If you use one of Google’s Titan Security Keys for two-factor authentication, you probably think your account was as secure as it can be. On its website, in fact, Google promises that Titan Security Keys “are the same level of security used internally at Google” and “keep out anyone who shouldn’t have access to your online accounts.”
Make that most people. In a post on its security blog, Google divulged Wednesday that it has discovered a “misconfiguration” with the Bluetooth Low Energy version of its Titan Security Key that could allow a nearby attacker to “communicate with your security key, or communicate with the device to which your key is paired.”
As Google explains, there are two ways an attacker can strike. While pairing the key with your PC or phone, someone could “potentially connect their own device to your affected security key before your own device connects (and) sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”
Furthermore, if you are using the device to obtain authentication, an attacker “could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”
What this means for you: While certainly a rare case—since it’s a Bluetooth key, an attacker would need to be with 30 feet of you when you press the button—it’s still likely to be alarming for anyone who purchased a key to secure the account. Rather than try to patch the vulnerability via software, Google will replace all affected security keys free of charge. To check if your key is among the affected units, look at the small number above the USB port on the back. If it reads T1 or T2, your key needs to be replaced.
Google recommends using the NFC- or USB-based security authentication until the replacement arrives, as these methods are not affected by the issue. Additionally, the upcoming June 2019 security patch for Android devices will automatically unpair affected Bluetooth security keys to eliminate the risk of attack.
All affected users can request a free replacement by visiting google.com/replacemykey.