Google warns that the Bluetooth security for the low energy version of Titan, which it sells for two-factor authentication, may be hijacked by nearby attackers. advice for users to get a free replacement device that solves the vulnerability.
Invalid configuration of the Bluetooth pairing protocols allows attackers to communicate with the key or the device with which they are paired within 30 feet of a message from Google Cloud Products Manager Christiaan Brand on Wednesday
Bluetooth devices are one of the low-cost security keys, which, as reported in Ars 201
The attack described by the manufacturer involves hijacking the mating process when the attacker closely coordinates a series of events within 30 feet:
- When you try to access your device account, you are usually asked to activate it by pressing the BLE button on the security key. An attacker in the near future can potentially connect his device to the affected security key while your device is connected. In such circumstances, an attacker may log in to your account using your device if the attacker has somehow received your username and password and was able to accurately execute these events.
- Before using a security key, it must be paired with your device. When paired, an attacker who is close to physical proximity would be able to use his device to become masked as your affected security key, and to connect to your device at the time the key is requested. They could then try to change their device to appear as a Bluetooth keyboard or mouse, and possibly take action on your device.
To be successful, an attacker should also know the destination username and password. 19659003] To find out if the Titan key is vulnerable, check the end of the device. If it has a T1 or T2, it can be attacked and can be replaced for free. The manufacturer said the safety keys continued to be one of the most important ways to protect the accounts and advised people to continue using the keys while waiting for new ones. Titan Security Keys sell at $ 50 for Google Store.
While people are waiting for a replacement, Brand has recommended users to use keys in a private location that does not exceed 30 feet from a potential attacker. Online users should log out the security key immediately. The Android update next month will automatically unblock the Bluetooth security keys, so users won't have to do it manually.
The manufacturer said that iOS 12.3, which Apple launched on Monday, will not work with vulnerable security keys. This results in an unfortunate result when people block their Google Accounts if they sign out. People recommended by the manufacturer do not sign from their account. A good security tool would be to use a backup authentication program, at least until a new key is available, or skip the branding tips and simply use the authentication program as the primary two-factor authentication tool
. As broad remarks, physical security keys remain the strongest current anti-phishing and other account-taking methods. Wednesday's Discovery triggered a bunch of social media from Bluetooth critics to security-sensitive features.
As with what type of idiot protocol allows users to negotiate a "maximum key size" that can be the same as 1 byte. (By default, it should be higher in the latest versions.) pic.twitter.com/7yFJqaMJLI
– Matthew Green (@matthew_d_green) 2019 May 15
that the key is hijacked, and the current incompatibility with the latest iOS release will surely ensure further user resistance through the BLE framework. The threat also helps explain why Apple and alternative key developers Yubico have long refused to support BLE.