
Timesdelhi.com

May 26, 2019
Category archive

key

Google recalls its Bluetooth Titan Security Keys because of a security bug


Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” on the back. The keys sell for $50 in a package that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by having their own device masquerade as your security key and connect to your device when you press the button on the key. Having done this, the attacker can then change their device to look like a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at exactly the right time, and the attacker must already know your credentials. A persistent attacker could still make that work.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvard wrote when Google launched its Titan keys.

BoxLock secures your booty against porch pirates


This clever – if expensive – product is called the BoxLock and it is a keyless padlock that lets your package delivery person scan and drop off your packages into a locked box. The system essentially watches for a shipping event and then waits for the right barcode before opening. Once the delivery person scans the package, the lock opens, the delivery person sticks the package in a box or shed (not included) and locks it back up. You then go and grab your package at your leisure.

The lock costs $129.

The company appeared on everyone’s favorite show, Shark Tank, where they demonstrated the system with a fake door and fake UPS dude.

The internal battery lasts 30 days on one charge and it connects to your phone and house via Wi-Fi. While the system does require a box – it’s called BoxLock, after all, not LockBox – it’s a clever solution to those pesky porch pirates who endlessly steal my YorkieLoversBox deliveries.

It’s just gotten a lot easier to reprint keys from photographs


If you’re in the business of opening locked doors for business or pleasure, it just got a little easier. Using a parametric file for SCAD, you can easily recreate a Kwikset key with a few keystrokes.

Kwikset is particularly vulnerable because it has only five pins and five positions – 1 being not cut at all and 5 being cut very deeply. This means you can look at an image of a Kwikset key and estimate how deep or shallow each key cut is, then plug those measurements into this CAD file and print a key in a few minutes. Having physical access to the key makes it even easier. The SCAD file also changes based on the entered values, following the geometry of the keying system precisely.

Dave Pedu used this technique to print a few very basic keys on his Flashforge Creator Pro in ABS. He says he snapped off a few keys while working to build the final working product but he was able to open his lock quickly and easily using the final product. He does warn that new keys might not work as well.

“So, the verdict is – Yes! You can 3D print working copies of real keys. I suspect a new, tight lock might not work as well – mine is worn and it certainly helped,” he wrote.

Remember, friends, don’t post your keys on social media but if you have a Kwikset lock it might behoove you to measure the teeth as a sort of offline, digital backup.
