Google Titan Security Key Recalled After Bluetooth Pairing Bug

Posted on May 18, 2019

Google’s Titan Security Key, launched in the U.S. market last August, is a hardware two-factor authentication key that adds phishing-resistant sign-in protection to Google accounts. The affected model is the Bluetooth Low Energy (BLE) version of the Titan Security Key; the USB/NFC version is not affected. The vulnerability stems from a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, said Google product manager Christiaan Brand.

Despite Google’s recall of the device, exploiting the pairing flaw appears to be non-trivial. An attacker must be physically close to the key, within approximately 30 feet, which is roughly the range of a BLE connection. He or she would also already need the victim’s username and password for the Google account the key protects.

Making matters more difficult, the adversary would have to act within a very narrow window: the moment the victim presses the button to activate the BLE key for sign-in. In that window the misconfigured pairing protocol allows the attacker’s device to connect to the key before the victim’s own device does. With the key paired to their device and the stolen credentials in hand, the attacker could then complete the sign-in to the victim’s account.