Titan — the physical security Google rolled out last year — was built to “protect high-value users.” Now those users who bought in on Titan are all eligible for free replacements of this device suite after the company discovered a vulnerability in the way it operates.
Titan, and competitor products that preceded it like the YubiKey or Feitan ePass, work to limit would-be hackers from accessing a given computer through physical proximity.
Unlike SMS two-factor authentification (2fa), which is vulnerable to countermeasures like SIM swapping, without possession of the key, obtaining access to the target account is extremely difficult.
Where Titan distinguished itself, however, was adding Bluetooth functionality — essentially giving the option to use the key from within around 9.14m. This proved to be a problem, as Google wrote:
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 9.14m — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.
Lots of things have to line up just right for this exploit to be effective, and Google is not aware of this exploit being used to gain access to user data in the wild. But what makes this all a bit embarrassing is that the market leader in physical 2fa devices, YubiCo, expressed concerns over this exact sort of issue when Titan was first announced.
“Google’s offering includes a Bluetooth (BLE) capable key,” YubiCo CEO Stina Ehrensvard wrote last July. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability.”
These concerns were also shared by researchers prior to Titan’s launch.
A Google spokesperson told Gizmodo that it was aware of the potential flaws in Bluetooth but that the benefits for devices without physical USB ports outweighed the potential exposure. The company first learned of the vulnerability via a coordinated disclosure from Microsoft Research.
The company is chalking the vulnerability up to a “misconfiguration” in the key’s pairing protocols but couldn’t share more about how it’s being patched.
Let’s say you’re one of the folks who decided to purchase a Titan key set: if the Bluetooth dongle has “T1" or “T2" printed on the case, well, you can get a new one for free — and you probably should.
While you wait, Google advises you to continue using Titan because this highly specific exploit “does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker,” and because using a physical 2fa device with the disclosed issue is still better than using none at all.