Oops: a security vulnerability in Google's Titan authentication key

How awkward. Google has warned that the Bluetooth version of its Titan security key is affected by a problem of… security. A flaw in the pairing protocol allows an attacker, placed not too far from his victim, to communicate with the key or with the device unlocked by the key.

The circumstances, however, will have to be very specific for the attacker to carry out his plan. Not only will he have to be close to the user (within approximately 9 metres) and have the account's username and password in his possession, he will also need a great sense of timing.

The manipulation must be performed just before the user presses the button on the key: in this window of time, the attacker is able to connect his machine to the key. The other scenario is for the attacker to pass his machine off as his victim's security key.

The flaw affects all Bluetooth versions of the Titan key (T1 and T2). Google, which retains full confidence in this two-factor authentication system, is offering to replace the key free of charge with a more robust version. The search engine specifies that the USB version is not affected (incidentally, the affected Bluetooth key has not been distributed in the United States).

The Bluetooth dongle no longer works as of iOS 12.3, which solved the issue. While waiting to receive the new, secure model, the search engine advises not to sign out of the Google account, otherwise it will be very difficult to sign in again before the new key arrives: the technical data sheet advises creating a new temporary password, but only if the user is part of the Advanced Protection Program. Otherwise, it is necessary to use a device other than the iPhone, such as an Android smartphone or a laptop.

For iOS 12.2 and earlier, Google recommends using the key in a secure place where no unknown individuals can be within 9 metres. After logging in to the account, the pairing with the key must be cancelled immediately.