Google recalls Titan Bluetooth keys after finding security flaw

What about the USB and NFC keys in the Titan Security Key package?

Google said the security flaw allows attackers to take over users' devices and/or log into users' accounts, although the keys should be safe to use under certain conditions.

Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

For Android users and anyone using iOS 12.2 or earlier, Google recommends not using an affected Titan wireless security key in any location where strangers could be within Bluetooth range - about 30 feet. When you press the activation button on the key to sign in securely to an online account, the attacker could authorize a device to access that account (assuming they have your username and password as well).

That said, the attacker would need to time the hack precisely and would likely need a user's account username and password. Though Google recommends that you continue using your keys while you wait for a replacement, it has outlined some steps you can take to better protect yourself in the meantime, which can be viewed in the security blog post linked above. The company warned that if you're using the security key's Bluetooth pairing, you should make sure you're in a private place where a potential attacker couldn't be within 30 feet.

Once connected, hackers could manipulate your device by changing their device to appear as a Bluetooth keyboard or mouse.

You can request a replacement by heading over to a website Google has set up for this specific issue, and if you're logged into your Google account when you visit it, it'll even automatically check to see if any affected keys are associated with your account.

The bug can't be fixed with a security update so Google is asking users to check whether their key is affected and, if it is, to ask for a replacement one to be sent to them free of charge.

Not all Titan Security Keys have the bug, which Google says is due to a misconfiguration in the key's Bluetooth pairing protocols.

"The fact you must be within 30 feet of the security key isn't an issue, especially when you consider how fast compiled and scripted software can run." Google announced today that it will issue replacement keys to anyone who wants one and has a defective key.

This episode is unfortunate since, as Broad notes, physical security keys remain the strongest protection now available against phishing and other types of account takeovers.

The Titan security key bundle.

Once you update to iOS 12.3, your affected security key will no longer work. After signing in, users should immediately unpair the security key. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key.

As if the world isn't scary enough: According to Google, your most trusted security measures could actually be secret vulnerabilities.

Article updated with Google comment regarding Feitian-branded keys.