Google has posted a technical advisory stating that its Titan Security Keys are vulnerable to attack. Only the Bluetooth Low Energy (BLE) version of the two-factor authentication device is affected, and Google is offering free replacements for affected keys.
The other versions of the security keys are not affected, because the bug only comes into play during Bluetooth pairing. Google said in its blog that the vulnerability arises from a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” An attacker within a range of about 30 feet could potentially communicate with the key, or with the device the key has been paired with.
To check whether a key is affected, turn it over and look for ‘T1’ or ‘T2’ on the back. If either marking is present, the key is affected and can be replaced for free.
Until the keys are replaced, Google has also posted a few additional recommendations. iOS users running version 12.2 should sign in to their Google account in a “private place where a potential attacker is not within close physical proximity.” Once the sign-in is complete, the key should be unpaired. After the iOS 12.3 update, the affected security key will no longer work, so make sure you do not sign out of your account.
For Android and other devices, Google advises the same measures: sign in in a private place and then immediately unpair the key. Once the June 2019 Security Patch Level (SPL) arrives, all affected Bluetooth devices will be unpaired automatically.
Google stresses that even the affected Bluetooth Low Energy version of the Titan Security Key still offers better protection against phishing attacks than using no security key at all.