Google's Bluetooth Titan 2FA keys have a weird security vulnerability

By Eric Abent/May 15, 2019 2:02 pm EST

Last year, Google released its Titan security keys in two different varieties: USB and Bluetooth Low Energy. The idea behind Titan is the same as any security key, which was to give people a hardware two factor authentication method. Everything was all fine and dandy for a while, but then today, Google alerted users to a rather peculiar flaw in its BLE Titan keys.

As it turns out, some of those BLE keys have misconfigured Bluetooth pairing protocols and can potentially allow someone who is physically nearby to hijack your login attempts. For instance, someone who already has your username and password could – in theory – pair their device to your security key at the moment you press the button on your Titan to validate your credentials. If they do that, then they've just been granted access to your account using the security key that was supposed to add another layer of protection.

Another example of this vulnerability, as outlined by Google on its security blog, involves an attacker again being in "close physical proximity" using a device of their own to masquerade as your Titan at the moment you press the authentication button. That would allow them to connect to your device and gain access to it.

Since both of these vulnerabilities require the attacker to have precise timing and be within 30 feet (the maximum range of Bluetooth Low Energy devices like the Titan), it seems unlikely that it's ever going to be a major cause for concern among BLE Titan owners. Indeed, Google says that these issues don't affect the primary purpose of security keys – defending against remote attackers – and that they don't apply to USB or NFC keys.

Still, no matter how likely or unlikely it is that someone will take advantage of this, it's a vulnerability that needs to be addressed. Google announced today that it will issue replacement keys to anyone who wants one and has a defective key. To tell if your key needs to be replaced, look at the back of it. If you see a "T1" or a "T2" near the bottom of the key, it's defective and should be replaced.

You can request a replacement by heading over to a website Google has set up for this specific issue, and if you're logged into your Google account when you visit it, it'll even automatically check to see if any affected keys are associated with your account. Though Google recommends that you continue using your keys while you wait for a replacement, it has outlined some steps you can take to better protect yourself in the meantime, which can be viewed in the security blog post linked above.