Security flaw found in Google's Titan Security Keys

Google Titan's Bluetooth Security Key Can Be Used to Hack Paired Devices

According to Google, a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols" allowed an attacker within about 30 feet to communicate with both the security key and the device with which the key was pairing at the moment the key was activated.

"This security issue does not affect the primary goal of security keys, which is to protect you against phishing by a remote attacker", said Google Cloud product manager Christiaan Brand in a blog post, noting that even flawed security keys are better than giving up on two-step authentication. This only affects Titan Security Keys with Bluetooth capabilities. In addition to the account password entered by the user, the key provides secondary "cryptographic assertions" that are just about impossible for attackers to guess or phish. If you see "T1" or "T2", then your key is impacted and you are eligible for a free replacement.

"However, there is no such thing as flawless technology, so I'm glad Google is taking the initiative and recalling these keys". The same keys are sold in other countries under their original Feitian brand.

You can obtain a replacement by heading to google.com/replacemykey. Google recommends using your affected key to sign in one last time from a secure space where no one is within 30 feet, and then immediately unpairing it.

If you've got a Titan Security Bundle from Google, you might have to replace the wireless Bluetooth/NFC keyfob device that came as part of the package. After that, an attacker could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

Two Security Keys are required to enroll so that you'll have a backup key in case you lose your main key.

Google will replace the keys for Titan Security Key users, while Feitian will do the same for users who use non-Google-branded security keys. The company published the following advice for owners of faulty Bluetooth-powered Titan security keys until replacements arrive. Due to a misconfiguration in the Bluetooth pairing protocols, an attacker physically close to the key can (a) communicate with your security key, or (b) communicate with the device to which your key is paired. Users who are not already signed in to their Google Account on the iOS device and are locked out can use the available instructions to get back into their accounts.

Brand said that iOS 12.3, which Apple started rolling out on Monday, won't work with vulnerable security keys.

Once you update to iOS 12.3, your affected security key will no longer work. Google is also still recommending that people use the keys in their current state as some protection is better than none.

You can request a replacement by heading over to a website Google has set up for this specific issue, and if you're logged into your Google account when you visit it, it'll even automatically check to see if any affected keys are associated with your account. This has the unfortunate result of locking people out of their Google accounts if they sign out.

In normal operation, you'd first register your BLE-enabled Titan key with the web service you're using, generating a secret that is stored on the key.
