Users of the BLE variant of Google’s Titan Security Keys will want to get their gadget replaced as quickly as possible due to a phishing vulnerability recently discovered and reported by the search giant. Affected devices are easily identified by the “T1” or “T2” marking on the back of the key itself, and only the Bluetooth versions sold in the US are impacted.
The company will be replacing those at no cost and says that USB or NFC security keys are completely unaffected.
The underlying problem is a misconfiguration in the pairing protocol of the keys in question, and it is a two-fold issue: it allows a nearby attacker to connect to the key, and it allows an attacker’s device to pose as the key to the device the user is signing into.
Now, the steps to accomplish that are not an easy feat for the average bad actor, but that does not make the issue any less serious. When using the BLE Titan Security Key to sign in, users most often need to press a physical button on the key to activate it.
Another person in close enough proximity can, if they already happen to know the appropriate login credentials, step in and log in with the key before the user manages to.
Alternatively, a bad actor could use their own device to “masquerade” as the affected security key and connect to the device a user is trying to log into. That would need to happen at the moment the user is asked to press the button on their key, but once connected in that way, the attacker could potentially use their device as a Bluetooth keyboard and mouse to take over.
In the meantime...
In the interim, Google says that it is still better to continue using affected devices, since some kind of security key is better than none, but it does have some tips for users while they wait for their replacement to arrive. Those differ slightly depending on which mobile operating system is in use.
For both Android and iOS users, the first step to minimizing exposure is to limit where they sign in with the BLE Titan Security Key. They should avoid using it in places where the potential attacks are more likely to occur, such as a busy coffee shop or any other location where an attacker could both be in close proximity and see the key being used.
Once sign-in is complete, Google recommends unpairing the security key to break the connection.
After updating to iOS 12.3, the keys will no longer work with devices on that OS. Users will still be able to log into other devices if they need to recover their account or set up a new way to access it. Following the June 2019 Android Security Patch Level, the affected keys will automatically unpair instead of requiring that to be done manually.
Regardless, obtaining a free replacement from Google is going to be the best option. Users will need to be logged into the same account as the one used with the Titan Security Key in question while claiming their replacement.