Google's Titan Security Keys Hacked

Owners are being offered free replacements and are advised to use the affected keys with caution.

(CCM) — Google has been left red-faced following the admission on its security blog that the Bluetooth Low Energy (LE) version of its Titan Security Key has a fatal flaw. The company is offering free replacements to all owners in the U.S.

The flaw does not affect the NFC or USB versions of the Titan products, and only devices that have a T1 or T2 printed on the back are vulnerable.

"Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key -- within approximately 30 feet -- to (a) communicate with your security key, or (b) communicate with the device to which your key is paired," Christiaan Brand, a Google product manager, explained in a blog post.

This could allow an attacker to sign in to a Titan Security Key user's accounts from the attacker's own device, or to access the user's computer.

Brand says that it is still more secure to use the affected Titan devices than to stop using them altogether, but recommends using them in a private place where no potential attacker is within close physical proximity, and unpairing them immediately after signing in to an account.
