UPDATED 23:36 EST / MAY 15 2019

Google recalls Titan security keys with potential Bluetooth vulnerability

Google LLC is recalling some of its Titan Security Key products, which are used by enterprises as a more secure alternative to conventional two-factor authentication, after learning of a vulnerability in the keys’ Bluetooth pairing that could be exploited by a nearby attacker.

The Titan Security Keys are designed to limit access to computers by physical proximity, meaning that any would-be hackers must be within 30 feet of the key to have any hope of gaining access. In theory this provides greater security than conventional two-factor authentication, which is vulnerable to attacks such as SIM swapping.

But some of Google’s Titan keys rely on Bluetooth connections to confirm that the user is close to the computer they protect, and Google has found that this can be a problem.

“Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired,” the company said in an advisory posted on its security blog.

A second possible vulnerability exists when a key is paired with a computer for the first time. If an attacker is nearby, they could “masquerade as your affected security key and connect to your device,” Google said.

That said, the chances of a successful attack using either of these methods are close to zero. To pull it off, attackers would not only need to be aware of the vulnerability and have the necessary software to exploit it, but they would also need to do so at just the right moment. It’s highly unlikely anyone would be able to do so, and Google said it’s not aware of any successful attacks. But still, a premium security product such as Titan needs to meet the highest possible standards, so Google is offering to replace all affected keys free of charge.

The episode is embarrassing for Google as well, not least because its biggest rival in the two-factor authentication device market, a company called Yubico Inc., warned about this kind of attack when Titan was launched.

“Google’s offering includes a Bluetooth (BLE) capable key,” Yubico Chief Executive Officer Stina Ehrensvard wrote in a blog post last year. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability.”

This isn’t the only time Titan has come under scrutiny either. Last year, questions were raised about the possibility of the keys being vulnerable to Chinese hackers, since the devices are manufactured in that country by a company called Feitian Technologies Co. Ltd. Although no one offered any evidence to substantiate those claims, there exists a certain amount of paranoia in the U.S. about Chinese-made technology products because of the suspected influence that the Beijing government holds over local companies.

Google said alternative Titan security keys that rely on USB and NFC connections are not affected and do not need to be recalled. The company said those using Bluetooth Titan keys can check on this page to see if their device is vulnerable, and learn how to apply for a replacement device.

“If it has a ‘T1’ or ‘T2’ on the back of the key, your key is affected by the issue and is eligible for free replacement,” Google said in its advisory.

While waiting for a replacement key, Google said, it’s probably OK for companies to continue using their affected keys since the exploit doesn’t affect its primary purpose, which is to protect against “phishing” attacks by remote attackers.
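The reason the phishing protection survives a transport-level flaw is that a FIDO U2F key binds every registration to the origin it was created for, and the browser, not the web page, tells the key which origin is asking. The following model of that flow is an added illustration written for this article; it is not Google's code or the Titan key's firmware. It assumes a simplified design in which the per-registration ECDSA key pair of real U2F is replaced by an HMAC secret that the relying party stores in place of a public key; the key handle, origin hash, user-presence byte and signature counter follow the shape of the real protocol.

```python
import hashlib
import hmac
import secrets

# Added illustration of U2F origin binding, not the Titan key's real firmware.
# HMAC stands in for the per-registration ECDSA key pair (an assumption made
# so the example runs with the standard library only).

USER_PRESENCE = b"\x01"  # U2F flag byte: the user touched the key


class SecurityKey:
    """Models the authenticator. A key handle is a nonce plus a tag over the
    origin hash, so the key can tell which origin a handle was issued for."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device
        self._counter = 0

    @staticmethod
    def _app_hash(app_id):
        return hashlib.sha256(app_id.encode()).digest()

    def _cred_secret(self, nonce, app_hash):
        return hmac.new(self._master, b"cred" + nonce + app_hash, hashlib.sha256).digest()

    def _handle_tag(self, nonce, app_hash):
        return hmac.new(self._master, b"handle" + nonce + app_hash, hashlib.sha256).digest()[:16]

    def register(self, app_id):
        nonce = secrets.token_bytes(16)
        app_hash = self._app_hash(app_id)
        key_handle = nonce + self._handle_tag(nonce, app_hash)
        return key_handle, self._cred_secret(nonce, app_hash)

    def authenticate(self, app_id, key_handle, client_data_hash):
        """Sign only if key_handle was registered for app_id; else refuse."""
        app_hash = self._app_hash(app_id)
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(nonce, app_hash)):
            return None  # wrong origin for this handle: the key will not sign
        self._counter += 1
        counter = self._counter.to_bytes(4, "big")
        msg = app_hash + USER_PRESENCE + counter + client_data_hash
        sig = hmac.new(self._cred_secret(nonce, app_hash), msg, hashlib.sha256).digest()
        return counter, sig


def browser_sign(key, page_origin, key_handle, challenge):
    """The browser binds the challenge to the origin the user is really on and
    presents that origin to the key; a web page cannot substitute another."""
    client_data_hash = hashlib.sha256(page_origin.encode() + b"|" + challenge).digest()
    result = key.authenticate(page_origin, key_handle, client_data_hash)
    if result is None:
        return None
    counter, sig = result
    return {"origin": page_origin, "challenge": challenge, "counter": counter, "sig": sig}


class RelyingParty:
    """Models the website. Stores the credential secret and the last counter."""

    def __init__(self, origin):
        self.origin = origin
        self.registrations = {}  # key_handle -> [secret, last_counter]
        self.pending = set()

    def register(self, key):
        handle, secret = key.register(self.origin)
        self.registrations[handle] = [secret, 0]
        return handle

    def challenge(self):
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, handle, response):
        if response is None or handle not in self.registrations:
            return False
        secret, last_counter = self.registrations[handle]
        if response["origin"] != self.origin or response["challenge"] not in self.pending:
            return False
        counter = int.from_bytes(response["counter"], "big")
        if counter <= last_counter:
            return False  # replayed or cloned-key response
        app_hash = hashlib.sha256(self.origin.encode()).digest()
        cdh = hashlib.sha256(self.origin.encode() + b"|" + response["challenge"]).digest()
        expected = hmac.new(secret, app_hash + USER_PRESENCE + response["counter"] + cdh,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["sig"]):
            return False
        self.pending.discard(response["challenge"])
        self.registrations[handle][1] = counter
        return True


def legitimate_login():
    """User on the real origin: the key signs and the site accepts."""
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")
    handle = rp.register(key)
    return rp.verify(handle, browser_sign(key, "https://accounts.example", handle, rp.challenge()))


def relayed_challenge_is_rejected():
    """A look-alike site relays a genuine challenge to the victim's browser.
    The browser reports the look-alike origin, so the key refuses to sign."""
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")
    handle = rp.register(key)
    resp = browser_sign(key, "https://accounts-example.invalid", handle, rp.challenge())
    return resp is None and rp.verify(handle, resp) is False


if __name__ == "__main__":
    print("legitimate login accepted:", legitimate_login())
    print("relayed challenge rejected:", relayed_challenge_is_rejected())
```

The origins and challenge values are constructed for the example. The point to take from it is that the Bluetooth link only carries the already origin-bound challenge and response; an attacker who can talk to the key over BLE still cannot obtain a signature for the real site's origin from a page the user is not actually on.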

Photo: Google
