Google confirms a vulnerability in their TITAN security key

in #google6 years ago


Src

The security key Titan, the USB device from Google that allows you to log in without a password and prevent theft of credentials on your computer, it seems that it is not as safe as it was promoted.

Google has just reported that they have been forced to remove the Titan security key due to a bug that could allow an attacker near our network to circumvent the security of that key.

The Mountain View clarify that the error is due to a misconfiguration of the Bluetooth pairing protocols of the Titan security keys, although they clarify that the defective keys still protect against phishing attacks. In any case they are providing a totally free replacement security key to all affected users.

For the error to be exploited, an attacker would have to be within the range of Bluetooth that is usually about 9 or 10 m, and at the same time act very quickly and accurately. Attackers could use the improperly configured protocol to connect their own device to the key before it connects to the user's computer. With that, and assuming they would already have the victim's username and password, they could log in.


Src

The attacker could also exploit this error by using his own device and masking it as his security key. By doing this, attackers can change the device to be recognized as a keyboard or mouse, and thus control your computer.

In any case it is quite complicated that this can happen, given that the attacker must know the credentials and be quite agile about it, but obviously no one wants to have a security key that is not entirely secure.

From Google explain that this problem does not affect the main mission of the existence of this security key is to protect against phishing attacks, and even argues that users should continue to use the keys until they get a replacement.

At the moment the security key Titan of Google has not started on a very good footing, and we will see if from now on the public trusts a device that does not assure them a total protection either.


Src