Google is offering all users of the Bluetooth version of its Titan Security Key a free replacement, because it has found a vulnerability in the key that cannot be fixed with an update. The flaw lets an attacker who is nearby pair the key with their own hardware; the USB-only version of the Titan key is not affected.
The vulnerability lies in the Bluetooth pairing of the Titan key, Google says. At the moment a user presses the key's button to activate pairing, an attacker within Bluetooth range can connect their own device to the key before the user's own device does. If that attacker also has the user's username and password, they can use the key to sign in to the account.
Conversely, an attacker's device can impersonate the user's Titan key and pair with the user's laptop or phone when the button is pressed; once paired, it can present itself as a Bluetooth keyboard and perform actions on that device. Google attributes the vulnerability to a 'misconfiguration' of the key's Bluetooth pairing protocol. Owners can request a replacement key through a Google site.
The replacement is necessary because the affected key no longer works with iOS 12.3, and Android will disable it in the June security update, so users would otherwise risk being locked out of their accounts. It is unknown how many Titan Security Keys are in circulation. Google has been selling the keys, which implement the FIDO standard, since the summer of 2018.