Google will replace Bluetooth Titan Security Keys due to a security flaw

Google disclosed a local proximity vulnerability impacting Bluetooth Low Energy (BLE) Titan Security Keys sold in the USA stemming from a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols".

This issue affects the BLE version of Titan Security Keys. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.

Little did I know those were just minor flaws compared to the key's security vulnerabilities Google announced today. The key has a security bug in how it pairs with a device over Bluetooth, and how that pairing is authenticated. The attacker can later re-assign this rogue device as a Bluetooth keyboard, which they can then use to run malicious commands to hijack users' devices. When you press the activation button on the key to sign in securely to an online account, the attacker could authorize a device to access that account (assuming they have your username and password as well).

For these reasons, Google is now replacing these keys. Users of the affected keys have received an email with full details, but if you're unsure, the affected keys are marked T1 or T2 on the rear.

But the scope of the threat impacting the Titan security keys appears to be pretty small, according to Lauren Weinstein of People for Internet Responsibility. After logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained. Google recommends using your bad key to sign in one last time from a secure space where no one is within 30 feet, and then immediately unpairing it. Also, immediately unpair the key after you have used it to sign in. Google advises those with affected keys who have installed the update to remain logged in to their Google Accounts until a replacement arrives.

Brand said that iOS 12.3, which Apple started rolling out on Monday, won't work with vulnerable security keys. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key.

While you're awaiting a replacement key, however, there are steps you can take to mitigate your risk, depending on whether you're using an iOS or Android device.

What should you do if you have a bad key? This has the unfortunate result of locking people out of their Google accounts if they sign out.

It would be possible for the attacker to exploit the flaw during the Bluetooth pairing protocol and connect a Bluetooth device of their own to the user's device. To determine if your key is affected, check the back of the key. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.
