Google is recalling the Bluetooth version of its Titan security key after discovering a vulnerability that could allow an attacker within roughly 30 feet of the device to communicate with it, the company announced Wednesday.
According to Google, an attacker within Bluetooth range, roughly 30 feet, at the moment the key is being used could communicate with both the security key and the device it is paired to. In one scenario, the attacker uses their own device to connect to the user's computer while the user is signing in with the key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on the user's device.
Google also described a second scenario, in which a nearby attacker connects to a person's Bluetooth security key before the owner's own device does. "In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly," Google explained.
Feitian Technologies BLE security keys, sold for Google's Advanced Protection Program before the Titan-branded models, share this flaw and are also eligible for replacement.
While you're awaiting a replacement key, there are steps you can take to mitigate the risk, depending on whether you're using an iOS or Android device.
The bug can't be fixed with a software update, so Google is asking users to check whether their key is affected and, if it is, to request a replacement, which will be sent free of charge.
Given the low likelihood of such an attack, and because this "security issue does not affect the primary goal of security keys, which is to protect you against phishing by a remote attacker", the company advises users of BLE-enabled Titan Security Keys to keep using them until the replacement arrives. Security keys that use USB or Near Field Communication (NFC) are unaffected.
Google recommended unpairing the Bluetooth key and requesting a replacement.
This episode is unfortunate since, as Broad notes, physical security keys remain the strongest protection now available against phishing and other types of account takeovers.
However, once you update to iOS 12.3 your affected security key will no longer work: you will not be able to use it to sign in to your Google Account, or any other account protected by the key, and you will need to order a replacement. Those users should stay signed in to their accounts so that they aren't locked out. Google has published more specific instructions for iOS and Android devices.
Yubico, which makes competing keys, said in a statement: "While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability". Most Yubico USB-based security keys also include NFC, and a combination USB-NFC security key can be bought from Amazon for less than $20.
Article updated with Google comment regarding Feitian-branded keys.