Google warns Titan Security Key has Bluetooth bug that leaves it vulnerable

Microsoft, the subject of more than a few vulnerability disclosures from Chocolate Factory researchers, alerted Google to the issue, which is down to a misconfiguration in the way the keys handle Bluetooth pairing protocols.

"This security issue does not affect the primary objective of security keys, which is to protect you against phishing by a remote attacker", the company said in a blog post.

Google is recalling the Bluetooth Low Energy (BLE) version of its Titan Security Key and is offering free replacements to owners. The flaw allows a so-called man-in-the-middle (MiTM) attack, in which someone could get between your Titan key and the device it's communicating with. Until you have a replacement, take extra precautions, such as using your security key away from other people and immediately unpairing it after you sign in to your Google account.

This flaw can enable an attacker who is within 30 feet of you while you're using the key to communicate with it or with the device it is paired to. The circumstances that would have to align include an attacker in close proximity (less than 30 feet or so), who is able to time their attack to the exact moment that you connect with your security key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

To check whether your device needs to be replaced, look for a letter and number combo on the back of the key near the bottom. If it's marked T1 or T2, Google will replace it for free.

"Due to a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key - within approximately 30 feet - to (a) communicate with your security key, or (b) communicate with the device to which your key is paired", it said. Security keys that use USB or Near Field Communication are unaffected.

The threat of having the key hijacked and the current incompatibility with the latest release of iOS are sure to generate further user resistance to using the BLE-based keys. However, the company recommended that users do not stop using the keys until they get a replacement, as they provide enhanced security compared to not using a security key at all. Brand said that security keys continued to represent one of the most meaningful ways to protect accounts and advised that people continue to use the keys while waiting for a new one.

After you've used your key to sign into your Google Account on your device, immediately unpair it. If you don't do that and own a phone that will pick up the June security patch next month, your phone will automatically unpair it.

"While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability".

You will need to sign into your Google account when you access the site to claim your replacement.

The flaw also affects Feitian BLE security keys.
