Google has today disclosed a security flaw in its Bluetooth Titan Security Key, the hardware token it sells for two-factor authentication. The flaw could allow an attacker in close physical proximity to bypass the key's protection and connect their own device in its place.
Google says the flaw exists “due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” The company is offering a free replacement to everyone who owns an affected Bluetooth Titan key.
To exploit the flaw, an attacker has to be within roughly 30 feet of you, i.e. within Bluetooth range. In the short window between you pressing the button on the key to activate it and your sign-in completing, an attacker in range can pair their own device to the key instead of yours.
If the attacker acts quickly and has already obtained your username and password, they can use that pairing to sign in to your account from their own device.
The same flaw also lets an attacker “masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key.” Once the attacker's device is connected to yours, it can be used to perform actions on your device.
The bug doesn’t affect the primary purpose of the Google Titan Security Key, which is protection against phishing by a remote attacker: exploiting it requires both physical proximity and precise timing.
If your Google Titan Security Key has “T1” or “T2” printed on the back, it is affected and you are eligible for a free replacement. Affected users can request a replacement key by visiting this link.
In the meantime, Google has also published steps to minimize the risk from the flaw until a replacement arrives. You can read the steps here.