Google found a security issue that could give an attacker access to a user's device through a tool meant to keep it secure, the company disclosed Wednesday.
Google is offering free replacements of its Bluetooth Low Energy Titan Security Keys after it found that anyone within about 30 feet could communicate with the key and its paired device while a user tried to activate the key or pair their devices.
The Titan Security Key is meant to provide an additional layer of protection for users hoping to prevent their accounts from being taken over by phishing attacks. While Google said the issue does not interfere with the key's ability to protect users from a remote phishing attack, it still reveals a significant gap in the device's security.
The flaw could undermine Google's recent messaging around privacy and security, which has become a hot issue in Silicon Valley. Google CEO Sundar Pichai penned a New York Times op-ed earlier this month advocating for the democratization of privacy after unveiling a host of new privacy features at Google's developer conference.
Google recommended continuing to use the affected keys until their replacement arrives. As an extra precaution, users should use the keys when they aren't near other people who may try to gain access to their devices, then immediately unpair the key after signing on, Google said. However, iOS users who have updated to version 12.3 will not be able to sign into any accounts linked to the key until they receive a replacement, according to Google. The company advised staying logged onto accounts on iOS devices until the new replacement arrives.
Google said that only BLE versions of the keys are affected. Devices with a "T1" or "T2" on the back are eligible for the free replacement, available by visiting google.com/replacemykey.