May 16, 2019 at
Google has recently issued a warning for Titan security key users who purchased its Bluetooth Low Energy version, claiming that its two-factor authentication is not as safe as it may seem. According to the warning, the Bluetooth version of Titan can be hijacked by hackers. Users are advised to get a replacement device, which can be obtained for free. The replacement device has already implemented a fix for the newly discovered flaw.
What is the problem?
The problem appears to lie in a misconfiguration of the security key’s Bluetooth pairing protocols. The misconfiguration allows hackers to communicate with the key if they happen to come within 30 feet of it. However, they can also gain access to the device that the key is paired with by using the same method. The warning about the flaw was published yesterday, May 15th, by Google Cloud Product Manager, Christiaan Brand.
Bluetooth version came after it was discovered that this variety of low-cost security keys appears to be the best way of preventing account takeovers on websites that support the protection. Accounts would normally be protected by a password, created by the users themselves. However, by adding the security key, the user would secure their account with a secondary measure, the so-called ‘cryptographic assertion’.
This has proven to be the best way to completely secure the account, as the assertion is impossible for any attacker to guess. Even phishing has proven to be an ineffective method against this type of security measure. Further, security keys that use Near Field Communication or a simple USB connection, as most do, remain completely unaffected by this flaw.
However, Brand has now reported a type of attack which would allow bad actors to hijack the pairing process, provided that the attacker is relatively close — within 30 feet. While this is a specific requirement, it is still more than possible, which poses a significant danger to Titan’s users.
How does the attack work?
Brand reports that an attempt to sign in to an account on a user device requires the user to press the button on their BLE security key. This is how the device is activated.
However, if an attacker happens to be within 30 feet at the time when the key is activated, they might connect their own device to the flawed security key. If they manage to connect before the user themselves, they would be able to sign in on the user’s account via their own device. Of course, the attacker would still need to have the user’s username and password, and time the events perfectly.
Another issue that Brand has reported is that, prior to using the security key, the user needs to pair it to their device. However, if the attacker gets to be the first to pair with the key, they could use their own device to imitate the user’s security key. The user would, unknowingly, pair with the attacker, and possibly grant them access to their device.
What if your Titan key is
The big question now is whether you have the affected device or the one with a fix. Luckily, it is quite easy to check. Simply look at the back of your device and see whether it has a ‘T1’ or a ‘T2’ mark. If either of these is there, the device is vulnerable and can be replaced.
Meanwhile, Brand urges the users of Titan and other security keys not to be discouraged by this experience. According to him, security keys are still the best way to protect your account, and they should be used. Titan itself is rather affordable, too, with a price of only $50 in the Google Store. If the users are currently not able to immediately replace their devices, Brand suggests that they try to use their security key only within safe environments, with no one within 30 feet who might act as a potential attacker.
Further, users should remember to unpair their devices as soon as they sign in. There is an Android update, currently in development, which should arrive within a month or so. Once it is released, the update will unpair the Bluetooth security key automatically. Until then, users should remember to do it manually.
As for iOS users, Brand pointed out that iOS 12.3, which was released this Monday, does not work with the vulnerable key. However, this also means that users will be locked out of their Google accounts if they sign out, so Brand suggests not signing out, if possible. Another additional security measure could be the use of a backup authenticator app. This may serve until the new security key arrives, or users could simply opt to use it instead of a security key.
Meanwhile, the discovery of the flaw sparked a lot of criticism of devices that use Bluetooth to bring extra security, despite Brand’s claims that they are still the best option available. While BLE-based keys were already barely inspiring trust, their reputation will likely be damaged further by this flaw. Additionally, the situation provides a better understanding of Apple’s and Yubico’s decision not to support BLE-enabled keys — something that many have been wondering about for a while.