Security flaw found in Google's "most secure" account authenticator

Google has said it will replace vulnerable Titan Keys for free

A misconfigured Bluetooth pairing protocol in Google's Titan security keys could allow attackers to bypass encryption and hijack user accounts, the firm has revealed.

Google has said it will start offering replacements of what it once called the "strongest, most phishing resistant method of two-step verification (2SV) on the market today", following the discovery of a flaw that exposes account information to anyone within Bluetooth range.


The company has assured customers that the keys, the technology for which was first launched in 2017, would still do their job and provide multi-factor authentication built to the FIDO standard, which is stronger than regular 2SV, but that the $50 cost would be waived if they wanted a replacement unit.

"This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected," said Christiaan Brand, product manager, Google Cloud. "Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing."

When attempting an account sign-in, a Titan user is required to press a button on the Bluetooth key to authenticate the log-in attempt. It was discovered that immediately after this button press, attackers have a narrow window to connect their own device to the security key, which could result in the attacker logging into the user's account from their device, provided they already had said user's email and password.


Titan keys work by acting as another authentication step and are linked with a user's device, such as a phone or laptop, via a Bluetooth connection. A flaw in this connection means that an attacker could trick the phone or laptop into thinking the attacker's own device is the security key. If this is achieved, the attacker could bypass the authentication process and start to make changes to the user's device by mimicking an external keyboard and mouse.

It could be argued that a situation where an attacker who has your account credentials, knows you use a Titan key and is within 30m of you would be unlikely to occur, but it is still serious enough to prompt Google into taking action by replacing all affected keys. Others are less sceptical, though.

"The fact you must be within 30 feet of the security key isn't an issue, especially when you consider how fast compiled and scripted software can run," said Mark Miller, director of enterprise security support at Venafi. "In addition, lots of people conduct business in public places like coffee shops and airports, so connecting a dongle to a device isn't that farfetched."


"From a technology perspective, these keys are amazing; they make security a lot easier to consume", he added. "However, there is no such thing as perfect technology, so I'm glad Google is taking the initiative and recalling these keys."

Most recently, Google announced that a new form of its Titan Security Key would be made available to all Android phones running Android 7.0 or later, with its line of Pixel phones getting a slightly more secure version too.

The phone as a security key (PaaSK) standard was announced at Google Cloud Next 2019. Instead of having an external Titan Security Key to hand, all that would be required is to unlock your Google account-linked Android device and press a button to approve the log-in in real time.

The Titan key was originally introduced to combat phishing attempts that exploited vulnerable 2SV methods such as confirmation codes delivered by texts - a method of communication that can be hijacked with relative ease.


In other Google news, a privacy flaw was found in Google Pay's settings on Wednesday. Optional settings regarding a user's ability to share their creditworthiness, personal information or Google Pay account information were hidden behind a special URL and not directly through the Google Pay account settings page.

Google has since attributed this error to a fault left over from an update and has now fixed it, so that the three privacy settings appear as normal.
