Google has confirmed that a vulnerability in the Bluetooth Low Energy (BLE) Titan Security Key, used to provide two-step verification for accessing Google accounts, means that some iOS users will find themselves locked out. Writing for the Google Security Blog, Christiaan Brand, a product manager at Google Cloud, yesterday disclosed that "due to a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key to communicate with your security key, or communicate with the device to which your key is paired."
The attacker would need to be within something like 30 feet and the chances of pulling off a successful attack are fairly limited. However, it would be possible for an attacker to sign into your account if they already had your username and password as well as being within close physical range. The Titan Security Keys are used by Google staff for internal access as well as being sold as hardware two-step verification devices to the public. Other security key vendors, such as Yubico, have not used Bluetooth due to the potential for such vulnerabilities. Brand insists that the security issue "does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker," and says it is "safer to use a key that has this issue, rather than turning off security key-based two-step verification on your Google Account."
Which keys are impacted?
USB and NFC security keys are not affected by the misconfiguration vulnerability. If you are using a BLE version of the Titan Security Key, you should check the reverse of the device and if it is marked T1 or T2 then it is affected and Google will issue a free replacement.
What's the problem with iOS 12.3?
While the Google advice for users of iOS 12.2 or earlier is to simply to use the key "in a private place where a potential attacker is not within close physical proximity" and then immediately unpair it, things are different if your device is running iOS 12.3 it would seem. Google has stated that such users will not be able to use the key to sign into a Google Account, or any other account protected by the key. What's more, Google confirms, "if you are already signed into your Google Account on your iOS device, do not sign out because you won't be able to sign in again until you get a new key." If you find yourself locked out of your account, Google has provided instructions here for getting access to it again.
The expert opinion
Nadir Izrael, CTO at security vendor Armis, says that Bluetooth is a complicated protocol and so he isn't surprised to see an issue like this emerge. "This vulnerability highlights the importance of testing to ensure there are no exposures or misconfigurations when implementing the Bluetooth protocol," Izrael warns, adding, "Google is a good organization focused on security, but if this got by them then imagine the issues facing the potential 10 to 12 billion other Bluetooth devices out there..."
