SoylentNews

Fnord666 writes:

Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

A misconfiguration in the key's Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it's paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.

[...] To tell if a Titan key is vulnerable, check the back of the device. If it has a "T1" or "T2," it's susceptible to the attack and is eligible for a free replacement. Brand said that security keys continued to represent one of the most meaningful ways to protect accounts and advised that people continue to use the keys while waiting for a new one. Titan security keys sell for $50 in the Google Store.

While people wait for a replacement, Brand recommended that users use keys in a private place that's not within 30 feet of a potential attacker. After signing in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won't have to do it manually.

Source: ArsTechnica

[Note: Though it cautions about attackers within 30 feet (approximately 10 meters), the distance could be potentially much greater than that depending on the design of the antenna used by the attacker; cf an analogous technique described in How To Make a Wi-Fi Antenna Out Of a Pringles Can. --Ed.]

Original Submission