Security flaw found in Google's Titan Security Keys
Google’s Titan Security Keys offer a convenient and secure method for securing devices that relies on two-factor authentication and some advanced Google-grown cryptography. However, Google announced yesterday that a major flaw in the Bluetooth Low Energy version of the Titan Security Key opens the small devices (and those using them) to attack.
According to Google, a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” allowed an attacker within about 30 feet to communicate with both the security key and the device with which the key was pairing at the moment the key was activated. When the security key is used to log in to an account, an attacker could use their own device to connect to the user’s computer and log in to the account.
That said, the attacker would need to time the hack precisely and would likely need a user’s account username and password. Since the Titan Security Key’s main purpose is to prevent phishing attacks, Google has stated that even using an affected key is safer than no key at all.
Still, Google understands the potential security risks caused by the flaw and has offered to replace any T1 or T2 Bluetooth Low Energy Titan Security Keys, free of charge. Google also stated that using an NFC or USB Titan Security Key was more secure, as those keys require close physical proximity (less than an inch or a direct connection, respectively) to work.