Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered

Wednesday 15th May 2019 21:02 GMT Paul Crawford

Short distance

"Frankly, an attacker might do better to grab the device in question and run."

What if the attacker is in the adjacent hotel room to yours? These are unlikely attacks for sure, but if you are a high-value target to some major agency then it is quite a neat way to bypass the security without the alert of the device's disappearance.

3 0 Reply
1. Wednesday 15th May 2019 22:46 GMT Anonymous Coward
  
  Re: Short distance
  
  Yes, stuff like this is likely to be a targeted attack. Sitting in a Starbucks isn't going to get you far, probably most of the people getting these are geeks who are using it for their Slack accounts. Corporations that issue keys aren't likely to go with a Google product. Especially after this negative publicity.
  
  3 0 Reply
Wednesday 15th May 2019 21:13 GMT oldtaku

What do you expect with Bluetooth?

Q: How do you make a secure device insecure?

A: Put Bluetooth on it.

Such a terrible, terrible protocol. Just because it's been accreted for 30 years rather than designed.

6 1 Reply
1. Thursday 16th May 2019 06:39 GMT Dan 55
  
  Re: What do you expect with Bluetooth?
  
  Bluetooth is not even the same as BLE, Bluetooth got became more-or-less secure after about decade then BLE was added with all the same mistakes that the original Bluetooth made.
  
  1 0 Reply
Wednesday 15th May 2019 22:10 GMT elvisimprsntr

Google != security | privacy

4 0 Reply
Thursday 16th May 2019 06:44 GMT seven of five

30 feet? more like 30 metres

While your mileage may (and very much will) vary, depending on conditions, bluetooth can relieably connect over more than 30 Metres (that is around a hundred of your feet). My blackberry picks up the stereo in the kitchen from further than that (and starts streaming metal to my wife :) ), even without LOS. Given the trouble I sometimes have to connect to the bloody rental car I sit in, the 30 feet advise seems rather sloppy.

1 0 Reply
Thursday 16th May 2019 06:48 GMT Blockchain commentard

As long as you know the username and password. Huh? How's a miscreant going to know that unless it's Bob sitting next to you? Yes, that Bob, who's looking at you right now, fidgeting with that funny laptop you never realised was there before.

0 0 Reply
Thursday 16th May 2019 08:58 GMT brotherelf

Yea, that's the ups and downs of it: user-updateable firmware is a security risk, but if you have a bug, it's a across-the-board recall. And it's not just them, Yubico had one or two in the past, and so did Nitrokey. (Nitrokeys have writeable firmware, but the programming pins are inside the case, which might make it the worst of both worlds?)

And of course, you have, by design, irretrievable secret key material or serial#s on the devices. It's a branch of IT that can become effing expensive, real quick. (It still might be the best we have right now, though?)

0 0 Reply
Thursday 16th May 2019 12:28 GMT Gio Ciampa

"If the attacker also knows the victim's username and password"...

...they're buggered anyway, surely?

0 0 Reply
Friday 17th May 2019 15:03 GMT Archivist

What is this schadenfreuder you speak of? Even my English spellchecker picked up the mistake.

Or could it be: One who schadenfreudes?

0 0 Reply