Where Your Speech Is Free And Your Comment Is King - Post A Link


Screenshot Wired.com
VOTE  (0)  (0)

Google Recalls Titan Security Key Over a Bluetooth Flaw

Added 05-15-19 03:06:02pm EST - “Google will replace any Titan BLE branded security key, after disclosing that a nearby attacker could use it to compromise your accounts.” - Wired.com


Posted By TheNewsCommenter: From Wired.com: “Google Recalls Titan Security Key Over a Bluetooth Flaw”. Below is an excerpt from the article.

As part of its expanded anti-phishing and account security measures, Google offers extensive support for physical authentication tokens. In a surprising setback, though, the company announced today that it has discovered a vulnerability in the Bluetooth version of its own Titan Security Key—which pairs to devices through the wireless Bluetooth Low Energy protocol, rather than through NFC or physical insertion into a port.

Google began selling the Titan-branded keys last August, outsourcing the hardware from Chinese manufacturer Feitian while managing the cryptographic keys itself. Anyone can use the dongles with their Google accounts for an extra layer of protection, but they're especially favored by users at particular risk of having their accounts targeted by attackers, like public figures, human rights activists, and political dissidents. Google specifically recommends the BLE dongles for its Advanced Protection Program, which offers even more aggressive account protections. In other words, the people most affected by the bug are the ones most concerned about their security.

The "misconfiguration," as Google calls it, would allow an attacker who gets within 30 feet of someone using a security key to communicate with that key, or with the device the key is paired to. That makes it a difficult vulnerability to exploit. In addition to the physical proximity, an attacker would need to quickly connect their own device to a dongle in the seconds that a target initiates the pairing process.

If successful, though, an attacker that already had the target's username and password could then sign into the victim's Google account on her own device. Additionally, once the attacker paired to the target's Bluetooth key, Google suggests that she could also pull a sort of bait-and-switch as the victim attempts again to connect a device to their Bluetooth dongle. With the right timing, she could trick the victim's laptop, for instance, into pairing with her own Bluetooth dongle rather than the Titan key, thus gaining access to both a user's Google account and that computer.

"Bluetooth is easy to misconfigure," says Johns Hopkins University cryptographer Matthew Green. "And there are legacy versions of Bluetooth that are actively insecure, but might be supported in some devices."


Post a comment.