Google Titan's Bluetooth Security Key Can Be Used to Hack Paired Devices

(Image credit: Tom's Hardware)

When I first tried out the Google Titan Security Key, my biggest concern was how easily it got scratched (you should see it today, nearly nine months later) and Bluetooth connectivity issues with my iPhone. Little did I know those were just minor flaws compared to the key’s security vulnerabilities Google announced today.

The security flaw affects the Bluetooth Low Energy (BLE) versions of the security key, hardware you must touch in order to log into supporting applications. One easy way to tell if you’re affected if your Bluetooth key says "T1" or "T2" on the back. As a result of this discovery, Google is offering replacement keys via this website.

Google explained the security issue in its blog post.

"Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key -- within approximately 30 feet -- to (a) communicate with your security key, or (b) communicate with the device to which your key is paired," it said.

Google noted that there needs to be a perfect storm of conditions in order for a hacker to infiltrate the Titan’s defenses. First, they’d have to be physically close to you at the moment when an app prompts you to press the Bluetooth key’s button to log in. "In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly,” Google explained. Afterwards, they could “change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”

No Big Surprise

The news comes almost a year after a statement by Yubico, (which Google used to buy security keys from before developing its own) questioning the strength of Bluetooth-based security keys.

"While Yubico previously initiated development of a [Bluetooth] security key and contributed to the [Bluetooth] U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. [Bluetooth] does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience," it said at the time. 

How to Mitigate Risk

Google said using its Titan keys is still safer than not using a security key at all (although it conveniently left out the option of seeking a competitor, like a YubiKey). Note this security flaw does not apply to USB or NFC security keys.

While you’re awaiting a replacement key, however, there are steps you can take to mitigate your risk, depending on whether you’re using an iOS or Android Device.

iOS 12.2 or earlier

Google recommended these users use their key in a "private place" where any potential hackers are over 30 feet away.

"After you’ve used your key to sign into your Google account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3," Google said.

However, when you update to iOS 12.3 your security key will no longer work, so those users should stay logged in to their accounts so that they aren't locked out.

Android and other devices

Google again recommended keeping hackers at a 30-feet distance.

"After you’ve used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue," it said.

Scharon Harding

Scharon Harding has a special affinity for gaming peripherals (especially monitors), laptops and virtual reality. Previously, she covered business technology, including hardware, software, cyber security, cloud and other IT happenings, at Channelnomics, with bylines at CRN UK.