Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is encouraging users to get a free replacement device that fixes the vulnerability.
A flaw in the key’s Bluetooth pairing protocol makes it possible for attackers within 30 feet to communicate with the key or with the device it is paired to, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.
The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the most effective way to prevent account takeovers on sites that support them. In addition to the account password entered by the user, the key provides a cryptographic assertion that is practically impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are not affected.
Brand describes the attack as a hijacking of the pairing process. It works when an attacker within 30 feet performs a series of events in close coordination:
- When trying to sign in to an account on your device, you are asked to press the button on your BLE security key to activate it. An attacker in physical proximity at that moment can potentially connect their own device to the affected security key before your own device connects. Under these circumstances, an attacker can sign in to your account using their own device, provided they have already obtained your username and password and can time these events correctly.
- Before you can use your security key, you must pair it with your device. Once paired, an attacker in physical proximity to you can use their device to impersonate the affected security key and connect to your device at the moment it asks you to press the button on your key. After that, they can attempt to change their device to appear as a Bluetooth keyboard or mouse and perform actions on your device.
For the account takeover to succeed, the attacker would also have to know the target’s username and password.
To tell if a Titan key is affected, check the back of the device. If it is marked “T1” or “T2,” it is susceptible to the attack and is eligible for a free replacement. Brand says that security keys continue to represent one of the most meaningful ways to protect accounts and recommends that people keep using their keys while waiting for a new one. Titan Security Keys sell for $50 in the Google Store.
While waiting for a replacement, Brand recommends that users use the keys in a private place that is not within 30 feet of a potential attacker. After signing in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won’t have to do it manually.
Brand said that iOS 12.3, which Apple started rolling out on Monday, will not work with the vulnerable security keys. This has the unfortunate consequence of locking people out of their Google accounts if they sign out. Brand advises people not to sign out of their accounts. A better option would be to use a backup authentication method, at least until the new key arrives, or to skip Brand’s tip and simply use the backup method as the primary form of two-factor authentication.
This situation is unfortunate since, as Brand notes, physical security keys are currently the strongest defense available against phishing and other forms of account hijacking. Wednesday’s announcement triggered a social media backlash from longstanding critics of Bluetooth’s security.
Like, what kind of stupid protocol allows users to negotiate a “maximum key size” that can be as small as 1 byte. (A default based, should be higher in recent versions.) pic.twitter.com/7yFJqaMJLI
— Matthew Green (@matthew_d_green) May 15, 2019
The threat of key hijacking and the current incompatibility with the latest release of iOS are sure to generate further user resistance to BLE-based keys. The threat also helps explain why Apple and rival key maker Yubico have long declined to support BLE-enabled keys.