Tuesday, 14 May 2019 18:29

Google warns Bluetooth Titan security keys can be hijacked by nearby hackers

Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

A misconfiguration in the key’s Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it’s paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.

The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. In addition to the account password entered by the user, the key provides secondary “cryptographic assertions” that are just about impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are unaffected.

The attack described by Brand involves hijacking the pairing process when an attacker within 30 feet carries out a series of events in close coordination:

For the account takeover to succeed, the attacker would also have to know the target’s username and password.

To tell if a Titan key is vulnerable, check the back of the device. If it has a “T1” or ”T2,” it’s susceptible to the attack and is eligible for a free replacement. Brand said that security keys continued to represent one of the most meaningful ways to protect accounts and advised that people continue to use the keys while waiting for a new one. Titan security keys sell for $50 in the Google Store.

While people wait for a replacement, Brand recommended that users use keys in a private place that’s not within 30 feet of a potential attacker. After signing in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won’t have to do it manually.

Brand said that iOS 12.3, which Apple started rolling out on Monday, won’t work with vulnerable security keys. This has the unfortunate result of locking people out of their Google accounts if they sign out. Brand recommended people not sign out of their account. A good safety measure would be to use a backup authenticator app, at least until a new key arrives, or to skip Brand’s advice and simply use an authenticator app as the primary means of two-factor authentication.

This episode is unfortunate since, as Broad notes, physical security keys remain the strongest protection currently available against phishing and other types of account takeovers. Wednesday’s disclosure prompted social media pile-ons from critics of Bluetooth for security-sensitive functions.

Like, what kind of idiot protocol lets users negotiate a “maximum key size” that can be as small as 1 byte. (A default that, fortunately, should be higher in recent versions.) pic.twitter.com/7yFJqaMJLI

— Matthew Green (@matthew_d_green) May 15, 2019

The threat of having the key hijacked and the current incompatibility with the latest release of iOS are sure to generate further user resistance to using the BLE-based keys. The threat also helps explain why Apple and alternative key maker Yubico have long refused to support BLE-enabled keys.