Published on May 16th, 2019

Security issues affecting Titan, Google’s security key


After performing an information security audit, Google revealed a security flaw in Titan, its Bluetooth security key, which would allow an attacker located near the device to bypass the protection that this tool provides. Google announced that it would replace the users’ faulty security keys.

The specialists determined that the flaw exists due to an erroneous configuration in the Bluetooth pairing protocol of the Titan devices. According to the experts who conducted the information security audit, this vulnerability affects all Bluetooth security keys, which are sold at an average cost of $50 each.

To exploit this vulnerability, a hacker would have to be physically close to the security key (about 10 meters, the Bluetooth range); if the attacker is near the victim, they can abuse the misconfigured protocol to connect their own device to the security key before the victim's device connects to log in to a compromised account.

In addition, before the security key can be used, it must be paired with the user's device, as if it were a pair of headphones. Threat actors could exploit this feature to use their own device, disguising it as a security key to connect to the victim's device when the key button is pressed.





It is important to note that this entire process must be carried out at the very moment when the security key is connected to a device; in addition, the attacker must know the victim's access credentials, which increases the complexity of the attack, according to the experts who conducted the information security audit.

The company assures that this drawback does not interfere with the primary purpose of the Titan security key, which is to protect users against phishing attacks, and invites users to continue using their device until Google sends them a replacement.

According to specialists from the International Institute of Cyber Security (IICS), it is much safer to use a key with a Bluetooth protocol issue than not to use any security tools.


