Google has issued a recall for its Bluetooth-enabled Fast Identity Online (FIDO) security key, Titan, after it discovered a security flaw which allows an attacker in close physical proximity to communicate with both the security key and its paired host device.
Designed to protect Google accounts against phishing attacks, the Titan security key family is Google's implementation of the Fast Identity Online (FIDO) standard: A secure enclave on the key holds a certificate which is used to verify the identity of the holder in addition to a username and password. No key, no login. Like rival devices from companies including Yubikey, the Titan family includes both USB-connected and wireless Bluetooth Low Energy variants - but Google has warned of a flaw in the latter that can open devices up to attack from a suitably-located miscreant.
'Due to a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key - within approximately 30 feet - to (a) communicate with your security key, or (b) communicate with the device to which your key is paired,' explains Google Cloud product manager Christaan Brand. 'This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).'
To be successfully exploited, the flaw requires the attacker to connect to the security key ahead of the actual host device. If said attacker is close enough and quick enough to do that, and they already somehow have the target's username and password, they could authenticate against the target account. A secondary attack could allow for a malicious device to masquerade as the security key, then switch once paired to a human interface device (HID) and potentially take control of the target system.
Of those two attacks, the latter is the most likely to succeed - but is still relatively unlikely to affect most users in the wild. Nevertheless, Google has confirmed it is to replace all affected security keys free of charge: Anyone with a Titan BLE security key is advised to look on the bottom-rear of the dongle for the markings T1 or T2 to confirm that it suffers from the flaw; any other marking indicates the dongle is fine.
Those with a dongle affected by the recall can find more information on the Google Online Security blog.
February 24 2020 | 12:00