Security issue with the Titan security keys

Titan security keys. © Google.

Google’s Titan Security Keys come in two versions: the USB version for computers and the Bluetooth LE version for IOS and Android devices. The latter version is the one that has revealed a security flaw that is rather embarrassing for a product that is supposed to bolster security. Due to a misconfiguration of the Bluetooth LE pairing protocols, it is possible for an attacker who is physically close at the moment the security key is used -- within approximately 10 m -- to communicate with the security key or with the device to which the key is paired. Google has temporarily stopped selling the Bluetooth LE keys and is offering a free replacement. The iOS 12.3 system, which Apple started deploying on Monday, doesn’t work with Google’s vulnerable keys, which has the unfortunate result of locking people out of their Google account when they disconnect. The company recommends users not disconnect until they’ve obtained a new key.

⇨ Google Security Blog, “Advisory: security issue with Bluetooth Low Energy (BLE) Titan security keys.”

⇨ Ars Technica, “Google warns Bluetooth Titan security keys can be hijacked by nearby hackers.”