We have come full circle: Google, which first touted its Titan Security Keys as the secret ingredient behind why the search giant's employees never fell for phishing, now ships a key that is very much vulnerable to hijacking, at least in its BLE (Bluetooth Low Energy) version. Google was selling its Titan Security Keys, but the search giant is now encouraging users to ask for a replacement, a newer version that cannot be hijacked by a nearby person. The flaw is due to a hardware misconfiguration that can only be corrected by replacing the hardware.
The problem with the BLE version of the Titan Security Key is its capability to communicate with its paired device even at a distance of 30 feet. Christiaan Brand, Google's Product Manager for the Google Cloud team, posted an official blog explaining the full story of the problem. “An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly,” explained Brand.
An attacker within the 30-meter range can also pretend to connect with the security key, reaching the device fast enough to take control of the security key's functionality. Any Bluetooth device can be the first to connect to the security key, including a Bluetooth keyboard, and that is enough to reprogram the key in the process, all without the user knowing it. “On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3,” added Brand.
Google is advising Titan Security Key users to connect to the BLE version of the device as quickly as possible, in order to prevent someone else within the 30-foot vicinity from taking over the device. It is then prudent to unpair the key once it has been used to sign in to the Google account. Android devices with the June 2019 Security Patch Level automatically unpair all paired Bluetooth devices. This calls into question the need for a USB security key with BLE support at all: it seems to be there purely for convenience, and it only diminishes the security level that the USB key provides.
Matthew Green, a renowned security researcher, has likewise advised everyone never to depend on Bluetooth protocols to secure any device. Bluetooth is by design built not for security but for convenience of communication, with its use of the Base64 encoding algorithm. “Like what kind of idiot protocol lets users negotiate a ‘maximum key size’ that can be as small as 1 byte. A default that, unfortunately, should be higher in recent versions,” explained Green.