Google Discloses Bluetooth Flaw in Titan Security Key, Issues Recall

Google disclosed a local proximity vulnerability impacting Bluetooth Low Energy (BLE) Titan Security Keys sold in the U.S. stemming from a "misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols."

According to the BLE Titan Security Key store page, "Titan Security Keys help prevent phishing and keep out anyone who shouldn’t have access to your online accounts. Security keys are the same level of security used internally at Google."

Google Cloud Product Manager Christiaan Brand says in the vulnerability announcement that non-Bluetooth security keys — such as USB or NFC — are not affected by the software flaw.

As the company states, potential attackers who manage to get within Bluetooth range — roughly 30 feet — while the security key is used can communicate with both the security key and the device to which it is paired.

Google also announced that for the pairing protocol misconfiguration to be abused, would-be attackers would have to align their actions very precisely with a series of events:

  • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
  • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

Considering the very slim chance of such an attack and the fact that this "security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker", the company advises BLE-enabled Titan Security Key users to continue using the devices.

Doing this will ensure that they would not have to either disable "security key-based two-step verification (2SV) on your Google Account or downgrade to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device)."

Google says that all users of vulnerable Titan Security Keys with a T1 or T2 code on the back will get free replacements by visiting google.com/replacemykey:

This issue affects the BLE version of Titan Security Keys. To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement.

The company also provided a number of steps designed to let users of the BLE version of Titan Security Keys on iOS (12.2 or earlier) and Android devices minimize the security risks until they receive their replacement security keys.

According to Google, Android and iOS users should use the "affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet)." Immediately after, they should unpair the security key [Android, iOS].

Users of iOS 12.3 "will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key." If they are not already signed into their Google Account on the iOS device and are locked out, they can use the instructions Google links to in the announcement to get back into their accounts.

Users of "Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond" will be able to use their vulnerable BLE Titan Security Keys unencumbered, since the keys will be unpaired automatically.
