
A flaw in Google Titan Security Keys exposes users to Bluetooth attacks

Titan Security Keys are affected by a severe vulnerability; for this reason, Google announced it is offering a free replacement for vulnerable devices.

Google announced it is offering a free replacement for Titan Security Keys affected by a serious vulnerability that could be exploited to carry out Bluetooth attacks.

The Titan Security Keys were introduced by Google in July 2018 to provide an additional layer of security to its users and protect them from phishing and MiTM attacks.

The Titan Security Key is based on the FIDO (Fast IDentity Online) Alliance's U2F (Universal 2nd Factor) protocol and was entirely designed by Google.

The Titan Security Keys are available in both USB and Bluetooth versions.

The vulnerability affects the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys; USB and NFC security keys are not impacted.

Google users can refer to a page set up by the company to find out whether their devices are affected by the flaw and to receive instructions for replacing them.

The vulnerability is a misconfiguration issue in the Titan’s Bluetooth pairing protocols that was discovered by Microsoft. Google explained that the flaw is hard to exploit: an attacker physically close to the victim could trigger it only under specific conditions.

The attacker has to connect their device to the victim’s security key before the legitimate device connects; moreover, they have to launch the attack exactly when the victim presses the button on their dongle.

“Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired,” reads the advisory published by Google.

Below are the conditions that the attacker would have to meet to carry out the attack:

  • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
  • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

The attacker can also use their own device to connect to the victim’s device when the button is pressed on the key. Once connected, the attacker can set that device to appear as a Bluetooth mouse or keyboard and perform actions on the victim’s device.
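One way a defender could look for the masquerade described above, as an added example that is not from Google's advisory or the original article: it parses `bluetoothctl info`-style text and flags paired devices that expose the FIDO U2F service alongside an HID service. The service UUIDs are Bluetooth assigned numbers rather than values from the article, and the sample input and the `suspicious` heuristic are assumptions constructed for illustration.

```python
import re

# Bluetooth SIG assigned 16-bit service UUIDs (not taken from the article).
FIDO_U2F = 0xFFFD                 # FIDO Alliance U2F authenticator service
HID_SERVICES = {0x1812, 0x1124}   # HID over GATT (BLE), classic HID profile
BASE_UUID = re.compile(r"\(0000([0-9a-f]{4})-0000-1000-8000-00805f9b34fb\)", re.I)

def parse_devices(text):
    """Parse concatenated `bluetoothctl info`-style output into device records."""
    devices, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Device "):
            cur = {"addr": line.split()[1], "paired": False, "uuids": set()}
            devices.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Paired:"):
            cur["paired"] = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("UUID:"):
            m = BASE_UUID.search(line)
            if m:
                cur["uuids"].add(int(m.group(1), 16))
    return devices

def suspicious(devices):
    """Paired devices exposing the FIDO service together with an HID service:
    a security key has no reason to act as a keyboard or mouse."""
    return [d["addr"] for d in devices
            if d["paired"] and FIDO_U2F in d["uuids"] and d["uuids"] & HID_SERVICES]

# Constructed sample input, not captured from a real host.
SAMPLE = """\
Device AA:BB:CC:00:00:01 (public)
    Paired: yes
    UUID: Unknown                   (0000fffd-0000-1000-8000-00805f9b34fb)
Device AA:BB:CC:00:00:02 (public)
    Paired: yes
    UUID: Unknown                   (0000fffd-0000-1000-8000-00805f9b34fb)
    UUID: Human Interface Device    (00001812-0000-1000-8000-00805f9b34fb)
Device AA:BB:CC:00:00:03 (public)
    Paired: yes
    UUID: Human Interface Device    (00001812-0000-1000-8000-00805f9b34fb)
"""

if __name__ == "__main__":
    for addr in suspicious(parse_devices(SAMPLE)):
        print("review pairing:", addr)
```

This is a heuristic for reviewing pairing records: an ordinary keyboard (the third device) is not flagged, and a hit means the pairing should be removed and re-established with the genuine key.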

Even if the keys are vulnerable to Bluetooth attacks, they remain the strongest protection against phishing attacks.

“Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” continues Google.

Mobile users have been advised to use their Titan Security Keys only where a potential attacker cannot be in physical proximity.


Pierluigi Paganini

(SecurityAffairs – Titan Security Keys, hacking)
