from Hacker News

Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

by agrinman on 5/15/19, 4:56 PM with 23 comments

• by sisk on 5/15/19, 5:58 PM

  For anyone else who has to go through the process:

  Go to the replacement page: https://myaccount.google.com/replacemykey

  If you qualify for the return, there will be a box displaying the key you purchased (in my case it says "Titan Security Key Bundle"). If you do not see this box and you have multiple Google accounts, make sure you've selected the one in which you placed the order (and is paired to your account—thanks programd) by clicking on your avatar in the top right. If you're not simply in the wrong account, Google doesn't think you qualify.

  At that point, you'll end up on the shopping page. Add the replacement key (it will tell you the full price of the item but don't worry). Proceed to checkout. On the final checkout screen, you should find a promo applied which brings your total down to $0. If you don't, you're probably buying another one so don't confirm.

• by turtlegrids on 5/15/19, 5:53 PM

  Not the most user-friendly replacement process here, Google.

  First I had to chat with a representative, which wasn't terrible but still took time.

  Now I need to place a "replacement order" for a new set of keys. And it's charging me $1.00 for the replacement key plus $0.07 tax.

  And on top of all that I need to print labels for fedex, box up the old keys, and drive the ewaste box to a fedex/kinkos/whatever.

  Maybe Yubikey wasn't so terrible after all...

• by kevin_b_er on 5/15/19, 7:29 PM

  "Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device."

  Why is a bluetooth device allowed to spontaneously change its type and suddenly become an authenticated keyboard and/or mouise? Could this be done to insecure BT headphones or is something specific to a security key? Is the security key actually a keyboard?

• by janekm on 5/15/19, 5:11 PM

  Has anyone seen a description of the "misconfiguration"? It appears that both iOS (is) and Android (will) ship mitigations which disable the existing keys, but I can't find a description of the actual issue.

• by r3bl on 5/15/19, 5:17 PM

  Is this issue applicable to Feitian MultiPass key[0]? As far as I can tell, Google rebranded them as Titan Key. Ones with the Feitian's labels were handed out by Google to activists at various conferences. I assume there's no way they'll be replacing those (since they were handed out for free), but it would be nice to know if they're affected or not.

  [0] https://www.ftsafe.com/products/FIDO/Multi

• by finiteloops on 5/15/19, 5:05 PM

  Quick link to replacement: https://myaccount.google.com/replacemykey

• by CaliforniaKarl on 5/15/19, 7:13 PM

  I’m curious, what did Apple fix in 12.3 that makes the older Titans unusable? It sounds like something Bluetooth-related.

• by paulie_a on 5/15/19, 6:50 PM

  I wonder if the key I just ordered two hours ago will be effected. Google sent out an email they were back in stock.

• by hsk823 on 5/15/19, 5:14 PM

  The interesting tidbit here is around iOS 12.2 and 12.3 (and I assume also affects macOS 10.14.5 but people generally use USB based U2F hardware keys). In the 10.14.5 what's new page, it says "Disables accessories with insecure Bluetooth connections."