Google uncovers Bluetooth vulnerability in Titan Security Key

When Google introduced the Titan Security Key at Cloud Next 2018 last August, the Mountain View company pitched the bundled FIDO (Fast Identity Online) keys as ironclad protections against data compromise. Ironically, it now appears that at least one of them became an attack enabler rather than a deterrent.

Google today said that it uncovered a flaw in the Bluetooth Low Energy (BLE) version of the Titan Security Key that could allow an attacker in close proximity (within about 30 feet) to communicate with the key or with the device to which the key is paired. There’s a narrow window of opportunity during account sign-in and setup, it says.

“When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it,” explained Google. “An attacker … can potentially connect their own device to your affected security key before your device connects [and] sign into your account … if [they] obtained your username and password. [Also,] before you can use your security key, it must be paired to your device. Once paired, an attacker … could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.”

For the uninitiated, the Titan Security Key is Google’s take on a FIDO key, a physical device used to authenticate logins over Bluetooth. Google stressed last year that the key is not meant to compete with other FIDO keys on the market, but instead is aimed at “customers who … trust Google.”

Google’s decision to support Bluetooth wasn’t without controversy. In a prescient statement following the Titan Security Key’s announcement, Yubico CEO Stina Ehrensvard said that it “does not provide the security assurance levels of NFC and USB” and that its battery and pairing requirements offer “a poor user experience.”

Google notes that the issue doesn’t affect the USB or NFC functions of the Titan Security Key nor the “primary purpose” of security keys. Indeed, it recommends using an affected key rather than turning off security key-based two-step verification or downgrading to less phishing-resistant methods. Still, it’s offering free replacement keys through the Google Play Store. (Impacted keys have a “T1” or “T2” etched into the back.)

In the meantime, Google recommends that users on Android and iOS (version 12.2) activate their affected security keys in “private place[s]” away from potential attackers and immediately unpair them after sign-in. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, and affected keys on iOS 12.3 will no longer work, Google says. iOS users who sign out of their Google accounts won’t be able to sign back in (without a workaround) until they secure a replacement key.

Content sourced from TNW
