Oh goody! Google’s 2FA security keys have a security flaw

Physical security keys have been heralded as a cure for the ills of account hacking and phishing, providing a means for web users to add an extra layer of protection when logging in. However, what happens when those security keys are, themselves, vulnerable to attack?

Google has revealed one of its Titan security keys – designed to offer users two factor authentication on logins – has a security issue that leaves the device open to hacking.

The company says the Bluetooth Low Energy versions of the Titan key are saddled with misconfigured Bluetooth pairing protocols. That means, an attacker can use an additional security key to pose as your device, if they’re within 30-feet of you at the time.

It’s a peculiar flaw that seems unlikely to be executed given the need for such close physical proximity. However, it’s worrying in a “Who watches the Watchmen?” kinda way, isn’t it? Ironically, Google says it was altered to the issue by none other than Microsoft.

In a post on the Google security blog, Google points out the issue only affects the Bluetooth-based Titan rather than the USB-based version of the device. The company also explained the two ways the devices could be exploited by the weird little flaw.

Related: Best VPN 2019

In the blog post, Google wrote: “When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.

“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”

Affected users will receive replacement keys if they apply for them online at this website. The company maintains that this issue doesn’t mean owners shouldn’t use their device in the meantime.

“It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company added.

Why we’re different

Unlike other sites, we thoroughly review everything we recommend. We use industry standard tests to evaluate products in order to assess them properly. We’ll always tell you what we find. Tell us what you think - send your emails to the Editor.