Google Announces Security Flaw That Could Let An Attacker Access Your Device

Yolanda Curtis
May 17, 2019

Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers. The company warned that if you're using the security key's Bluetooth pairing, you should make sure you're in a private place where a potential attacker couldn't be within 30 feet.

"When you're trying to sign into an account on your device, you are normally asked to press the button on your [Bluetooth Low Energy] security key to activate it".

Google also noted another attack scenario, where a nearby attacker could connect to a person's Bluetooth security key before the real owner did. If the attacker also knows the victim's username and password and can time the attack properly, then the account could be compromised.

If you've got a Titan Security Bundle from Google, you might have to replace the wireless Bluetooth/NFC keyfob device that came as part of the package.

Google said the security flaw allows attackers to take over users' devices and/or log into users' accounts, although the keys should be safe to use under certain conditions. The attacker can later re-assign this rogue device as a Bluetooth keyboard, which they can later use to run malicious commands to hijack users' devices. If your key says "T1" or "T2", the key is exposed and you should go to Google's recall management site. Everything was all fine and dandy for a while, but then today, Google alerted users to a rather peculiar flaw in its BLE Titan keys. And after logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained.

To tell if a Titan key is vulnerable, check the back of the device.

Unlike SMS two-factor authentification (2fa), which is vulnerable to countermeasures like SIM swapping, without possession of the key, obtaining access to the target account is extremely hard. It allows a so-called Man in The Middle (MiTM) attack, in which someone could get between your Titan key and the device it's communicating with. It turns out that has caused an issue as Google is replacing all keys due to a vulnerability.

"However, there is no such thing as flawless technology, so I'm glad Google is taking the initiative and recalling these keys". If they are not already signed into their Google Account on the iOS device and are locked out, they can use the instructions available HERE to get back into their accounts.

"We decided not to launch the [BLE security key] product as it does not meet our standards for security, usability and durability", Yubico co-founder Stina Ehrensvard wrote in a blog posting in July 2018. Google is also still recommending that people use the keys in their current state as some protection is better than none. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. In this case, the security issue does not affect the device's primary goal. This has the unfortunate result of locking people out of their Google accounts if they sign out.

Other reports by iNewsToday