Google will replace Bluetooth Titan Security Keys due to a security flaw
Last summer, Google launched the Titan Security Key, a physical device used to secure online accounts. One of the features of the Titan Security Key is the ability to pair with devices over Bluetooth LE, as an alternative to NFC or USB. That Bluetooth capability has now caused a problem: Google is replacing the affected keys because of a vulnerability.
Google discovered a security flaw caused by a misconfiguration in the Titan Security Key’s Bluetooth pairing protocol. The flaw leaves users vulnerable to attackers within roughly 30 feet while the key is in use, since such an attacker could communicate with either the key or the device paired with it.
An attacker could exploit the flaw during the Bluetooth pairing process to connect a Bluetooth device of their own to the user’s device, which opens the user up to a whole host of potential attacks. More dangerous still is the risk to accounts: when you press the activation button on the key to sign in securely to an online account, the attacker could authorize their own device to access that account (assuming they also have your username and password).
So, what is Google doing about it? As mentioned, this only affects Titan Security Keys with Bluetooth capability; keys that work only over NFC or USB are not affected. If your Titan Security Key has a “T1” or “T2” on the back, it is affected and you can get a free replacement by visiting this website. In the meantime, Google still recommends using the affected keys, since some protection is better than none. They recommend using the key in a private place, away from other people, and unpairing the key immediately after you have used it to sign in.