August 17, 2019 News Magazine

Google recalls its Bluetooth Titan Security Keys because of a security bug

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by having their own device masquerade as your security key and connect to your device when you press the button on the key. Having done this, the attackers can then change their device to look like a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at exactly the right time, and the attacker must already know your credentials. A persistent attacker could still make that work.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvard wrote when Google launched its Titan keys.


Source: TechCrunch
