Security flaw found in Google's "most secure" account authenticator

person on google homepage on mobile and desktop

A misconfigured Bluetooth pairing protocol in Google's Titan security keys could allow attackers to bypass encryption and hijack user accounts, the firm has revealed.

Google has said it will start offering replacements of what it once called the "strongest, most phishing resistant method of two-step verification (2SV) on the market today", following the discovery of the flaw which exposes account information to those within Bluetooth range.

The company has assured customers that the keys, the technology for which was first launched in 2017, would still do their job and provide multi-factor authentication built to a FIDO-standard that's stronger than regular 2SV, but that the $50 cost would be waived if they wanted a replacement unit.

"This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected," said Christiaan Brand, product manager, Google Cloud. "Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing."

When attempting an account sign-in, a Titan user is required to press a button on the Bluetooth key to authenticate the log-in attempt. It was discovered that immediately after this button press, attackers have a narrow window to connect their own device to the security key, which could result in the attacker logging into the user's account from their device, provided they already had said user's email and password.

Titan keys work by acting as another authentication step and are linked with a user's device, such as a phone or laptop, via a Bluetooth connection. A flaw in this connection means that an attacker could trick the phone or laptop into thinking the attacker's own device is the security key. If this is achieved, the attacker could bypass the authentication process and start to make changes to the user's device by mimicking an external keyboard and mouse.

It could be argued that a situation where an attacker that has your account credentials, knows you use a Titan key and is within 30m of your location would be unlikely to occur, but it's still serious enough to prompt Google into taking action by replacing all affected keys. Others are less sceptical, though.

"The fact you must be within 30 feet of the security key isn't an issue, especially when you consider how fast compiled and scripted software can run," said Mark Miller, director of enterprise security support at Venafi. "In addition, lots of people conduct business in public places like coffee shops and airports, so connecting a dongle to a device isn't that farfetched."

"From a technology perspective, these keys are amazing; they make security a lot easier to consume", he added. "However, there is no such thing as perfect technology, so I'm glad Google is taking the initiative and recalling these keys."

Most recently, Google announced that a new form of its Titan Security keys would be made available to all Android phones running Android 7.0 or later, with its line of Pixel phones getting a slightly more secure version too.

The phone as a security key (PaaSK) standard was announced at Google Cloud next 2019 and instead of having an external Titan Security key to hand, all that would be required is to unlock your Google account-linked Android device and press a button to approve the log-in in real time.

The Titan key was originally introduced to combat phishing attempts that exploited vulnerable 2SV methods such as confirmation codes delivered by texts - a method of communication that can be hijacked with relative ease.

In other Google news, a privacy flaw was found in Google Pay's settings on Wednesday. Optional settings regarding a user's ability to share their creditworthiness, personal information or Google Pay account information were hidden behind a special URL and not directly through the Google Pay account settings page.

Google has since attributed this error to fault left over from an update and has now fixed it so that the three privacy settings now appear as normal.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.