Windows 10 patch blocks Google Titan keys over Bluetooth flaw

Microsoft’s June 2019 Patch Tuesday update for Windows brings an end to pairing between Google’s Titan Security keys and Windows devices.

Apple cut off iPhone and iPad connections to Google’s Titan security key in the May release of iOS 12.3, as Google kicked off a return program over a flaw that could allow a nearby attacker to sign into a Titan key-protected account. The key still securely served its main purpose of protecting users against remote phishing attacks.

The product recall suggests Google could not economically fix the flaw in the security keys with a remotely delivered patch.

Google launched the Titan keys as part of a two-factor authentication solution in the summer of 2018 with the intent of protecting Google Account users against phishing attacks. For $50, businesses and consumers could buy a bundle that included one model that authenticated over a physical USB connection or NFC, and another that connected over Bluetooth.

Security key maker Yubico — a supplier for Google employees' own computers — opposed Bluetooth due to security and usability concerns.

Microsoft’s June 2019 Patch Tuesday update brings a similar restriction to Apple’s iOS 12.3 update.

“You may experience issues pairing, connecting or using certain Bluetooth devices after installing security updates released June 11, 2019. These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including certain security fobs,” Microsoft said in a support note for Windows 10 version 1903. All versions of Windows 10 are similarly affected. 

Microsoft notes in an advisory that the issue affects the Bluetooth Low Energy (BLE) version of FIDO Security Keys, and also advises customers using the Feitian Multipass (Feitian CTAP1/U2F) security key to check its product warning.

The security issue is specific to Bluetooth pairing and would still require an attacker to have the target’s username and password to become a threat. The attacker would need to be within about 30 feet of the device, according to Google. Feitian, like Google, is offering to replace affected keys at no charge to affected customers.

Microsoft’s description of the issue strikes a different tone from Google’s, which emphasized that while the keys should be replaced as a matter of caution, they still served their primary purpose of thwarting remote phishing attacks.

“Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key, or communicate with the device to which the key is paired,” said Microsoft.

“To address this issue, Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration.”

Microsoft recommends that customers install its June 2019 Windows security update despite the potential inconvenience, and advises users to review Google’s June Android security bulletin, where the search company details CVE-2019-2102, a high-severity elevation of privilege issue in Android 7.0 and above.

In usability terms, the loss of Bluetooth pairing hurts iPhone users more than Windows or Android users. Android phones didn’t need Bluetooth support because they already had NFC support, and Windows devices have USB support.

Still, the security flaw does not help the push to encourage users to adopt two-factor authentication.