NOT READY FOR PRIMETIME. —
Attackers can connect their own device to Bluetooth-enabled keys used for 2fa.
Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.
A misconfiguration in the key’s Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it’s paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.
The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. In addition to the account password entered by the user, the key provides secondary “cryptographic assertions” that are just about impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are unaffected.
The attack described by Brand involves hijacking the pairing process when an attacker within 30 feet carries out a series of events in close coordination:
- When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
- Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
For the account takeover to succeed, the attacker would also have to know the target’s username and password.
To tell if a Titan key is vulnerable, check the back of the device. If it has a “T1” or ”T2,” it’s susceptible to the attack and is eligible for a free replacement. Brand said that security keys continued to represent one of the most meaningful ways to protect accounts and advised that people continue to use the keys while waiting for a new one. Titan security keys sell for $50 in the Google Store.
While people wait for a replacement, Brand recommended that users use keys in a private place that’s not within 30 feet of a potential attacker. After signing in, users should immediately unpair the security key. An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won’t have to do it manually.
Brand said that iOS 12.3, which Apple started rolling out on Monday, won’t work with vulnerable security keys. This has the unfortunate result of locking people out of their Google accounts if they sign out. Brand recommended people not sign out of their account. A good safety measure would be to use a backup authenticator app, at least until a new key arrives, or to skip Brand’s advice and simply use an authenticator app as the primary means of two-factor authentication.
This episode is unfortunate since, as Broad notes, physical security keys remain the strongest protection currently available against phishing and other types of account takeovers. Wednesday’s disclosure prompted social media pile-ons from critics of Bluetooth for security-sensitive functions.
Like, what kind of idiot protocol lets users negotiate a “maximum key size” that can be as small as 1 byte. (A default that, fortunately, should be higher in recent versions.) pic.twitter.com/7yFJqaMJLI
— Matthew Green (@matthew_d_green) May 15, 2019
The threat of having the key hijacked and the current incompatibility with the latest release of iOS are sure to generate further user resistance to using the BLE-based keys. The threat also helps explain why Apple and alternative key maker Yubico have long refused to support BLE-enabled keys.