nevertheless, users should quickly take advantage of the free exchange option.

In the meantime, the company recommends that you do not use Bluetooth pairing, but allow the Titan security key to communicate with the device via NFC or the USB port. Because then the vulnerability could not be exploited. Bluetooth pairing with mobile devices should only be done by users to free exchange if no attacker approaches sufficiently. Following the successful login procedure, users must, in accordance with Google's recommendation, manually stop pairing the device with the Titan security key for security reasons.

Google has also announced two security measures to minimize risk for mobile devices:

  • Apple Mobile Devices: Until iOS 12.2, manual disconnection between Titan Security Key and the iOS device was still required. Starting with iOS 12.3, Bluetooth pairing with vulnerable Titan security keys stops working.
  • Android Mobile Devices: As part of a security update, Google plans to automatically unlink the device after logging into its Google Account in June 2019.

(Günter Born) /


(OVW)



[ad_2]
Source link