Google recalls some Titan security keys after it discovers Bluetooth flaw

Google is recalling some of its Titan Security Keys after it discovered that they could be hijacked by nearby hackers. 

A misconfiguration in the key’s Bluetooth pairing protocols made it possible for a hacker who is within 30 feet of the user to either communicate with the security key or the device it’s paired with, Google said on Wednesday.

The bug only affects the Bluetooth variant of Google’s Titan Security Keys, not the USB version.  


In order for the attack to work, the hacker would have to be nearby to you the moment you press the button on your key to turn it on. 

They’d also have to know your username and password.  

‘An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects,’ Christiaan Brand, a product manager at Google Cloud, said in a blog post. 

‘In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.’

Once connected, hackers could manipulate your device by changing their device to appear as a Bluetooth keyboard or mouse. 

To determine if a Titan Security Key is affected, Google said users can check the back of the device. 

If the key says ‘T1’ or ‘T2’, then it’s affected by the bug. 

Google is offering free replacement keys for users who are affected by the security flaw.  

The search giant began selling the Titan Security Key last July, offering the Bluetooth and USB versions as a bundle for $50, or $20 to $25 individually. 

Security keys add another layer of authentication to a user’s device, requiring users to have their physical key on their person in order to login to an account. 

This makes it difficult for hackers to target a user, since they won’t be able to login without the physical key. 

It’s the most robust form of defense against phishing, one of the most common attacks meant to steal your password, giving hackers access to your account and data.  

Google noted that the bug doesn’t impact the primary function of its Titan Security Keys, which is prevent phishing. 

‘Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),’ Brand added.    


Leave a Reply

Your email address will not be published. Required fields are marked *