Today, Google revealed that a Bluetooth bug has been found in its Titan security key and issued a warning. The bug could allow an attacker in close physical proximity to rename any Bluetooth device with the Titan Security Key’s name and trick the user into connecting to that fraudulent device instead. Once that device is connected to the victim’s gadget through Bluetooth, the hacker would then be able to do anything on that device.
Google also warned about another attack scenario, in which the attacker connects to a person’s Bluetooth security key before the real owner does. In that situation, the hacker would know the login credentials and could access the account in no time. The bug affects all Titan keys that have a “T1” or “T2” on the back or are sold in a $50 package with a standard USB/NFC key.
For the time being, Google advised unpairing the Bluetooth key and requesting a replacement immediately. Google warned that if you are still using the security key’s Bluetooth pairing, you have to be in a private place where a hacker would not be able to attack you from within 30 feet. The attacker could then use the misconfigured protocol to connect their own device to the key before you connect yours. They would then have your username and password and could easily log in to your account.
“It is much safer to use the affected key instead of no key at all,” Christiaan Brand, Google Cloud’s product manager, said in the company’s post about the bug. “Security keys are the strongest protection against phishing currently available.”
Google clarified that the Bluetooth bug affecting the Titan security key will not change the company’s mission, which is to guard against phishing attacks. Google has been selling its Titan-branded keys since last August as part of its anti-phishing and account security measures. Google offers extensive support for physical authentication tokens.
Some of the company’s competitors in the security key space, including Yubico, planned not to make any devices with a Bluetooth connection because of various security issues, and Google had already been criticized for making a Bluetooth key.