Posted on May 16, 2019 at 2:53 PM
Google has issued a warning for users of the Bluetooth Low Energy (BLE) version of its Titan security key: a flaw in the key's Bluetooth pairing lets a nearby attacker hijack it, so the second factor it provides is weaker than intended. Google is offering affected users a free replacement key that already carries the fix.
What is the problem?
The problem is a misconfiguration in the key's Bluetooth pairing protocol. It lets an attacker within roughly 30 feet (ordinary BLE range) talk to the key directly, and it can be turned around as well: the attacker's device can pose as the key to the phone or laptop the user is pairing it with. Google Cloud Product Manager Christiaan Brand published the warning yesterday, May 15th.
Titan's Bluetooth version followed the realization that low-cost security keys are the most effective defense against account takeover on sites that support them. A password, chosen by the user, is the first factor; the key adds a second one, a cryptographic assertion: a signature over a challenge from the site, produced by a private key that never leaves the hardware.
Unlike a password or a one-time code, the assertion cannot be guessed, and because it is bound to the site's origin it is useless to a phishing site that relays it. This flaw does not change that. The USB and NFC versions of Titan, and security keys of those types generally, are unaffected; only the BLE pairing is at fault.
Brand has now described an attack that lets a bad actor hijack the pairing process, provided they are within about 30 feet. Proximity is a real constraint, but it is not a hard one to meet, so the risk to BLE Titan users is significant.
How does the attack work?
Brand explains that signing in to an account from a device requires the user to press the button on the BLE security key; that press activates the key and makes it reachable over Bluetooth.
If an attacker within 30 feet connects their own device to the key at that moment, before the user's own device does, the key answers the attacker's sign-in request instead, and the attacker can complete the sign-in from their device. They still need the user's username and password, and the timing has to be exact.
The second issue concerns the initial pairing the user must perform before using the key. An attacker who is nearby during pairing can present their own device as the security key; the user then unknowingly pairs with the attacker's device, which could let the attacker act on the user's device.
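Two claims above are easier to see in code: that the cryptographic assertion is bound to the site's origin, so a phishing page gains nothing by relaying it, and that whoever holds the Bluetooth link to the key at sign-in time gets a valid assertion, which is why the hijack only needs the password on top. The Go program below is an added illustration written for this page, not Google's or Titan's code. It models a U2F-style key, a relying party and clients at different origins; the type and function names (Token, RelyingParty, SignInFrom), the key=value clientData layout, the omission of the key handle and use counter, using the origin as the appID, and the hostnames are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Token models the security key: a P-256 private key that never leaves the
// hardware. Real U2F keys hold one pair per registration plus a use counter;
// both are left out (assumption) to keep the origin binding in focus.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() *Token {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}
}

// Assertion is what the key hands to whichever client holds the link to it.
type Assertion struct {
	ClientData string // built by the client: the challenge and the origin it saw
	Signature  []byte
}

// signedMessage follows the U2F authentication layout (minus the counter):
// SHA-256(appID) || user-presence byte || SHA-256(clientData), hashed for ECDSA.
func signedMessage(appID, clientData string) []byte {
	appIDHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256([]byte(clientData))
	msg := append(appIDHash[:], 0x01) // 0x01: the button was pressed
	h := sha256.Sum256(append(msg, cdHash[:]...))
	return h[:]
}

// Sign: the key never sees a URL bar; it signs whatever clientData it is given.
func (t *Token) Sign(appID, clientData string) Assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedMessage(appID, clientData))
	if err != nil {
		panic(err)
	}
	return Assertion{ClientData: clientData, Signature: sig}
}

// RelyingParty is the site checking the second factor (password check omitted).
type RelyingParty struct {
	Origin      string // also the appID; assertions must name exactly this origin
	pub         *ecdsa.PublicKey
	outstanding map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(origin string, registered *Token) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: &registered.priv.PublicKey, outstanding: map[string]bool{}}
}

// Challenge issues a fresh random nonce and remembers it until it is used.
func (rp *RelyingParty) Challenge() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b[:])
	rp.outstanding[c] = true
	return c
}

// clientData is what a browser builds before asking the key to sign: the site's
// challenge plus the origin the page is really served from (key=value form is
// a stand-in for the real JSON structure; assumption).
func clientData(challenge, origin string) string {
	return "challenge=" + challenge + ";origin=" + origin
}

// Verify: the origin must be ours, the challenge must be fresh, and the
// signature must cover the clientData exactly as submitted.
func (rp *RelyingParty) Verify(a Assertion) error {
	parts := strings.SplitN(a.ClientData, ";", 2)
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "challenge=") || !strings.HasPrefix(parts[1], "origin=") {
		return errors.New("malformed clientData")
	}
	challenge := strings.TrimPrefix(parts[0], "challenge=")
	if origin := strings.TrimPrefix(parts[1], "origin="); origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", origin)
	}
	if !rp.outstanding[challenge] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.Origin, a.ClientData), a.Signature) {
		return errors.New("bad signature: clientData was altered or the key is not the registered one")
	}
	delete(rp.outstanding, challenge)
	return nil
}

// SignInFrom models a client at clientOrigin that holds the link to the key.
// The user's phone and an attacker's laptop that paired with the key first look
// identical here; only the origin the client is browsing differs.
func SignInFrom(rp *RelyingParty, key *Token, clientOrigin string) error {
	return rp.Verify(key.Sign(rp.Origin, clientData(rp.Challenge(), clientOrigin)))
}

// PhishWithRewrittenOrigin: a phishing page relays the real challenge to the
// victim, then edits the origin field before forwarding the assertion.
func PhishWithRewrittenOrigin(rp *RelyingParty, key *Token, phishOrigin string) error {
	ch := rp.Challenge()
	a := key.Sign(rp.Origin, clientData(ch, phishOrigin))
	a.ClientData = clientData(ch, rp.Origin) // forged: no longer what the key signed
	return rp.Verify(a)
}

func main() {
	key := NewToken()
	rp := NewRelyingParty("https://accounts.google.com", key)
	fmt.Println("user's own phone:      ", SignInFrom(rp, key, rp.Origin))
	fmt.Println("phishing page relay:   ", SignInFrom(rp, key, "https://accounts-google.example"))
	fmt.Println("phisher forges origin: ", PhishWithRewrittenOrigin(rp, key, "https://accounts-google.example"))
	fmt.Println("attacker holding link: ", SignInFrom(rp, key, rp.Origin)) // the BLE hijack case: passes
}
```

Run it with `go run` and compare the last line with the first: the relying party cannot tell the attacker's device from the user's phone, because the assertion binds the key and the origin, not the device the key is linked to. That is exactly what the BLE flaw hands an attacker who wins the pairing race, and why the password remains the only thing standing between them and the account. In a real browser the U2F client additionally refuses to sign for an appID that does not match the page's origin, so a phishing page never even reaches the key; the relying-party checks shown here are the layer behind that.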
What if your Titan key is vulnerable?
The question now is whether you hold an affected key or a fixed one, and it is easy to check. Look at the back of the key: if it is marked 'T1' or 'T2', it is an affected unit and can be replaced for free.
Meanwhile, Brand urges users of Titan and other security keys not to be discouraged by this episode. Security keys remain the best way to protect an account, and Titan is affordable at $50 in the Google Store. Users who cannot replace their key immediately should use it only in environments where no potential attacker is within 30 feet.
Users should also unpair the key from their device as soon as they have signed in. An Android update due within a month or so will unpair the Bluetooth security key automatically after sign-in; until it ships, this has to be done by hand.
On iOS, Brand noted that iOS 12.3, released this Monday, no longer works with the affected key. That means an iOS user who signs out of their Google account will not be able to sign back in with it, so he advises not signing out until the replacement arrives. As a fallback, users can enroll a backup authenticator app, either as a bridge until the new key arrives or as their second factor going forward, bearing in mind that an app-generated code, unlike a key's assertion, can be phished.
The disclosure has renewed criticism of Bluetooth as a transport for security keys, Brand's reassurances notwithstanding. BLE keys already inspired little trust, and this flaw will not help. It also makes Apple's and Yubico's reluctance to support BLE keys, long a subject of speculation, easier to understand.