Monday 3 June 2019, Poradnik bezpieczeństwa

Vulnerability in Google’s security keys

Lost24

Microsoft has detected a vulnerability in BLE (Bluetooth Low Energy) version of Titan Security Keys. Due to a high risk of attack, Google has offered free replacements of T1 or T2 variants of units.
The vulnerability is related to improper configuration of Bluetooth pairing protocols, and results in a person in near vicinity of the potential victim being able to easily access the key or the device with which it is paired.


The distance that allows for the attack is just over 9 meters. The attack can place in two ways:
-    When logging in to the account, as at this point users is asked to press a button on the BLE security key for activation purposes. During this stage, third party can connect their own device to the security key before it connects to the owner’s desired device.
-    During the pairing of the device. The attacker will try to change his device to be recognized as a Bluetooth keyboard or a mouse, thanks to which he will be able to take any desired action on the victim’s device.