Google to replace faulty Titan security keys

Doris Richards
May 17, 2019

The idea behind Titan is the same as that of any security key: to give people a hardware-based two-factor authentication method.

"This security issue does not affect the primary goal of security keys, which is to protect you against phishing by a remote attacker", the company said in a blog post.

The bug could allow an attacker who is within range (approximately 30 feet) of the key while it is being used to communicate with either the key or the device it is paired to. In the meantime, Google recommends that you continue to use your key, since the protection it provides generally outweighs the chance that you'll fall victim to this particular vulnerability.

"In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly."

This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account.

This flaw can enable an attacker who is within 30 feet of you while you're using the key to communicate with it or with the device it is paired to. The company warned that if you're using the security key's Bluetooth pairing, you should make sure you're in a private place where a potential attacker could not be within 30 feet. If successful, the attacker could then attempt to make their own device appear as a Bluetooth keyboard or mouse and direct input to the compromised device. To check whether your key needs to be replaced, look for the letter-and-number combination on the back of the key near the bottom.

The bug can't be fixed with a security update, so Google is asking users to check whether their key is affected and, if it is, to request a replacement, which will be sent to them free of charge. Google also has a few suggestions for those who use the affected Bluetooth keys.

Considering the very slim chance of such an attack and the fact that this "security issue does not affect the primary objective of security keys, which is to protect you against phishing by a remote attacker", the company advises BLE-enabled Titan Security Key users to continue using the devices. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually.

Editor's Note: This story has been corrected to note that Google is not recalling the product, but offering free replacements.

Google's Titan-branded keys are only sold in the US.

Among Google's suggestions: after you've used your key to sign in to your Google Account on your device, unpair it immediately. If you need to use it again, pair it again and unpair it when you're finished.

As if the world isn't scary enough: according to Google, your most trusted security measures could actually be secret vulnerabilities. Google is still recommending that people use the keys in their current state, as some protection is better than none.

Article updated with Google comment regarding Feitian-branded keys.
