Tencent Technology News, May 16: according to foreign media reports, Google has disclosed two security vulnerabilities in its Bluetooth Titan security key and promised to replace affected keys for free.
Google says there is a misconfiguration in the Titan security key's Bluetooth pairing protocol that could allow hackers to break into a user's account or device, although only in a few specific (and particularly hard to pull off) scenarios.
Google said today's disclosure is a coordinated one, as Feitian, the manufacturer of the affected products, disclosed the same security vulnerabilities today and promised to offer replacements to its own users. Feitian produces Titan keys for Google and also sells keys under its own brand. Google said that Microsoft first discovered the vulnerability and reported its findings to Feitian.
Google has long been a leader in two-step verification (2FA). In particular, the company has been marketing its Titan security key as a more secure and easier-to-use form of 2FA than authenticator apps. Google has not been wrong about that, but given that the key's purpose is to provide a higher level of security, any potential security flaw in it draws a higher level of scrutiny.
Google disclosed two vulnerabilities. First, when the user presses the key's button to authenticate a login, a hacker within Bluetooth Low Energy range (about 10 meters) can connect their own device to the user's security key. If they also have the user's password, they can get into the account.
The second is that when the user pairs the key for the first time, the hacker can "pretend to be the affected security key and connect to the user's device", and then act on the user's device as any other Bluetooth device could, for example as a keyboard or mouse.
So a hacker would need to know about these vulnerabilities, have software that can exploit them, and carry out the attack at exactly the right moment. That is a series of unlikely events, but physical security keys like Titan need to meet a higher standard to earn people's trust.
The founders of Yubico, which makes online identity protection devices, have criticized Google for introducing BLE keys, arguing that such devices are not as secure as USB or NFC ones. The Titan Security Key Bluetooth vulnerability disclosed by Google does not affect the recently introduced ability to use Android phones as physical security keys; that method does not rely on Bluetooth pairing the way the Titan and Feitian keys do.
If the user's Titan key is marked "T1" or "T2", it is eligible for a free replacement. Google recommends that users continue using their security keys in the meantime, since they are still likely more secure than other two-step verification methods, and definitely more secure than not using two-step verification at all. (Tencent Technology Review / Jinlu)