In a Google Blog post published earlier this week, Christiaan Brand, Google Cloud’s product manager, urged all Titan Key owners to seek a free replacement.
The post comes days after Google announced that a major security breach had been identified. The statement spoke of a bug that allowed hackers to access and hijack the Titan physical keys if they stood within 30 feet of the owner. Titan Key owners can get a free replacement which contains the bug fix among other features.
How can someone hack a physical key?
The Titan security key is Google’s latest attempt to simply the two-step authentication process, while, at the same time, bolstering account privacy and security. This key would enable the owner to confirm his identity before granting him access to his account. Every time a login query is registered, the LED on the key would flash blue. Once the user presses the button, he’s granted access to his Google account.
Still, the device has to be paired with a Bluetooth-compatible device such as a smartphone or a tablet. On paper, it makes a lot of sense – by including a physical key, the user is spared the trouble of downloading another two-factor auth software or confirming his identity through other means such as the phone number.
However, the pairing process is what you might call the Achilles Heel of Google’s Titan Key. According to Brand’s post, anyone within 30 feet of your device can gain access to your Google accounts. The device they’re using masquerades as the Titan Key, which means that your device will be tricked into believing that you hit the button and will automatically log in. Moreover, according to the same post, the hijack attempt is virtually untraceable, as the hacking device can be disguised as a Bluetooth keyboard or mouse.
From there, the hacker can gain access to personal emails, e-wallets, or anything that may put one’s identity at risk. Since the BT key is designed to pair with your smartphone, it’s incapable of figuring out on its own the difference between a legit input from the user and a fraud attempt.
What should I do if I own a Titan Key?
In his blog post, Brand declared that all keys labeled T1 or T2 are prone to this type of exploitation. Check your model. If the back label reads T1 or T2, then you should go ahead and have it replaced as fast as possible. Another good way to prevent tampering would be to change your password. The general recommendation would be to generate a stronger password, using a combination of signs, symbols, or upper and lowercase letter since they’re much more difficult to break compared to traditional ones (spouse’s name, favorite movie, surname, etc.).
Does this mean that the Titan Key is unreliable?
Far from it. In fact, the physical key paired to a smartphone or device remains the safest way to access your online accounts. The main issue at hand is Google lacking hindsight in detecting a vulnerability that could have blown the entire project to Kingdom Come. Furthermore, according to Google Cloud’s product manager, the Titan Key has its own layers of protection, which makes phishing and password-guessing attempts impossible.
Yes, it is indeed a minor setback, but Google assures all Titan Key owners that the latest models can overcome this issue. Furthermore, Brand’s statement reveals that the bug has only been detected in Bluetooth physical keys, which means that those operate through Near Field Communication or USB. So, if you have one of those models, you needn’t bother to have them replaced.
Also, there’s some good news for Apple owners. With iOS 12.3 rolling out on Monday, the phones can automatically detect and bar compromised security keys. Unfortunately, as Brand pointed out, the device will be unable to recognize the legit physical key if the user signs out. So, if you have an Apple device, it would be a good idea to remain logged in for the time being.
Google’s Titan Key remains the single most secure option for ensuring that no one other than yourself has access to the accounts. What’s your take on the Titan Key’s vulnerability? Head to the comments section and let us know.