Thursday, May 16, 2019

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” on the back. These keys sell for $50 in a package that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by having their own device masquerade as your security key and connect to your device when you press the button on the key. Having done this, the attacker can then change their device to look like a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at exactly the right time, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvärd wrote when Google launched its Titan keys.



from TechCrunch https://tcrn.ch/2Q4gKWF
