Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered

A pairing problem makes an account compromise possible, although improbable


Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers.

The Chocolate Factory on Wednesday advised customers with certain Bluetooth Low-Energy (BLE) versions of Titan Security Keys – marked T1 and T2 on the key back – to return them for a replacement. Sales of the new keys ($50 and tax) has now been restarted with secure hardware.

But there's no charge for the replacement. Google's web form asks for a credit card number but adds a promo code discount that brings the net cost to zero.

Feitian Technologies BLE security keys – sold for Google's Advanced Protection Program prior to the Titan-branded models – share this flaw and are also eligible for replacement. USB and NFC keys are not affected.

Redmond lends a hand (and a side of schadenfreude)

Microsoft, the subject of more than a few vulnerability disclosures from Chocolate Factory researchers, alerted Google to the issue, which is down to a misconfiguration in the way the keys handle Bluetooth pairing protocols.

The vulnerability is not easy to exploit. First the attacker has to be within 30 feet of the Titan Key user. In that situation, the attacker can attempt to connect a BLE device to the victim's key before the victim's device connects. If the attacker also knows the victim's username and password and can time the attack properly, then the account could be compromised.

There's also a scenario in which a nearby attacker could spoof a key and connect to the victim's device at the moment the key button is pressed. If successful, the attacker could attempt to convert the hostile device to a Bluetooth keyboard or mouse to direct input to the compromised device.

Frankly, an attacker might do better to grab the device in question and run.

key throw

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

READ MORE

"This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker," said Google Cloud product manager Christiaan Brand in a blog post, noting that even flawed security keys are better than giving up on two-step authentication.

To minimize potential risk – Google's Advanced Protection Program is intended specifically for those likely to be targeted by cyber attacks – Google is advising iOS and Android users to login to their devices in protected places where no attacker is likely to be nearby. And after logging into a Google Account, key holders are advised to unpair the key, repeating this process until a replacement model has been obtained.

iOS users who have updated to iOS 12.3, released on Monday, may have discovered that affected security keys no longer work. Google advises those with affected keys who have installed the update to remain logged in to their Google Accounts until a replacement arrives. Those already logged out have to follow account recovery instructions or use a non-iOS device to log in again.

Android users can look forward to the upcoming June 2019 Security Patch Level (SPL) to address the issue without account lockout concerns. ®

Broader topics


Other stories you might like

  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after Israel.tv's creators failed to show up to their hearings, and the judge ordered Israel-tv.com, Israel.tv and Sdarot.tv each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding Israel.tv in its piracy.

    Continue reading
  • Apple M1 chip contains hardware vulnerability that bypasses memory defense
    MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

    Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

    MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip's pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

    In a paper titled "PACMAN: Attacking Arm Pointer Authentication with Speculative Execution," Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed, to accelerate execution – to discern the pointer authentication code that allows pointer modification on a protected system.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading

Biting the hand that feeds IT © 1998–2022