In order for the attack to work, the hacker would have to be near you at the moment you press the button on your key to turn it on.
This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account. "An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects," Google's cloud product manager Christiaan Brand explained.
"If it has a 'T1' or 'T2' on the back of the key, your key is affected by the issue and is eligible for free replacement," Google said today in a blog post.
The attacker already knows your username and password, and when you first pair the device they could connect after you press the pairing button, but before your device connects.
On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet).
A security key is the most robust form of defense against phishing, one of the most common attacks meant to steal your password, giving hackers access to your account and data.
You can request a replacement by heading over to a website Google has set up for this specific issue, and if you're logged into your Google account when you visit it, it'll even automatically check to see if any affected keys are associated with your account.
In brief: Google recently became aware of a security issue impacting select Titan Security Keys. Normally, the key should work like this: You hold it close to your PC or smartphone and the key will communicate over Bluetooth to unlock access to your online account.
Google noted that there needs to be a perfect storm of conditions in order for a hacker to infiltrate the Titan's defenses.
Nearly a year ago, Google made available its own line of physical security keys to improve anti-phishing protection of its employees and users.
Still, until the replacement key arrives, users can minimize the risk of compromise by using the key at a safe distance from potential attackers and unpairing the key after signing into their Google account (detailed instructions for iOS and Android users are available here). You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3. Note that you can continue to sign into your Google Account on non-iOS devices.
You will need to sign into your Google account when you access the site to claim your replacement.
Most Yubico USB-based security keys also include NFC, and you can get a combination USB-NFC security key from Amazon for less than $20.
The company also provided a number of steps designed to help users of iOS (12.2 or earlier) and Android devices with the BLE version of Titan Security Keys minimize the security risks until they receive their replacement security keys.
The issue also affects Feitian BLE security keys.