How to Replace a Vulnerable Google Titan Bluetooth Dongle
If you use one of Google's Titan Bluetooth security keys to sign in to all of your two-factor accounts, there is good news and bad news. The bad news, as you probably guessed, is that Google has announced that it has discovered a vulnerability that could allow someone to gain access to your accounts. The good news is that Google has spotted the problem and will send you a free replacement that closes the loophole.
The Google Titan Bluetooth Security Key is a physical security token that, when paired with a phone or tablet, provides one of the two passcodes required to unlock an account protected by two-factor authentication. It replaces the one-time code you would otherwise get from a two-factor authentication app or text message. As many people, including Google, rightly point out, using a physical token that automatically transmits these codes is much safer than having a one-time code sent to your device.
According to the Google Security Blog, Titan dongles that use Bluetooth Low Energy are vulnerable to attack during the Bluetooth pairing process. During pairing, an attacker up to 30 feet away can intercept a device's signal, allowing them to send data to the dongle and to any device already connected to it. Technically, this could allow them to access your two-factor-protected device if they time their access to coincide with yours. It would take real skill, but it's possible.
For this reason, Google is replacing the affected keys. (Google prefers to think of this as a replacement rather than a "recall", since it does not require the return of vulnerable keys.) To check whether your device needs to be replaced, look for the combination of letters and numbers at the bottom of the back of the key. If your key says "T1" or "T2", the key is affected and you should go to Google's replacement site. You will need to sign in to your Google account to request a replacement. (Google checks whether you have synced the key with your account.) If this is not possible, you can write to Google at [email protected]. (To keep things running smoothly, I would recommend having your serial number and receipt handy.)
Until your new key arrives, Google recommends that all users avoid using the Titan in public places where someone might get close or see when you are using your key. If you haven't paired your Titan with your Google account, Google recommends that you do so and then unpair your device immediately. Google noted that affected Titan keys will stop working when paired with Apple devices running iOS 12.3, and that Android devices will automatically unpair affected keys after receiving the June security patch.
This article was updated on 5/16/19 to reflect that Google itself is not calling its replacement proposal a “recall.”