Google has issued a security advisory for the Bluetooth Titan security key, which is serious enough that the company is offering free replacements. The company says a misconfiguration in the "Titan Security Key's Bluetooth pairing protocol" could potentially enable an attacker to gain access to an account or device.
The company informs that current news is in tune. Feitian, the company that makes Google's Titan key and sells keys under its own brand, today announced the same vulnerability and is offering replacements to its users.
Microsoft first discovered this vulnerability. Google has been leading the charge for two-factor authentication (2FA) for a long time, especially in pushing the Titan security key as a safer way to use 2FA than simply an authentication application (or, even worse, SMS).
Google describes two vulnerabilities. The first concerns authenticating a login: if an attacker is within 30 feet, inside Bluetooth Low Energy range, when you press the button, they can connect their own device to the security key. If they also have your password, they can access your account.
Second, an attacker can "attach to the device as an affected security key" and then do the same things that other Bluetooth devices can do. To do so, the attacker must be aware of this vulnerability, be able to exploit it in software, and run the attack.
A physical security key such as the Titan must meet a higher standard in order to maintain people's trust. Google will replace the key for free if it is marked T1 or T2. According to TechCrunch, Yubico's founder criticized Google's BLE keys as not as safe as USB or NFC.
Google's disclosure of the Bluetooth vulnerabilities does not affect the recently released feature that uses Android devices as actual security keys. That method does not rely on Bluetooth pairing in the same way as the Titan and Feitian keys.
If your Titan key is marked "T1" or "T2", you can get it replaced. Although it may seem obvious, these FIDO keys are designed, as a security measure, not to accept software upgrades. It's a good idea to keep using your security key while you wait for the replacement to arrive. It is still more secure than other 2FA methods, and absolutely safer than not using 2FA at all.