
Google Recalls Bluetooth Titan Security Key Over Exploitable Bug


Google is recalling its Bluetooth Titan Security Keys due to a bug that can leave the devices open to exploitation when a hacker is nearby.

The problem stems from a misconfiguration in the product’s Bluetooth pairing protocol. Normally, the key should work like this: You hold it close to your PC or smartphone and the key will communicate over Bluetooth to unlock access to your online account. However, Google discovered it’s possible for an attacker to step in and hijack the Bluetooth pairing process during sign-in.

“When you’re trying to sign into an account on your device, you are normally asked to press the button on your [Bluetooth Low Energy] security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects,” Google product manager Christiaan Brand wrote in a blog post about the vulnerability.

Titan Security Key Bundle

(Bluetooth Titan Key on the left; USB Titan Key on the right.)

Still, it should be noted that this attack would be hard to pull off. An attacker would need to be within 30 feet of the security key and present during the sign-in process. They would also have to know the victim’s username and password.

That said, Google has been selling its security key technology to businesses, which have to worry about insider threats and corporate espionage. The company told PCMag the bug was actually reported by Microsoft.

The same bug can also pave the way for a hacker to briefly impersonate a victim’s Titan Security Key over Bluetooth using a rogue device. “After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device,” Brand said.

In response, Google is offering free replacement keys to affected owners. You can find out if you own a faulty Bluetooth Titan Security Key by checking the back of the device. If it has a “T1” or “T2” at the bottom, then your key suffers from the bug.


Affected owners can also continue using the Bluetooth Titan Security Key, but Google recommends doing so only in private spaces. “After you’ve used your key to sign into your Google Account on your device, immediately unpair it,” Brand said in the blog post. Both iOS 12.3 and an upcoming June security patch to Android will also automatically unpair the affected security keys after they’ve been used to sign into an account.

Last year, Google began selling the product as part of a $50 bundle containing one Bluetooth-enabled key and one standard USB security key. The company declined to offer details about today’s bug and how it plans to fix it over fears hackers will try to exploit the vulnerability.

The manufacturer of Google’s security keys is Chinese vendor Feitian. At the moment, it isn’t clear if Feitian’s own Bluetooth-enabled security keys suffer from the same bug.

Rival vendor Yubico has refrained from offering a Bluetooth security key, claiming the technology “does not meet our standards for security, usability, and durability.” “BLE (Bluetooth Low Energy) does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience,” the company said last year.
