Google Recalls Titan Security Key Over a Bluetooth Flaw

WIRED | 5/15/2019 | Lily Hay Newman
nallynally (Posted by) Level 4

As part of its expanded anti-phishing and account security measures, Google offers extensive support for physical authentication tokens. In a surprising setback, though, the company announced today that it has discovered a vulnerability in the Bluetooth version of its own Titan Security Key—which pairs to devices through the wireless Bluetooth Low Energy protocol, rather than through NFC or physical insertion into a port.

Google began selling the Titan-branded keys last August, outsourcing the hardware from Chinese manufacturer Feitian while managing the cryptographic keys itself. Anyone can use the dongles with their Google accounts for an extra layer of protection, but they're especially favored by users at particular risk of having their accounts targeted by attackers, like public figures, human rights activists, and political dissidents. Google specifically recommends the BLE dongles for its Advanced Protection Program, which offers even more aggressive account protections. In other words, the people most affected by the bug are the ones most concerned about their security.

"Bluetooth is easy to misconfigure."

The "misconfiguration," as Google calls it, would allow an attacker who gets within 30 feet of someone using a security key to communicate with that key, or with the device the key is paired to. That makes it a difficult vulnerability to exploit. In addition to the physical proximity, an attacker would need to quickly connect their own device to a dongle in the seconds that a target initiates the pairing process.

If successful, though, an attacker that already had the target's username and password could then sign into the victim's Google account on her own device. Additionally, once the attacker paired to the target's Bluetooth key, Google suggests that she could also pull a sort of bait-and-switch as the victim attempts...
(Excerpt) Read more at: WIRED