GOOGLE HAS STARTED replacing Bluetooth Titan Security Keys after it discovered that a bug in the USB devices can lead to PCs getting exploited by hackers in the vicinity.
The bug stems from a misconfiguration of the Titan Key's Bluetooth pairing protocol, which in normal use provides a quick way to verify security credentials by holding the key near to a phone or laptop.
But Google found that a hacker within 30 feet of a targeted key could hijack the pairing process when a person uses the Titan Key to log in to their online accounts.
"When you're trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects," Google's cloud product manager Christiaan Brand explained.
"In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly."
Brand also noted that once a security key is paired with a user's device, a hacker could use their Bluetooth device to masquerade as the security key and then connect to other devices at the moment a victim is asked to press the key's button.
The scope for attack seems slim given a hacker would need to be in the right place at the right time.
But Google isn't taking that risk and is replacing affected Titan Keys. It also suggested some mitigations, such as using the security keys in a private place and unpairing them after use; hardly the slickest of fixes.
It's also worth noting that such security keys are likely to be far more secure than simply sticking with easy-to-breach usernames and passwords, which could be snapped up on unsecured public Wi-Fi networks.