Microsoft has found a vulnerability in the Bluetooth Low Energy (BLE) version of Google's Titan Security Keys. The issue is serious enough that Google has announced it will replace the affected keys for free. According to Google, the problem is a misconfiguration in the keys' Bluetooth pairing protocols. In practice, it means an attacker could gain access to your account or your device, but only under specific circumstances. Those circumstances are narrow, yet realistic enough to matter. The vulnerability was also disclosed by Feitian, the company that manufactures the Titan Key for Google and sells the same hardware under its own brand name.
Security and its mounting vulnerabilities
Google is actually disclosing two attack scenarios. The first is a proximity issue: at the moment you press the button on your key to authenticate, an attacker within the roughly 30-foot Bluetooth Low Energy range could connect their own device to your key before your device does. To turn that into an account takeover, the attacker would also have to already know your username and password and time the connection exactly. The second scenario targets the pairing between key and device. Once a key has been paired, an attacker in range could, in Google's words, "masquerade as your affected security key and connect to your device" at the moment you are asked to press the button. From that position the attacker's device could present itself as a trusted Bluetooth peripheral and attempt to act on your device.
The Titan Security Keys are the centerpiece of Google's push for hardware-backed two-factor authentication, and any product that pushes security forward will eventually turn up weaknesses like this one. An attacker would need to know about the flaw, be physically nearby, and strike at the precise moment you press the button or pair the key. Those are a lot of 'ifs', but Google isn't holding back: it has promised free replacements for affected keys, identified by a "T1" or "T2" marking on the back. The USB and NFC Titan keys are not affected.