Flaws Found in Google’s Titan Security Key

Google recalled their Titan hardware security keys this week after discovering serious vulnerabilities. The vulnerability existed due to a misconfiguration in the keys, which allowed attackers to hijack the security keys.  

The Titan security keys are physical devices which offer two-factor authentication (2FA) for Google account users. When users try to access online services and have given their username and password, they can use the key for as a second password. This offers an extra layer of physical authentication for users. The keys work with Google accounts, as well as accounts that support the FIDO U2F standard for hardware keys.  

Google began offering two types of hardware keys in July 2018. A USB key, which plugs into a computer for authentication and a Bluetooth Low Energy (BLE) version which connects wirelessly to your computer for authentication. The vulnerability discovered by Microsoft found that the flaws existed in the Bluetooth version.  

The flaws are present in the misconfiguration of Bluetooth pairing protocols.  Anyone within thirty feet of a person using the BLE device can intercept communications. Malicious actors can either communicate with the key or the computer the key is connected to. To exploit the communications, the attacker would have to connect to the security key when the victim turns on the key for pairing. Before the key connects to the user’s device, the attacker needs to connect his own device. Once the attacker’s own device is connected, the attacker gains access to the victim’s accounts, username, and password.

Another way the attacker can exploit the flaws is when the victim connects to the key for the first time. The attacker can “masquerade as your affected security key and connect to your device”. The attacker can then pose as a Bluetooth mouse or keyboard.  

At this timeGoogle is offering a replacement to all users with the BLE device.  Further, they are recommending users to continue using their device, until their new ones arrive. Google commented saying: 

“Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.” 

 

 

Contact LIFARS today for secure code review services