If you’re using one of Google’s Titan Bluetooth Security Keys to sign into all your two-factor protected accounts, there’s good news and bad news. The bad news, as you can probably guess, is that Google has announced the discovery of a vulnerability that allows someone to potentially access to your accounts. The good news is Google identified the issue and will send you a free replacement that closes the loophole.
The Google Titan Bluetooth Security Key is a physical security token that, when paired with a phone or tablet, delivers one of the two passwords needed to unlock an account protected with two-factor authentication. It replaces the randomized password you might expect to receive from a two-factor authentication app or via text message. As many, including Google, rightly point out, using a physical token that automatically transmits these codes is far more secure than having a random password sent to your device.
According to Google’s Security Blog, Titan keys that use Bluetooth Low Energy architecture are exposed to attack during the Bluetooth pairing process. While pairing, an attacker can intercept the device’s signal from up to 30 feet away, allowing them to send data to the key and any device already paired with it. Technically, this could allow them to access your two-factor-protected device, so long as they sync their access with yours. It would take some real skills, but it is possible.
And because of that, Google has issued a recall of the affected Security Keys. (Google prefers to think of it a full-scale replacement rather than a “recall,” as they are not asking for the vulnerable keys to be returned). To check whether your device needs to be replaced, look for a letter and number combo on the back of the key near the bottom. If your key says “T1” or “T2,” the key is exposed and you should go to Google’s recall management site. You will need to sign into your Google account when you access the site to claim your replacement. (Google checks to see if you have a key synced to your account). If that isn’t possible, you can email Google directly at replacemykey@google.com. (To make sure things go smoothly, I’d recommend having a serial number and receipt handy).
Until your replacement key arrives, Google recommends all users avoid using the Titan in public places where someone may be able to get close and/or see when you’re using your key. If you have not connected your Titan to your Google account, Google recommends you do so, then immediately unpair it from your device. Google noted that the affected Titan keys will stop working if paired with Apple devices running iOS 12.3, and that Android devices will automatically unpair affected keys once they receive the June Security Patch.