As if the world isn’t scary enough: According to Google, your most trusted security measures could actually be secret vulnerabilities.
On Wednesday, Google announced on its security blog that it has found a bug in the Bluetooth Low Energy (BLE) version of its Titan Security Key that exposes users to a potential attack when pairing the device via Bluetooth. These keys are a low-cost method of two-factor authentication that provides an added layer of security when logging in to your Google account.
According to Google, “it is possible for an attacker who is physically close to you at the moment you use your security key to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.”
The chances that you’ll be affected by this particular vulnerability are relatively small. The circumstances that would have to align include an attacker in close proximity (less than 30 feet or so), who is able to time their attack to the exact moment that you connect with your security key.
Hackers could then connect their device and take advantage of the two-factor authentication offered by the Titan key, or masquerade their device as your key and connect to your laptop. In that scenario, they’d still have to have your user name and password and time their attack perfectly.
Or, they could, in effect, use their device as a Bluetooth accessory like a keyboard to take control of your computer.
Neither is something that’s likely to happen as you sit and work in your average coffee shop. If people want your information that badly, it’s probably more likely that they’d wait for you to log in and then physically steal your laptop. Still, you should be aware when vulnerabilities like this are revealed because it’s ultimately your responsibility to protect your personal and company information from would-be bad actors.
While the chances are remote for the average user, the consequences could be significant. If you did fall victim to this attack while connecting to your company’s intranet or customer database, for example, you might expose sensitive or personal data that could be accessed or modified.
To tell if you might be affected, check the back of your key. If it’s marked T1 or T2, Google will replace it for free. Go to google.com/replacemykey to request a new version that is unaffected by this flaw. In the meantime, Google recommends you continue to use your key since the security protection provided generally outweighs the chances that you’ll fall victim to this particular vulnerability.
Published on: May 16, 2019
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.