Google's 2FA keys can be hacked due to Bluetooth config borkage

Titan Security Key Replacement

Not all Titan Security Keys have the bug, which Google says is due to a misconfiguration in the key's Bluetooth pairing protocols. When you press the activation button on the key to sign in securely to an online account, the attacker could authorize a device to access that account (assuming they have your username and password as well). Indeed, Google says that these issues don't affect the primary objective of security keys - defending against remote attackers - and that they don't apply to USB or NFC keys.

That said, the attacker would need to time the hack precisely and would likely need a user's account username and password.

For example, when a user first pairs their Titan security key to their device, an attacker can exploit the flaw in the Bluetooth pairing protocol to hijack this process and also pair a rogue Bluetooth device to the user's computer. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. If successful, the attacker could attempt to convert the hostile device to a Bluetooth keyboard or mouse to direct input to the compromised device.

Yubico, Google's competitor in the security key space, criticized Google for launching a Bluetooth-enabled security key. Affected units can be identified by looking for T1 or T2 printed on the rear.

To see if you qualify for a replacement Titan wireless key, go to https://myaccount.google.com/replacemykey on a browser on which you're signed into your Google account.

Nearly a year ago, Google made available its own line of physical security keys to improve anti-phishing protection of its employees and users. This flaw makes users vulnerable to attackers within 30 feet during the use of the key.

Google noted that there needs to be a perfect storm of conditions in order for a hacker to infiltrate the Titan's defenses.

And because of that, Google has issued a recall of the affected Security Keys. The good news is Google identified the issue and will send you a free replacement that closes the loophole. Google recommends using the key in a private place that is not within close proximity of other people. Users who are not already signed in to their Google Account on the iOS device and are locked out can use the available instructions to get back into their accounts.

Once you update to iOS 12.3, your affected security key will no longer work. This has the unfortunate result of locking people out of their Google accounts if they sign out. You will need to sign into your Google account when you access the site to claim your replacement.

A security key is the most robust form of defense against phishing, one of the most common attacks meant to steal your password, giving hackers access to your account and data.

The company also provided a number of steps that let users of iOS (12.2 or earlier) and Android devices with the BLE version of Titan Security Keys minimize the security risks until they receive their replacement security keys. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won't have to do it manually.
