Google’s Titan Security Key has been found to contain a security flaw. The Bluetooth versions of the security keys have a misconfigured Bluetooth pairing protocol. This allows attackers to bypass encryption and take over user accounts.

Google disclosed the flaw itself, writes Cloud Pro. When users try to log in, they must press a button on the Bluetooth key to verify the login attempt. It has now been discovered that immediately after that button press, attackers have a brief moment to connect their own device to the key. This can result in the attackers logging into users’ accounts via their own devices. To do this, they must already have the user’s e-mail address and password.

The Titan Security Key acts as an additional authentication step and is linked to a user’s device, such as a phone or laptop, via Bluetooth. A flaw in that connection means that attackers can make the phone or laptop think that the attackers’ own device is the security key. If this succeeds, attackers can bypass the authentication process and make changes to the devices of the targeted end users.

Replacement

Google has promised to offer replacement keys. The Titan Security Key has been sold to consumers since August last year. At the time, Google still called this the “strongest, most phishing resistant method of two-step verification on the market”.

Google further states that the security keys still work and still offer multifactor authentication based on a FIDO standard that is stronger than regular two-step verification. However, users who want a new version without the vulnerability do not have to pay the usual $50 for it.

“The error only affects pairing via Bluetooth. Security keys without Bluetooth are therefore not vulnerable,” says Christiaan Brand, product manager at Google Cloud. “Current Bluetooth Titan Security Keys users should continue to use their existing keys while they wait for replacement, as security keys provide the strongest protection against phishing.”

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.