Google has issued a security advisory for its Bluetooth Titan Security Keys that is serious enough for it to replace them for free. The company says that there is a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” that could potentially allow an attacker to get access to your account or device — though only in a couple of specific (and specifically difficult to pull off) circumstances.
The company tells us that the news today is a coordinated disclosure — which means in part that the companies that make affected products are disclosing the issue at the same time. Feitian, which is the company that makes Google’s Titan Key but also sells keys under its own brand, disclosed the same vulnerability today and is offering a replacement program for its users.
Microsoft originally discovered the vulnerability and disclosed it to the companies that make the affected products, Google says.
Google has been leading the charge for two-factor authentication (2FA) for a long time now. In particular it has been pushing its Titan Security Keys as a more secure way to enable 2FA than simply an authentication app (or, even worse, SMS). Google is not wrong about that, but given that it’s meant to provide a higher level of security, there’s going to be a higher level of scrutiny on any potential security vulnerabilities.
There are two vulnerabilities that Google is disclosing. First, if an attacker is within the 30-foot Bluetooth Low Energy range of your key when you press the button to authenticate a login, they could connect their device to your security key. If they have your password, they could gain access to your account. The second possible case is that when you pair a key for the first time, an attacker could “masquerade as your affected security key and connect to your device,” and then do the same things on your device that other Bluetooth devices can do, like act as a keyboard or mouse.
So: the attacker will need to be aware of this vulnerability, have software able to exploit it, and will need to execute their attack at precisely the right moment. It’s a series of unlikely events, but again physical security keys like the Titan need to meet a higher standard in order to maintain people’s trust.
As TechCrunch points out, Yubico’s founder criticized Google for launching a BLE key because he believed it wouldn’t be as secure as either USB or NFC. Google’s disclosure about the Titan Security Key Bluetooth vulnerability does not affect the recently launched ability to use your Android phone as a physical security key. That method doesn’t rely on Bluetooth pairing in the same way that the Titan and Feitian keys do.
If you have a “T1” or “T2” on your Titan Key, you’re eligible for a replacement. It might seem obvious, but these FIDO keys are designed to not be software upgradeable as a security measure. While you wait for it to arrive, Google is recommending that you continue to use your security key. It still is likely to be more secure than other 2FA methods — and absolutely more secure than not using 2FA at all.