Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys (security.googleblog.com)
For anyone else who has to go through the process:
Go to the replacement page: https://myaccount.google.com/replacemykey
If you qualify for the return, there will be a box displaying the key you purchased (in my case it says "Titan Security Key Bundle"). If you do not see this box and you have multiple Google accounts, make sure you've selected the one in which you placed the order (and is paired to your account—thanks programd) by clicking on your avatar in the top right. If you're not simply in the wrong account, Google doesn't think you qualify.
At that point, you'll end up on the shopping page. Add the replacement key (it will tell you the full price of the item but don't worry). Proceed to checkout. On the final checkout screen, you should find a promo applied which brings your total down to $0. If you don't, you're probably buying another one so don't confirm.
Note that if you have not yet paired your key with a Google account the page will say "No action needed". Apparently they try to detect if the key is paired with your account before they replace it.
I emailed them at the contact address on that web page, but no reply just yet.
I hope they have a return/replace workflow for unused keys because obviously, why would you want to use one before you get it replaced? Obviously.
It's great to read that it works this way for at least someone out there. For me, after clicking 'Get Started' at the above page I was sent to https://support.google.com/store/contactflow?dl=change_cance...
And yes, I'm using the current Chrome and script/ad-blockers are disabled.
I was seeing that as well at first (with chat disabled as an option). Changing to the right account and revisiting the replacement key page in the same browser window was what brought me to the right page. Now I can't reproduce getting to that support page.
Not the most user-friendly replacement process here, Google.
First I had to chat with a representative, which wasn't terrible but still took time.
Now I need to place a "replacement order" for a new set of keys. And it's charging me $1.00 for the replacement key plus $0.07 tax.
And on top of all that I need to print labels for fedex, box up the old keys, and drive the ewaste box to a fedex/kinkos/whatever.
Maybe Yubikey wasn't so terrible after all...
Was the replacement order site not working for you?
Not clear to me what 'working' means to you. The replacement site worked by sending me to a contact form where I had to chat with a representative then wait for an email to initiate an RMA where I had to pay $1.07 via credit card.
"Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device."
Why is a Bluetooth device allowed to spontaneously change its type and suddenly become an authenticated keyboard and/or mouse? Could this be done to insecure BT headphones or is it something specific to a security key? Is the security key actually a keyboard?
I'm not sure if it's identical in the Bluetooth world but the USB keys do present as a HID keyboard because the one-time pad & TOTP functionality require it to emit a string of random characters and there's no other generic way to do that.
That's what I thought too, but it seems like FIDO CTAP over BLE is its own thing and does not use Bluetooth HID: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-cl...
The fact that paired devices are able to arbitrarily change their profile long after pairing seems to be the real issue here, and probably what was patched in yesterday's iOS/macOS releases.
There is nothing on this in the security notes to these updates, but my guess is that the CVEs will be disclosed in a bit.
There is no such thing as "device type" in BLE. Any device can implement a number of profiles, and the list can change at will. A few are mandatory like GAP and GATT, others are optional, like battery profile, U2F, or custom fw update channels. Limiting profiles used or changes to that list would break many use cases (e.g. DFU over BLE).
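The behaviour discussed in the comments above (a paired peripheral whose profile list changes later, possibly to include a keyboard or mouse) can be watched for on the host side. The following is an added example, not part of the thread and not the mitigation Apple or Google shipped: it diffs the GATT service UUIDs recorded at pairing against the current list, tolerates ordinary changes, and raises an alert when HID over GATT appears. The function names and sample service lists are hypothetical, and how the lists are read from the host's BLE stack is left out.

```python
# Added example (constructed data): detect a paired BLE peripheral that
# starts exposing an input-device service it did not have at pairing time.
BASE_TAIL = "-0000-1000-8000-00805f9b34fb"  # tail of the Bluetooth Base UUID

# Bluetooth SIG assigned 16-bit service UUIDs
GAP, GATT, BATTERY = 0x1800, 0x1801, 0x180F
HID_OVER_GATT = 0x1812  # BLE keyboards and mice
FIDO = 0xFFFD           # FIDO authenticator service


def normalize(uuid):
    """Return the canonical lowercase 128-bit form of a service UUID."""
    if isinstance(uuid, int):
        return f"{uuid:08x}{BASE_TAIL}"
    text = uuid.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) in (4, 8):  # 16- or 32-bit short form
        return f"{int(text, 16):08x}{BASE_TAIL}"
    return text


def review_services(at_pairing, now):
    """Diff the service list recorded at pairing against the current one.

    Returns (verdict, findings). Ordinary changes (battery, firmware update
    channels) yield "changed"; a newly added HID service yields "alert".
    """
    before = {normalize(u) for u in at_pairing}
    after = {normalize(u) for u in now}
    added, removed = after - before, before - after
    findings = [f"added {u}" for u in sorted(added)]
    findings += [f"removed {u}" for u in sorted(removed)]
    if normalize(HID_OVER_GATT) in added:
        role = "FIDO authenticator" if normalize(FIDO) in before else "device"
        findings.append(f"{role} began exposing HID over GATT after pairing")
        return "alert", findings
    return ("changed" if findings else "ok"), findings


if __name__ == "__main__":
    paired = [GAP, GATT, "FFFD"]  # constructed: key as seen at pairing
    print(review_services(paired, paired + [BATTERY]))
    print(review_services(paired, paired + ["0x1812"]))
```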
Has anyone seen a description of the "misconfiguration"? It appears that both iOS (is) and Android (will) ship mitigations which disable the existing keys, but I can't find a description of the actual issue.
Is this issue applicable to Feitian MultiPass key? As far as I can tell, Google rebranded them as Titan Key. Ones with the Feitian's labels were handed out by Google to activists at various conferences. I assume there's no way they'll be replacing those (since they were handed out for free), but it would be nice to know if they're affected or not.
I use the Feitian Multipass that I bought from Amazon before Titan Keys were available. I had connected to my Google account using my iPhone.
This morning I received the "Update on your Titan Security Key" email from Google. I was able to submit the $0 order for replacement using the Google replacement link.
So seems like Google can't tell the difference between the Feitian Multipass and their version.
Seems like they will give you a free one if you have an account with a Feitian key added. Regardless of whether or not it's actually a Titan key and even if you didn't buy it from them.
I'm in Canada, they didn't offer to send me a Google one, they directed me to Feitian's replacement site instead.
The hardware is from Feitian but Google did write all the software for their security keys.
Quick link to replacement: https://myaccount.google.com/replacemykey
I’m curious, what did Apple fix in 12.3 that makes the older Titans unusable? It sounds like something Bluetooth-related.
Yes, this looks like there is a much larger vulnerability disclosure about to happen and Google is giving people a chance to update to non-vulnerable versions of their operating systems.
I wonder if the key I just ordered two hours ago will be affected. Google sent out an email they were back in stock.
The interesting tidbit here is around iOS 12.2 and 12.3 (and I assume also affects macOS 10.14.5 but people generally use USB based U2F hardware keys). In the 10.14.5 what's new page, it says "Disables accessories with insecure Bluetooth connections."