A security bug in Google’s Titan Security Key which can potentially allow fraudsters located nearby to bypass the security provided by the key. While the company provided a replacement key for free to all the already existing users, it blamed a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” for the security bug.
Although the defected keys are reported to be still protecting against phishing attacks, the company decided to provide a replacement key regardless. The affected keys include all those which are sold in packages priced a $50; it also includes a usual NFC/USB key.
In order to exploit the security bug, the fraudsters need to in a Bluetooth range of around 30 feet, he is supposed to act promptly as the victim activates the key by pressing the button, then the fraudsters can employ falsely configured protocol to intercept your device’s connection to the key and connect theirs instead. Then given, they would be having access to your username and password, they would be able to log in to the victim’s account.
Google has given students to ensure that the bug does not intercept the security key’s ultimate purpose that is to provide security against phishing attacks; Google also urged the users worldwide to keep utilizing the keys until a replacement is provided.
In an announcement, the company said, “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,”
Around the time when Google launched its Titan keys, Stina Ehrensvärd, Yubico founder, wrote, “While Yubico previously initiated the development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,”
Source: E Hacking news
Security Bug Discovered in Google’s Titan Security keys, Provides Free Replacement