5 years, 11 months ago

Google Will Replace Titan Security Key Over a Bluetooth Flaw

As part of its expanded anti-phishing and account security measures, Google offers extensive support for physical authentication tokens. The "misconfiguration," as Google calls it, would allow an attacker who gets within 30 feet of someone using a security key to communicate with that key or with the device the key is paired to. Additionally, once the attacker paired to the target's Bluetooth key, Google suggests that they could also pull a sort of bait-and-switch as the victim attempts again to connect a device to their Bluetooth dongle. With the right timing, they could trick the victim's laptop, for instance, into pairing with their own Bluetooth dongle rather than the Titan key, thus gaining access to both a user's Google account and that computer. Those possibilities make this a serious enough bug that Google will replace any Titan BLE-branded security key that is linked to a Google account.
