Sun. Jun 7th, 2020

Microsoft found vulnerability in Google Titan Security Key


Last year, Google launched the Titan physical security key for multi-factor authentication of accounts. The advantage of a physical security key is that the account stays protected even if the password is leaked. Titan Security Keys are also widely used within Google, where most employees carry one to improve the security of their accounts. However, Microsoft recently discovered a serious vulnerability in the Bluetooth Low Energy (BLE) version of the Titan Security Key.


The Bluetooth protocol configuration used by the Titan Security Key allows an attacker who is physically close to the user to pair directly with the key. When a user attempts to log in to an account on their own computer, they are asked to press the physical button on the Titan Security Key to activate it.

Christiaan Brand, Product Manager at Google Cloud, wrote:

“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”

“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”

If the Titan Security Key you are using is the Bluetooth Low Energy version, check whether there is a T1 or T2 on the back of the key; if so, the key is affected. Google offers a free replacement for affected Titan Security Keys, and users can find the steps required for the replacement on the Google Help page.

If the user is on iOS 12.2 or earlier, Google recommends using the security key in a private place, away from potential attackers in public spaces. If the user is on iOS 12.3, the affected key no longer works, and the user will not be able to log in to Google or other accounts linked to that key.

On Android and other devices, users only need to use the key in a private place. It is also recommended to remove the Bluetooth pairing with the security key immediately after logging in to the account. In addition, users can continue to use the USB or NFC versions of the Titan Security Key, which are not affected by this Bluetooth pairing protocol issue.