Google's 2FA keys can be hacked due to Bluetooth config borkage


Google noted that the bug doesn't impact the primary function of its Titan Security Keys, which is to prevent phishing.

Google yesterday announced that it will be offering free replacement to customers in the United States who purchased Google's Bluetooth Low Energy (BLE) version of the Titan Security Key.

But even if your Titan Security Key has the bug, don't stop using it while waiting for a replacement.

In addition, when a device owner presses the activation button on the Titan Security Key to sign into an online account, a nearby attacker can also authorize a rogue device to access that account, as long as the attacker also has a valid password.

There's also a scenario in which a nearby attacker could spoof a key and connect to the victim's device at the moment the key button is pressed.

This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account.

Titan is Google's name for its family of hardware security keys that provide two-factor authentication (2FA) for web users. The company warned that if you're using the security key's Bluetooth pairing, you should make sure you're in a private place where a potential attacker couldn't be within 30 feet. "After that, [the hacker] could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device", Brand said. To check whether your device needs to be replaced, look for a letter and number combo on the back of the key near the bottom. One easy way to tell if you're affected is to check whether your Bluetooth key says "T1" or "T2" on the back.

"It is much safer to use the affected key instead of no key at all", Christiaan Brand, Google Cloud's product manager, said in the company's post about the bug.

Not all Titan Security Keys have the bug, which Google says is due to a misconfiguration in the key's Bluetooth pairing protocols. Security keys that use USB or Near Field Communication are unaffected.

Hackers could then connect their device and take advantage of the two-factor authentication offered by the Titan key, or masquerade their device as your key and connect to your laptop. As a result of this discovery, Google is offering replacement keys via this website. Also, immediately unpair the key after you have used it to sign in.

Google's Titan-branded keys are only sold in the US. Google has more specific instructions for iOS and Android devices, which you can read here. If you are already signed into your Google Account on your iOS device, do not sign out because you won't be able to sign in again until you get a new key.

Users of iOS 12.3 "will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key". Note that you can continue to sign into your Google Account on non-iOS devices. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually.