Google recalls its Titan Bluetooth security keys because of a security bug – TechCrunch


Google revealed today a security bug in its Titan Bluetooth security key that could allow an attacker in the physical vicinity to bypass the security the key is supposed to provide. The company says the bug is due to a "misconfiguration in the Titan security key's Bluetooth pairing protocols," and that even defective keys still protect against phishing attacks. Nevertheless, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys with a "T1" or a "T2" on the back. The keys sell for $50 in a package that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 13 meters) and act quickly when you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that, and assuming they already have your username and password, they could log into your account.

Google also notes that before you can use your key, it must be paired with your device. An attacker could also potentially exploit this bug by using their own device to masquerade as your security key and connect to your device when you press the button on the key. Having done this, the attacker can then change their device to look like a keyboard or mouse and remotely control your laptop, for example.

However, all of this must happen at exactly the right time, and the attacker must already know your credentials. A persistent attacker might still be able to pull it off.

Google claims that this issue does not affect the main mission of the Titan key, which is to guard against phishing attacks, and that users should continue to use their keys until they are replaced. "It is much safer to use the affected key rather than no key at all. Security keys are the most effective protection currently available against phishing," the company writes in today's announcement.

The company also offers some tips to mitigate potential security issues.

Some of Google's security key competitors, including Yubico, have decided not to use Bluetooth due to potential security issues and have blamed Google for launching a Bluetooth key. "While Yubico had previously initiated the development of a BLE security key and contributed to the work on the U2F BLE standards, we decided not to launch the product because it does not meet our standards for security, usability and sustainability," said Yubico's founder, Stina Ehrensvard, when Google launched its Titan keys.

