
Google Replacing Bluetooth Titan Security Keys Over Exploitable Bug

The problem deals with a misconfiguration in the product's Bluetooth pairing protocol. Google discovered it's possible for a nearby hacker to step in and hijack the Bluetooth pairing process during sign-in, although the attack is not easy to pull off.

By Michael Kan
May 15, 2019

Google is offering free replacements to the company's Bluetooth Titan Security Keys due to a bug that can make the devices open to exploitation in the event a hacker is nearby.

The problem deals with a misconfiguration in the product's Bluetooth pairing protocol. Normally, the key should work like this: You hold it close to your PC or smartphone and the key will communicate over Bluetooth to unlock access to your online account. However, Google discovered it's possible for an attacker to step in and hijack the Bluetooth pairing process during sign-in.

"When you're trying to sign into an account on your device, you are normally asked to press the button on your [Bluetooth Low Energy] security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects," Google product manager Christiaan Brand wrote in a blog post about the vulnerability.


(Bluetooth Titan Key on the left; USB Titan Key on the right.)

Still, it should be noted that this attack would be hard to pull off. You'd need to be within 30 feet of the security key and present during the sign-in process. You'd also have to know the victim's username and password.

That said, Google has been selling its security key technology to businesses, which have to worry about insider threats and corporate espionage. The company told PCMag the bug was actually reported by Microsoft.

The same bug can also pave the way for a hacker to briefly impersonate a victim's Titan Security Key over Bluetooth using a rogue device. "After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device," Brand said.

In response, Google is offering free replacement keys to affected owners. You can find out if you own a faulty Bluetooth Titan Security Key by checking the back of the device. If it has a "T1" or "T2" at the bottom, then your key suffers from the bug.


Affected owners can also continue using the Bluetooth Titan Security Key, but Google recommends doing so only in private spaces. "After you've used your key to sign into your Google Account on your device, immediately unpair it," Brand said in the blog post. Both iOS 12.3 and an upcoming June security patch to Android will also automatically unpair the affected security keys after they've been used to sign into an account.

Last year, Google began selling the product as part of a $50 bundle containing one Bluetooth-enabled key and one standard USB security key. The company declined to offer details about today's bug and how it plans to fix it over fears hackers will try to exploit the vulnerability.

The manufacturer of Google's security keys is Chinese vendor Feitian, which said its own Bluetooth-enabled security keys suffer from the same bug. The company is also offering free replacement keys to affected owners.

Rival vendor Yubico has refrained from offering a Bluetooth security key, saying the technology "does not meet our standards for security, usability, and durability." As the company put it last year, "BLE (Bluetooth Low Energy) does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."

Editor's Note: This story has been corrected to note Google is not recalling the product, but offering free replacements.
