Google is recalling its Titan security key after discovering a Bluetooth vulnerability that could allow a hacker located within roughly 30 feet of the device to communicate with it, the company announced Wednesday.
Google released the key-shaped Titan last August, offering the physical authentication tool as a remedy to phishing and other attacks. The device connects with other hardware via Bluetooth pairing. A misconfiguration in its pairing protocol could allow attackers to communicate with the security key, or with the device it is paired to, Google said.
This vulnerability is difficult to exploit, the company said, and would require an outsider to already have obtained a victim’s username and password to access their account.
Google is offering free replacements to affected users.
“This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker,” the company said in a blog post. “Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).”
Mark Risher, Google’s head of account security, tweeted that the “issue relates to the Bluetooth Low Energy pairing protocol, and not to the cryptographic properties of the key itself[.]”
Titan is one of several key-shaped products designed to add an extra layer of security beyond a user’s password. Competitors include Yubico’s line of devices.