What you need to know
- This only affects the Bluetooth version of the Titan Key.
- Google is offering a free replacement for every user.
- The key will stop working with the iOS 12.3 update.
- The key will stop working with the June 2019 Security Patch for Android.
Google has issued an advisory for users of the Bluetooth version of its Titan Security Key that says they all need to be replaced due to a misconfiguration in the pairing protocol. Users of the affected keys have received an email with full details, but if you're unsure, the affected keys are marked T1 or T2 on the rear.
This flaw can enable an attacker who is within 30 feet of you while you're using the key to communicate with it or with the device it is paired to. As scary as that sounds, there is a very limited potential for abuse because for it to happen:
- The attacker already knows your username and password, and when you first pair the device they could connect after you press the pairing button, but before your device connects.
- After pairing, the attacker could masquerade as your key at the exact time you are using it to authenticate, then configure his or her device as a Bluetooth keyboard or mouse and have access to your phone.
Regardless, a flaw is a flaw, and when it comes to something like a two-factor authentication key, a prompt fix and replacement are in order. That's what Google is doing. If you use an iOS device with your key, it will stop working once you update to version 12.3. If you use an Android device with your key, it will stop working with the June 2019 Security Patch. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.
In the meantime, Google has some suggestions for you. First of all, do not disable two-factor authentication. Your backup method of authenticating will still work as it always did, and NFC/USB keys are not affected in any way. If you use one of the affected Bluetooth keys, always use it in a private place where nobody is within 30 feet of you, and once you've signed in to your device with it, unpair it through the device settings. If you need to use it again, re-pair it and unpair it when you're finished.
While the scenarios where an attacker could get access via this flaw are very specific, security is paramount. These keys need to be replaced right away, and it's great to see Google eating the loss instead of trying to work around it. If you use a Titan BLE key, be sure to get your free replacement and follow the safe practices outlined above in the meantime. Stay safe out there.