Titan security keys in two different varieties: USB and Bluetooth Low Energy. The idea behind Titan is the same as any security key, which was to give people a hardware two factor authentication method. Everything was all fine for a while, but then today, Google alerted users to a rather peculiar flaw in its BLE Titan keys.
The bug could allow an attacker that is in range – within approximately 30 feet – of the device when it is used to communicate with the key or the device it is paired to. In order to exploit the misconfiguration, an attacker would have to time events perfectly as Google outlines:
When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
No matter how likely or unlikely it is that someone will take advantage of this, it’s a vulnerability that needs to be addressed. Google announced today that it will issue replacement keys to anyone who wants one and has a defective key. To tell if your key needs to be replaced, look at the back of it. If you see a “T1” or a “T2” near the bottom of the key, it’s defective and should be replaced.
You can request a replacement by heading over to a website Google has set up for this specific issue, and if you’re logged into your Google account when you visit it, it’ll even automatically check to see if any affected keys are associated with your account. Though Google recommends that you continue using your keys while you wait for a replacement, it has outlined some steps you can take to better protect yourself in the meantime, which can be viewed in the security blog post linked above.