After a pompous launch last July, Google announced today that it will replace Titan security keys due to a vulnerability the company discovered in the keys' Bluetooth pairing process.
Google said the security flaw is extremely dangerous, as it allows attackers to gain access to, and possibly take over, users' devices, and even log into users' accounts.
All users who own Titan security keys that can pair (connect) with a device via Bluetooth are now eligible for a free replacement.
Titan security keys without Bluetooth capabilities are not affected, such as those that work via NFC or USB.
On the other hand, owners of Bluetooth-capable Titan keys can access this page to see if their device is vulnerable and request a replacement. "If it has a 'T1' or 'T2' on the back of the key, your key is affected by the issue and is eligible for free replacement," Google said.
The security flaw
According to Google, the security flaw is due to "a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols."
This flaw can be exploited by an attacker who is physically present (within approximately 30 feet) of a Titan user, both when users are using the key normally and when they are first pairing it to their computer.
For example, when a user first pairs their Titan security key to their device, an attacker can exploit the flaw in the Bluetooth pairing protocol to hijack this process and also pair a rogue Bluetooth device to the user's computer. The attacker can later re-assign this rogue device as a Bluetooth keyboard, which they can then use to run malicious commands to hijack users' devices.
In addition, when a device owner presses the activation button on the Titan security key to sign into an online account, an attacker can also authorize a rogue device to access that account, as long as the attacker also has a valid password.
Google: users should continue using the keys
It is because of these reasons that Google is now replacing these keys. However, the company recommended that users do not stop using the keys until they get a replacement, as they still provide enhanced security compared to not using a security key at all.
"It is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device)," Google said.
Google announced the Titan security keys last July, and the keys have only been sold in the US. The company published the following advice for owners of faulty Bluetooth-powered Titan security keys, until replacements arrive.
On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you've used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.
Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are already signed into your Google Account on your iOS device, do not sign out because you won't be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices.
On Android and other devices:
We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you've used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.
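The attack described earlier in the article depends on an unexpected Bluetooth keyboard ending up paired with the user's computer, and Google's interim advice amounts to keeping the paired-device list clean by unpairing the key after each use. The following is an added example, not code from the ZDNet article or from Google: a small Python audit that parses records in the shape of BlueZ's `bluetoothctl info` output on a Linux host (an assumption, since the advice above targets iOS and Android, where no such tool exists) and flags any paired device whose Bluetooth Class of Device marks it as a keyboard but that is not on an allow-list of known peers. The device records, addresses and names are constructed for the example.

```python
"""Audit paired Bluetooth devices and flag unexpected keyboard (HID) peers.

Added example: parses text shaped like `bluetoothctl info` output (BlueZ on
Linux, an assumption) and reports paired devices whose Class of Device says
"keyboard" but that are not on an allow-list of known peers.
"""
import re
from dataclasses import dataclass, field

# Bluetooth Class of Device (CoD) layout: bits 2-7 minor class, bits 8-12 major
# class. For the "Peripheral" major class, bit 6 marks a keyboard and bit 7 a
# pointing device; both set means a keyboard/pointing combo.
MAJOR_PERIPHERAL = 0x05
PERIPHERAL_KEYBOARD_BIT = 0x40
PERIPHERAL_POINTING_BIT = 0x80

# Constructed sample records (not real devices). The security key has no
# Class line, as a BLE-only peer often reports none; the third record is a
# keyboard-class device hiding behind an innocuous name.
SAMPLE_INFO = """\
Device 11:22:33:44:55:66 (public)
\tName: Titan Security Key
\tPaired: yes
\tConnected: no
Device AA:BB:CC:DD:EE:01 (public)
\tName: Office Keyboard
\tClass: 0x00002540
\tPaired: yes
\tConnected: yes
Device DE:AD:BE:EF:00:01 (random)
\tName: BT Audio
\tClass: 0x00002540
\tPaired: yes
\tConnected: no
"""


@dataclass
class BtDevice:
    address: str
    props: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.props.get("Name", "")

    @property
    def cod(self):
        raw = self.props.get("Class")
        return int(raw, 16) if raw else None

    @property
    def paired(self) -> bool:
        return self.props.get("Paired") == "yes"


def parse_bluetoothctl_info(text: str) -> list:
    """Split concatenated `bluetoothctl info` records into BtDevice objects."""
    devices = []
    for line in text.splitlines():
        m = re.match(r"Device ([0-9A-Fa-f:]{17})", line)
        if m:
            devices.append(BtDevice(m.group(1).upper()))
            continue
        m = re.match(r"\s+(\w+): (.*)", line)
        if m and devices:
            devices[-1].props[m.group(1)] = m.group(2).strip()
    return devices


def hid_role(cod) -> str:
    """Classify a CoD value: keyboard, pointing, keyboard+pointing, peripheral, other."""
    if cod is None or (cod >> 8) & 0x1F != MAJOR_PERIPHERAL:
        return "other"
    kbd = bool(cod & PERIPHERAL_KEYBOARD_BIT)
    ptr = bool(cod & PERIPHERAL_POINTING_BIT)
    if kbd and ptr:
        return "keyboard+pointing"
    if kbd:
        return "keyboard"
    if ptr:
        return "pointing"
    return "peripheral"


def audit(devices: list, allowed_addresses: set) -> list:
    """Return (address, name, role) for paired keyboard-class peers not on the allow-list."""
    flagged = []
    for d in devices:
        if not d.paired:
            continue
        role = hid_role(d.cod)
        if role.startswith("keyboard") and d.address not in allowed_addresses:
            flagged.append((d.address, d.name, role))
    return flagged


if __name__ == "__main__":
    known = {"AA:BB:CC:DD:EE:01"}  # the keyboard the owner actually uses
    for addr, name, role in audit(parse_bluetoothctl_info(SAMPLE_INFO), known):
        print(f"unexpected {role} peer paired: {addr} ({name!r}); review and unpair")
```

On a real BlueZ host the input would come from running `bluetoothctl info` for each address listed by `bluetoothctl devices`, and a flagged peer can be unpaired with `bluetoothctl remove <address>`. The check is deliberately based on the Class of Device rather than the advertised name, because the attack the article describes re-assigns a rogue peer as a keyboard after pairing, so the name a user saw when pairing says nothing about what the device now claims to be.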
Original content at: www.zdnet.com…