Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered

Google is offering free replacements of its Titan Security Keys, used for two-factor authentication, after learning the widgets' Bluetooth connections could be compromised by nearby hackers. The Chocolate Factory on Wednesday advised customers with certain Bluetooth Low-Energy (BLE) versions of Titan Security Keys – marked T1 …

  1. Paul Crawford Silver badge

    Short distance

    "Frankly, an attacker might do better to grab the device in question and run."

    What if the attacker is in the adjacent hotel room to yours? These are unlikely attacks for sure, but if you are a high-value target to some major agency then it is quite a neat way to bypass the security without the alert of the device's disappearance.

    1. DougS Silver badge

      Re: Short distance

      Yes, stuff like this is likely to be a targeted attack. Sitting in a Starbucks isn't going to get you far, probably most of the people getting these are geeks who are using it for their Slack accounts. Corporations that issue keys aren't likely to go with a Google product. Especially after this negative publicity.

  2. oldtaku

    What do you expect with Bluetooth?

    Q: How do you make a secure device insecure?

    A: Put Bluetooth on it.

    Such a terrible, terrible protocol. Just because it's been accreted for 30 years rather than designed.

    1. Dan 55 Silver badge

      Re: What do you expect with Bluetooth?

      Bluetooth is not even the same as BLE. Bluetooth became more-or-less secure after about a decade, then BLE was added with all the same mistakes that the original Bluetooth made.

  3. elvisimprsntr

    Google != security | privacy

  4. seven of five

    30 feet? more like 30 metres

    While your mileage may (and very much will) vary, depending on conditions, Bluetooth can reliably connect over more than 30 metres (that is around a hundred of your feet). My BlackBerry picks up the stereo in the kitchen from further than that (and starts streaming metal to my wife :) ), even without LOS. Given the trouble I sometimes have connecting to the bloody rental car I sit in, the 30 feet advice seems rather sloppy.

  5. Blockchain commentard Silver badge

    As long as you know the username and password. Huh? How's a miscreant going to know that unless it's Bob sitting next to you? Yes, that Bob, who's looking at you right now, fidgeting with that funny laptop you never realised was there before.

  6. brotherelf

    Yeah, that's the ups and downs of it: user-updateable firmware is a security risk, but if you have a bug, it's an across-the-board recall. And it's not just them, Yubico had one or two in the past, and so did Nitrokey. (Nitrokeys have writeable firmware, but the programming pins are inside the case, which might make it the worst of both worlds?)

    And of course, you have, by design, irretrievable secret key material or serial#s on the devices. It's a branch of IT that can become effing expensive, real quick. (It still might be the best we have right now, though?)

  7. Gio Ciampa

    "If the attacker also knows the victim's username and password"...

    ...they're buggered anyway, surely?

  8. Archivist

    What is this schadenfreuder you speak of? Even my English spellchecker picked up the mistake.

    Or could it be: One who schadenfreudes?
