Google recalls all Titan Security Key hardware keys due to leak

Spread the love

Google is offering a replacement to all users of the Bluetooth version of its Titan Security Key, as it has identified a vulnerability that cannot be repaired. The vulnerability allows an attacker to connect the USB device to its own hardware.

The vulnerability is in the software that takes care of the Bluetooth pairing of the Titan, says Google. The moment users press the button to pair, an attacker who is within the bluetooth range of the USB device can pair it with their own hardware. If that attacker also has the user’s username and password, they can log in.

Also, an attacker can impersonate a Titan Security Key and pair with the user’s device, which can then log in as a bluetooth keyboard and do things on the device. The vulnerability has crept in due to a ‘misconfiguration’ of the pairing protocol. Hardware key users can go to a Google site to request a replacement.

That replacement is needed because the hardware key no longer works on iOS 12.3 and will be disabled on Android with the upcoming June patch. As a result, users can no longer access their account. It is unknown how many copies of the Titan Security Key are in circulation. Google has been selling the keys based on the FIDO standard since the summer of last year.

You might also like
Exit mobile version