
Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys - agrinman
https://security.googleblog.com/2019/05/titan-keys-update.html
======
sisk
For anyone else who has to go through the process:

Go to the replacement page:
[https://myaccount.google.com/replacemykey](https://myaccount.google.com/replacemykey)

If you qualify for the return, there will be a box displaying the key you
purchased (in my case it says "Titan Security Key Bundle"). If you do not see
this box and you have multiple Google accounts, make sure you've selected the
one in which you placed the order (and is paired to your account—thanks
programd) by clicking on your avatar in the top right. If you're not simply in
the wrong account, Google doesn't think you qualify.

At that point, you'll end up on the shopping page. Add the replacement key (it
will tell you the full price of the item but don't worry). Proceed to
checkout. On the final checkout screen, you should find a promo applied which
brings your total down to $0. If you don't, you're probably buying another one
so don't confirm.

~~~
turtlegrids
It's great to read that it works this way for at least someone out there. For
me, after clicking 'Get Started' at the above page I was sent to
[https://support.google.com/store/contactflow?dl=change_cance...](https://support.google.com/store/contactflow?dl=change_cancel_or_return_an_order&p=replacemykey&visit_id=<series-of-numbers-removed>&rd=1)

And yes, I'm using the current Chrome and script/ad-blockers are disabled.

~~~
sisk
I was seeing that as well at first (with chat disabled as an option). Changing
to the right account and revisiting the replacement key page in the same
browser window was what brought me to the right page. Now I can't reproduce
getting to that support page.

------
turtlegrids
Not the most user-friendly replacement process here, Google.

First I had to chat with a representative, which wasn't terrible but still
took time.

Now I need to place a "replacement order" for a new set of keys. And it's
charging me $1.00 for the replacement key plus $0.07 tax.

And on top of all that I need to print labels for FedEx, box up the old keys,
and drive the ewaste box to a FedEx/Kinkos/whatever.

Maybe Yubikey wasn't so terrible after all...

~~~
acchow
Was the replacement order site not working for you?

~~~
turtlegrids
Not clear to me what 'working' means to you. The replacement site worked by
sending me to a contact form where I had to chat with a representative then
wait for an email to initiate an RMA where I had to pay $1.07 via credit card.

------
kevin_b_er
"Once paired, an attacker in close physical proximity to you could use their
device to masquerade as your affected security key and connect to your device
at the moment you are asked to press the button on your key. After that, they
could attempt to change their device to appear as a Bluetooth keyboard or
mouse and potentially take actions on your device."

Why is a Bluetooth device allowed to spontaneously change its type and
suddenly become an authenticated keyboard and/or mouse? Could this be done to
insecure BT headphones or is something specific to a security key? Is the
security key actually a keyboard?

~~~
acdha
I'm not sure if it's identical in the Bluetooth world but the USB keys do
present as a HID keyboard because the one-time pad & TOTP functionality
require it to emit a string of random characters and there's no other generic
way to do that.

~~~
lxgr
That's what I thought too, but it seems like FIDO CTAP over BLE is its own
thing and does not use Bluetooth HID:
[https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-cl...](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html)

The fact that paired devices are able to arbitrarily change their profile long
after pairing seems to be the real issue here, and probably what was patched
in yesterday's iOS/macOS releases.

There is nothing on this in the security notes to these updates, but my guess
is that the CVEs will be disclosed in a bit.

------
janekm
Has anyone seen a description of the "misconfiguration"? It appears that both
iOS (is) and Android (will) ship mitigations which disable the existing keys,
but I can't find a description of the actual issue.

------
r3bl
Is this issue applicable to Feitian MultiPass key[0]? As far as I can tell,
Google rebranded them as Titan Key. Ones with Feitian's labels were handed
out by Google to activists at various conferences. I assume there's no way
they'll be replacing those (since they were handed out for free), but it would
be nice to know if they're affected or not.

[0]
[https://www.ftsafe.com/products/FIDO/Multi](https://www.ftsafe.com/products/FIDO/Multi)

~~~
jonathonlui
I use the Feitian Multipass that I bought from Amazon before Titan Keys were
available. I had connected to my Google account using my iPhone.

This morning I received the "Update on your Titan Security Key" email from
Google. I was able to submit the $0 order for replacement using the Google
replacement link.

So seems like Google can't tell the difference between the Feitian Multipass and
their version.

~~~
agrinman
Seems like they will give you a free one if you have an account with a Feitian
key added. Regardless of whether or not it's actually a Titan key and even if
you didn't buy it from them.

~~~
lstamour
I'm in Canada, they didn't offer to send me a Google one, they directed me to
Feitian's replacement site instead.

------
finiteloops
Quick link to replacement:
[https://myaccount.google.com/replacemykey](https://myaccount.google.com/replacemykey)

------
CaliforniaKarl
I’m curious, what did Apple fix in 12.3 that makes the older Titans unusable?
It sounds like something Bluetooth-related.

~~~
lxgr
Yes, this looks like there is a much larger vulnerability disclosure about to
happen and Google is giving people a chance to update to non-vulnerable
versions of their operating systems.

------
paulie_a
I wonder if the key I just ordered two hours ago will be affected. Google sent
out an email they were back in stock.

------
hsk823
The interesting tidbit here is around iOS 12.2 and 12.3 (and I assume also
affects macOS 10.14.5 but people generally use USB based U2F hardware keys).
In the 10.14.5 what's new page, it says "Disables accessories with insecure
Bluetooth connections."

