Bluetooth-enabled Titan security keys found with a serious security hole, Google offers free replacement

• The Bluetooth Low Energy version of the product is impacted by a misconfiguration flaw.
• As a result, attackers could gain access to a Google account by hijacking the security key.

Titan Security Keys, Google’s security product meant for two-factor authentication (2FA), was found to have a security vulnerability. The Bluetooth Low Energy (BLE) version of the security key could be exploited by an outsider to sign into user accounts and possibly control devices connected to them. Currently, Titan security keys are available in the US market only.

According to a blog published by Christiaan Brand, Product Manager for Google Cloud Platform, an attacker at a distance approximately 30 feet from the user could intercept the security key or the device on which it is paired. However, Brand mentions that the attackers can only achieve this if they meet certain conditions.

In order to mitigate this flaw, Google has offered free replacements for users with Titan security keys.

How could it be exploited?

• The method described by Brand involves an attacker being in close physical proximity with the user who tries to sign on a device with the Bluetooth security key. The attacker could connect their devices to the key at this time before the user does.
• Attackers could also disguise their devices as security keys during the time when users pair their devices with the key. If users accidentally connect to the attacker(s)’ device, the latter could potentially take over the user account as well as their device.

Free replacement

Google is issuing free replacements for Bluetooth Titan security keys. Users are advised to avail them as soon as possible. However, the tech giant suggested using these keys until users get the replacement.

“Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing,” suggested Brand, in his blog.