Posted On 20 Jun 2019
Google has issued a warning that the Bluetooth Low Energy (BLE) version of its Titan security key, used for two-factor authentication, can be hijacked by an attacker in its immediate vicinity. The key has a misconfiguration in its Bluetooth pairing protocol that allows an attacker within 30 feet to connect to the key or to the device it is paired with. The company is offering a free replacement that fixes the problem.
Security keys are the strongest way of preventing attackers from accessing sites that offer this level of protection: the user not only has to enter their password but also has to let the website talk to the key, which answers with a cryptographic response that is virtually impossible to forge. Keys that use Near Field Communication or a USB connection are unaffected, but with the BLE key an attacker in range could pair their own device at the moment the victim attempts to log in; if the attacker already possesses the victim's username and password, they could then take over the account or the device.
The vulnerable keys are those with either T1 or T2 printed on the back; anyone who has one should apply to Google for a free replacement. Google nonetheless advises that, despite the flaw, these keys still offer better security than no key at all and can continue to be used while waiting for a replacement. It recommends that a vulnerable key be used only in a private setting with no potential attacker within 30 feet, and that the key be unpaired from the device as soon as the user has logged in.
Next month Android will release an update that automatically unpairs Bluetooth security keys once the user is logged in. The latest iOS release, 12.3, instead refuses to work with the affected keys, so Google users on iOS who log out will be unable to log back in until they receive a new key. The best advice in that case is to stay logged in to your account, or to use an authenticator app either as a backup or as your main form of authentication.
The incident has drawn criticism from those who have long argued that Bluetooth is an inappropriate transport for security devices because of its known weaknesses. Apple and the security key maker Yubico do not support BLE security keys for this reason.