Published: Fri, May 17, 2019

Security flaw found in Google's Titan Security Keys


That said, Google has been selling its security key technology to businesses, which have to worry about insider threats and corporate espionage.

"This security issue does not affect the primary objective of security keys, which is to protect you against phishing by a remote attacker", said Google Cloud product manager Christiaan Brand in a blog post, noting that even flawed security keys are better than giving up on two-step authentication. Google's interim advice is to take extra precautions: use the key only in a private place where nobody is within 30 feet of you, and, once you have signed in to your Google account with it, immediately unpair the key through the device settings.

This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account.

Where Titan distinguished itself, however, was in adding Bluetooth functionality - essentially giving the option to use the key from within a range of around 9.14m.

An attacker who already knows your username and password, and who is within Bluetooth range when you first pair the device, could connect to the key in the window after you press the pairing button but before your own device connects. "After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device", Brand said.

You can request a replacement by heading over to a website Google has set up for this specific issue, and if you're logged into your Google account when you visit it, it'll even automatically check to see if any affected keys are associated with your account.

The bug affects the Bluetooth variant of the Titan Security Keys, not the USB version.

Last summer, Google launched the Titan Security Key, a physical device that can be used for online security.

The company also provided a number of steps to let users of iOS (12.2 or earlier) and Android devices who have the BLE version of the Titan Security Key minimise the security risks until they receive their replacement keys. A Google spokesperson told ZDNet that non-US users can use the same google.com/replacemykey page to check whether their Feitian keys are affected, but Feitian will handle the replacement process if users are impacted and eligible for a new key.

Physical security keys are much more secure than texted temporary codes, which can be intercepted over the air. The key uses BLE to connect with your computer or mobile device and send it the secret. Brand said that security keys continue to represent one of the most meaningful ways to protect accounts and advised that people keep using the keys while waiting for a new one; the company recommended that users not stop using them until they get a replacement, since an affected key still provides better protection than using no security key at all. "Security keys are the same level of security used internally at Google".

Users of iOS 12.3 "will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key".

It also affects Feitian BLE security keys.
