Google warns that the Bluetooth Low Energy (BLE) version of the Titan security key it sells for two-factor authentication can be hijacked by an attacker in the immediate vicinity, and the company advises users to obtain a free replacement device that fixes the vulnerability.
A misconfiguration in the Bluetooth pairing protocol allows attackers within a 30-foot radius to communicate with the key or with the device it is paired to, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.
The Bluetooth devices are one of several low-cost security keys that, as Ars reported in 2016, are the most effective way to prevent account takeovers on sites that support the protection. In addition to the user's account password, the key provides a secondary "cryptographic assertion" that attackers can hardly guess or phish. Security keys that use USB or Near Field Communication are not affected.
The attack Brand describes involves hijacking the pairing process when an attacker within a 30-foot radius carries out a tightly timed series of events:
- When you try to sign in to an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment can potentially connect their own device to your affected security key before your device connects. In this set of circumstances, the attacker could sign in to your account using their own device, provided they have somehow already obtained your username and password and can time these events precisely.
- Before the security key can be used, it must be paired with your device. Once paired, an attacker in close physical proximity can use their own device to masquerade as your security key and connect to your device at the moment you are prompted to press the button on your key. After that, they may try to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
For the takeover to succeed, the attacker must also know the target's username and password.
To determine whether a Titan key is vulnerable, check the back of the device. If it has "T1" or "T2" printed on it, it is subject to the attack and is eligible for a free replacement. Brand said security keys remain one of the most important ways of protecting accounts and advised that people continue using their keys while waiting for a new one. Titan Security Keys sell for $50 in the Google Store.
While waiting for a replacement, Brand recommended that users use their keys in a private place that is at least 30 feet from any potential attacker. Once logged in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users do not have to do it manually.
Brand said iOS 12.3, which Apple released on Monday, will not work with the vulnerable security keys. One unfortunate consequence is that people will be locked out of their Google Account if they sign out. Brand recommended that people not sign out of their accounts. A sounder security measure would be to set up a backup authentication app, at least until a new key arrives, or to skip Brand's advice and simply use the authentication app as the primary second factor.
This episode is unfortunate because, as noted above, physical security keys remain the strongest protection currently available against phishing and other types of account takeover. Wednesday's announcement prompted Bluetooth critics to take to social media to point out the protocol's security shortcomings.
Like, what kind of idiot protocol allows users to negotiate a "maximum key size" which can be only 1 byte. (The default value which, fortunately, should be higher in newer versions.) pic.twitter.com/7iFJkaMJLI
– Matthew Green (@matthew_d_green) May 15, 2019
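To make the complaint in that tweet concrete: the BLE Security Manager Protocol (SMP) Pairing Request and Pairing Response PDUs each carry a one-byte "Maximum Encryption Key Size" field, and the Bluetooth Core specification bounds its value to 7 through 16 bytes, so a peer that negotiates down to the floor ends up with a 56-bit key rather than the 128-bit key most users assume. The following Python is an added example written for this page; it is not code from the article, from Google, or from the Bluetooth SIG. It decodes the fixed 7-byte layout of those two PDUs and flags negotiations a defender would reject. The two sample PDUs are constructed, and the policy thresholds (16-byte minimum key, MITM protection and LE Secure Connections required) are assumptions a deployment would choose.

```python
"""Decode BLE SMP Pairing Request/Response PDUs and check them against a
minimum-strength pairing policy. Added example; not from the article."""
from dataclasses import dataclass
from typing import List

# SMP opcodes (Bluetooth Core spec, Vol 3, Part H, 3.5.1 / 3.5.2).
SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

IO_CAPABILITY = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}

# AuthReq bit layout: bits 0-1 bonding flags, bit 2 MITM, bit 3 Secure Connections.
AUTHREQ_BONDING_MASK = 0x03
AUTHREQ_MITM = 0x04
AUTHREQ_SC = 0x08


@dataclass
class PairingPdu:
    code: int
    io_capability: str
    oob_present: bool
    bonding: bool
    mitm: bool
    secure_connections: bool
    max_enc_key_size: int


def parse_pairing_pdu(pdu: bytes) -> PairingPdu:
    """Parse the 7-byte Pairing Request / Pairing Response layout:
    code, IO capability, OOB flag, AuthReq, max key size, init/resp key dist."""
    if len(pdu) != 7:
        raise ValueError(f"expected 7-byte pairing PDU, got {len(pdu)} bytes")
    code = pdu[0]
    if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError(f"not a pairing request/response: opcode 0x{code:02x}")
    authreq = pdu[3]
    return PairingPdu(
        code=code,
        io_capability=IO_CAPABILITY.get(pdu[1], f"reserved(0x{pdu[1]:02x})"),
        oob_present=(pdu[2] == 0x01),
        bonding=(authreq & AUTHREQ_BONDING_MASK) == 0x01,
        mitm=bool(authreq & AUTHREQ_MITM),
        secure_connections=bool(authreq & AUTHREQ_SC),
        max_enc_key_size=pdu[4],
    )


def check_policy(pdu: PairingPdu, min_key_size: int = 16,
                 require_mitm: bool = True, require_sc: bool = True) -> List[str]:
    """Return a list of policy findings; an empty list means the PDU is acceptable.
    The defaults are assumed thresholds, not values from the article."""
    findings = []
    if not 7 <= pdu.max_enc_key_size <= 16:
        findings.append(f"key size {pdu.max_enc_key_size} outside spec range 7..16")
    elif pdu.max_enc_key_size < min_key_size:
        findings.append(
            f"key size {pdu.max_enc_key_size} bytes below policy minimum {min_key_size}")
    if require_mitm and not pdu.mitm:
        findings.append("MITM protection not requested (Just Works pairing)")
    if require_sc and not pdu.secure_connections:
        findings.append("LE Secure Connections not requested (legacy pairing)")
    return findings


# Constructed sample PDUs (not captured from any real device).
# Weak: NoInputNoOutput, bonding only, 7-byte key, legacy pairing.
WEAK_REQUEST = bytes([SMP_PAIRING_REQUEST, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])
# Strong: DisplayYesNo, bonding + MITM + SC, 16-byte key.
STRONG_RESPONSE = bytes([SMP_PAIRING_RESPONSE, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])


def audit(pdu_bytes: bytes) -> List[str]:
    """Parse then evaluate a raw PDU under the default policy."""
    return check_policy(parse_pairing_pdu(pdu_bytes))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_REQUEST), ("strong", STRONG_RESPONSE)):
        print(label, parse_pairing_pdu(raw))
        for finding in audit(raw) or ["OK"]:
            print("  ", finding)
```

A host stack or a capture-analysis tool can run the same check over pairing PDUs seen on the air; anything that negotiates below a full 16-byte key, or without MITM protection, is the kind of exchange an operator should treat as a weak bond rather than a trusted one.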
The threat of key hijacking and the immediate incompatibility with the latest version of iOS will surely generate additional user resistance to BLE-based keys. The threat also helps explain why Apple and rival key maker Yubico have long declined to support BLE.