Today, Google announced a security bug in its Bluetooth Low Energy (BLE) Titan Security Keys. This issue is due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, which is currently affecting the BLE versions in the U.S. Google has provided users with quick actions to protect themselves against the attack and to gain a free replacement key.
However, the bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement since security keys provide the strongest protection against phishing”, the official post reads.
Attackers can only gain access to a user’s device if they are in close physical proximity (approximately 30 feet) while the user is using the security key. From that range, an attacker could communicate with the user’s security key, or with the device to which the user’s key is paired.
The two cases in which an attacker might exploit the BLE security keys are:
Google also mentions that this issue does not affect the primary purpose of security keys (to protect you against phishing by a remote attacker). They also suggest that security keys remain the strongest available protection against phishing and it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on one’s Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to a user’s device). This local proximity Bluetooth issue does not affect USB or NFC security keys.
“To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement”, the official post states.
Mark Risher, Director of Product Management at Google tweeted:
https://twitter.com/mrisher/status/1128703153397030913
In its official blog post, Google has also provided some additional steps that users can take to minimize the remaining risk until they receive their replacement keys.
To know more about this news in detail, head over to Google’s official blog post.