Thursday, March 28, 2024

Google recalls Bluetooth version of Titan Security Key due to hijack risk


Google has offered free replacements to owners of the Bluetooth Low Energy version of the Titan Security Key, after a vulnerability was discovered in the device.

Google introduced the Titan Security Key at its Google Cloud Next ’18 convention as a physical USB-based device that eliminated the need to input usernames and passwords. The security key is easy to set up, taking only a few minutes, and provides better protection against phishing attacks than other two-step authentication methods.

The technology was developed by Google and Yubico, which also helped build a security key with a Bluetooth Low Energy component. Yubico, however, decided not to release such a product because it did not meet the company’s standards for “security, usability, and durability,” and because it was not as secure as NFC and USB.

Yubico’s concern turned out to be well-founded: it is exactly what happened with the Bluetooth version of the Titan Security Key, which is sold alongside the USB-based version. According to Google, a misconfiguration in its Bluetooth pairing protocols makes it possible for an attacker to communicate with the security key, or with the device to which the security key is being paired.

The catch, however, is that the attacker must be within about 30 feet of the target to exploit the vulnerability. In addition, taking advantage of the misconfiguration is difficult. Hackers must time things exactly right either to connect their own device to the security key (though they will still need to know the target’s username and password to access the victim’s account), or to masquerade their device as the security key in order to take actions on the victim’s device.

Google said that the vulnerability does not affect the main purpose of the Titan Security Key, which is to protect its owners from phishing attacks. The company recommended that owners keep using the device to maintain that protection, but suggested that they take advantage of the free replacement if they are eligible.

The affected version of the Bluetooth Titan Security Key has a T1 or T2 on the back of the device. The free replacement may be requested through Google’s dedicated website for the recall.
