iOS 12.3 kills support for Google’s Bluetooth Titan security key over hijacking flaw

Google is offering customers with the Bluetooth variant of its Titan Security Key a free replacement after it learned of a flaw that could allow a nearby attacker to sign into a key-protected account, undermining one of the main purposes of the hardware key. Affected keys can be identified by the "T1" or "T2" marking on the back of the key.

Google says the Bluetooth variant of the Titan key still provides the best protection against remote phishing attacks. However, it revealed today that “a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” made it possible for a nearby attacker to compromise the connection at pairing time, potentially allowing that attacker to sign in to a Titan key-protected account.

This could allow an attacker to “communicate with your security key, or communicate with the device to which your key is paired.” 

This means that an attacker can, from about 30 feet (9 metres), jump in at the time of key-to-device pairing and connect their own device to a key before the legitimate user’s device successfully pairs. 

The attacker would still need the victim’s username and password, but with those already in hand they could connect their own device to the key at the moment the victim presses it and use its response to complete the sign-in to the Google account from their device.