As part of its expanded anti-phishing and account security measures, Google offers extensive support for physical authentication tokens. In a surprising setback, though, the company announced today that it has discovered a vulnerability in the Bluetooth version of its own Titan Security Key—which pairs to devices through the wireless Bluetooth Low Energy protocol, rather than through NFC or physical insertion into a port.
Google began selling the Titan-branded keys last August, sourcing the hardware from Chinese manufacturer Feitian while managing the cryptographic keys itself. Anyone can use the dongles with their Google accounts for an extra layer of protection, but they’re especially favored by users at particular risk of having their accounts targeted by attackers, like public figures, human rights activists, and political dissidents. Google specifically recommends the BLE dongles for its Advanced Protection Program, which offers even more aggressive account protections. In other words, the people most affected by the bug are the ones most concerned about their security.
The “misconfiguration,” as Google calls it, would allow an attacker who gets within 30 feet of someone using a security key to communicate with that key, or with the device the key is paired to. That proximity requirement alone makes it a difficult vulnerability to exploit. On top of it, an attacker would need to connect their own device to the dongle within the few seconds in which the target initiates the pairing process.
If successful, though, an attacker who already had the target’s username and password could then sign into the victim’s Google account from her own device. Additionally, once the attacker had paired to the target’s Bluetooth key, Google suggests that she could also pull a sort of bait-and-switch when the victim next attempts to connect a device to the Bluetooth dongle. With the right timing, she could trick the victim’s laptop, for instance, into pairing with her own Bluetooth dongle rather than the Titan key, thus gaining access to both the user’s Google account and that computer.
“Bluetooth is easy to misconfigure,” says Johns Hopkins University cryptographer Matthew Green. “And there are legacy versions of Bluetooth that are actively insecure, but might be supported in some devices.”
Those possibilities make this a serious enough bug that Google will replace any Titan-branded BLE security key that is linked to a Google account. Google says that researchers at Microsoft notified the company about the issue. The company is sending emails today to potentially affected users.
Google points out, though, that using any second-factor authentication token is still much more protective than not using one. After all, without that extra layer of defense, an attacker who already has the username and password for a victim’s Google account wouldn’t need to do any fancy hacking to gain access. Google also notes that the bug doesn’t affect physical authentication tokens that don’t use BLE.
Initially, Google said it would replace Titan-branded keys marked “T1” and “T2” on the back. But the company told WIRED that it will also replace other Feitian keys—even those without the Titan branding—that have been associated with Google accounts if the user got the key from Google or was directed to buy it by Google. Feitian did not return a request for comment by publication, but Feitian-branded BLE dongles with a “3” on the back are also vulnerable.
If you’re using physical authentication tokens, don’t let this deter you. Just get a replacement Bluetooth dongle from Google while you can.