• Google offers free replacements for Bluetooth Titan keys that are vulnerable to attacks.
• A misconfiguration could allow an attacker in close proximity to authenticate to the victim’s account.
• Users are urged to use the keys away from other people and to unpair them immediately after use.

Google has published a security advisory warning users of its Titan 2FA security keys about a severe flaw in the BLE (Bluetooth Low Energy) version. Owners of these devices qualify for a free replacement key that does not carry the bug, while people using the non-Bluetooth versions are not affected. Although the flaw is severe, users of the BLE Titan keys are still urged to keep using them until the replacement arrives, because exploiting the bug requires specific conditions and several prerequisites.

The problem stems from a misconfiguration in the pairing protocol of this particular model, which could allow an attacker to log in to the victim’s Google Account from their own device, as long as they are within Bluetooth range (10 meters/30 feet). During the sign-in step, users are asked to press the button on their Titan key, which confirms that the key holder is physically present. However, if an attacker has already obtained your Google Account credentials and is sitting nearby with a laptop, they could connect to your account at the moment you press that button.

A second attack scenario involves the pairing of the key, which is also done over Bluetooth. As Google reports, an attacker in range could masquerade their device as your Titan key and connect to your computer or phone. By changing the device type to a keyboard or a mouse, they could then interact with the compromised device and perform arbitrary actions.

[Image: Google Titan Key. Source: security.googleblog.com]

To find out whether your key is among the affected models, check the back of the device and look at the marking at the bottom. If it reads either “T1” or “T2”, you should go ahead and request a replacement. Until that arrives, keep using the existing Titan key, but do so carefully: avoid using it in places where other people are within 30 feet (10 meters) of you, and unpair the key immediately after using it to authenticate. Google will also roll out a security patch in June that makes the unpairing step automatic for affected keys still in use at that time.
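The advisory’s interim mitigation is to unpair the key right after each sign-in. On a Linux host that uses BlueZ this can be scripted so the step is not forgotten. The following helper is an added example written for this page, not code from Google or from the article: it assumes `bluetoothctl` is available, that `bluetoothctl devices` prints lines of the form `Device <MAC> <Name>`, and that the key advertises a name containing “Titan” (check the real name on your own system before relying on the pattern).

```shell
#!/bin/sh
# Added example (not from the article or from Google): enumerate known Bluetooth
# devices via bluetoothctl and unpair those whose name matches a pattern.
# Assumptions: BlueZ's bluetoothctl is installed, its "devices" output has the
# shape "Device <MAC> <Name>", and the key's advertised name contains "Titan".

# titan_macs PATTERN
# Reads bluetoothctl-style "Device <MAC> <Name>" lines on stdin and prints the
# MAC address of every line whose text matches PATTERN (default: "Titan").
titan_macs() {
    pattern="${1:-Titan}"
    awk -v pat="$pattern" '$1 == "Device" && $0 ~ pat { print $2 }'
}

# unpair_titan_keys PATTERN
# Removes the pairing for every matching device. Set DRY_RUN=1 to only print
# the bluetoothctl commands that would run, which is useful to verify the
# pattern picks out the key and nothing else (e.g. a mouse or headset).
unpair_titan_keys() {
    pattern="${1:-Titan}"
    bluetoothctl devices | titan_macs "$pattern" | while read -r mac; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "bluetoothctl remove $mac"
        else
            bluetoothctl remove "$mac"
        fi
    done
}

# Typical use after authenticating (dry run first, then for real):
#   DRY_RUN=1 sh unpair-titan.sh && sh unpair-titan.sh
# Only run the real removal when invoked as a script, not when sourced for tests.
if [ "${0##*/}" = "unpair-titan.sh" ]; then
    unpair_titan_keys "${1:-Titan}"
fi
```

Run it once with `DRY_RUN=1` to confirm that only the key is matched; `bluetoothctl remove` drops the pairing, so the next sign-in will require pairing the key again, which is exactly the behaviour the advisory recommends until the replacement key or the June patch arrives.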

Are you using a 2FA key for added security? Which one is your pick? Let us know in the comments down below, and help us reach out to more people by sharing this post through our socials, on Facebook and Twitter.