How to replace your Google Titan Hackable Bluetooth Security Key

If you use one of Google's Titan Bluetooth security keys to log in to all your two-factor protected accounts, there is good news and bad news. As you can probably guess, the bad news is that Google has announced the discovery of a vulnerability allowing a person to potentially access your accounts. The good news is that Google has identified the problem and will send you a free replacement that closes the loophole.

The Google Titan Bluetooth Security Key is a physical security token that, when paired with a phone or tablet, provides one of the two passwords required to unlock an account protected by authentication. two factors. It replaces the random password that you could receive from a two-factor authentication application or via a text message. As many have pointed out, including Google, the use of a physical token that automatically transmits these codes is much safer than a random password sent to your device.

According to Google's security blog, Titan keys using the Bluetooth Low Energy architecture are vulnerable to attack during the Bluetooth pairing process. During pairing, an attacker can intercept the device's signal up to 30 feet away, allowing them to send data to the key and any device already associated with it. Technically, this could allow them to access your device protected by two factors, provided that they synchronize their access with yours. It would take real skills, but it is possible.

And because of this, Google has issued a reminder of the affected security keys. To check if your device needs to be replaced, look for a drop-down list of letters and numbers on the back of the key, down. If your key says "T1" or "T2," it's exposed and you need to go to Google's Reminder Management site. You will need to sign in to your Google Account when you access the site to claim your replacement. (Google checks to see if you have a synced key with your account). If this is not possible, you can send an email directly to Google at [email protected]. (For all to go well, I recommend you have a serial number and a receipt at hand).

Until your replacement key is delivered, Google recommends that all users avoid using Titan in public places where someone could approach and / or see when using your key. If you have not connected your Titan to your Google Account, Google recommends that you do so and then unlink it from your device. Google noted that affected Titan keys would stop working if they were paired with Apple devices running iOS 12.3, and that Android devices automatically cancel the appearance of the affected keys once the June security patch is received.