Google Titan key security problem?

I was sure I tooted/tweeted a thank you to the Google team at Berlin’s Re:publica conference. But it looks like it never quite happened due to connectivity issues with the Wi-Fi at certain points of the day.

So first of all I want to say thanks for giving me a Titan Security Key for spending time listening to what changes Google had made to their security as announced at Google I/O 2019.

I was surprised to see Google there with all the ill feeling about the 5 stacks, their monopoly and business practice.

But before I could get home and try the key/system, I saw a bunch of problems with the key.

Google Titan Bluetooth Security Key Can Be Used to Hack Paired Devices

Titan-ic disaster: Bluetooth blunder sinks Google’s 2FA keys, free replacements offered

Obviously I was a little concerned, although I had not added the Titan key to my Google two-factor auth yet.

After a bunch of reading, it seems it’s not completely flawed. The Google security blog confirms my research.

The problem is with the Bluetooth fob, which, although super convenient to be honest, wasn’t the most secure idea in the world. The Bluetooth stack is limited in its range, but because of that, it’s not got as much security as most things on the net.

Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:

When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.

Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

This all being a big mistake, Google has offered a replacement key. However, because my key hasn’t been added to my account yet, I get a message saying no action is required but an email to override this. However, after double checking, my key is a type T3, meaning it wasn’t affected.

Good work Google…

Media Molecule allows you to Dream?

A few people have mentioned Dreams to me especially in respect to interactive experiences and creating your own.

I don’t own a PlayStation 4 (although I just ordered the PlayStation Classic) but ever since I saw Little Big Planet’s creation mode, I’ve been blown away by the possibilities. So I was impressed they doubled down on this feature in Dreams.

However there is something which bugs me…

Imagine putting all that work into your dream/world (as such), because some of them look incredible. Who owns the dream?

I’m wondering if there is an export mode for the dreams? If there was, how would it be exported? A flattened video wouldn’t cut it. You almost need something like Google Stadia, but that’s also an unknown entity too (although maybe this is what the Microsoft and Sony thing is all about?). Ultimately I’d hate to spend hours/days/weeks working on something incredible and for it to be stuck in a world which could die in the next generation of the console or if the game doesn’t sell well enough? I won’t even mention IP challenges of the dreams…

Maybe it was time for an exportable descriptive language for interactive narratives which is platform neutral?

Just a thought…

The best technology can be used for good and for bad

Plex

I was very much reminded of this when reading about a user abusing Plex’s share.

Earlier this week the man in question informed fellow Plex users on Tweakers that he was approached by local anti-piracy group BREIN, which had become aware that he was running a Plex share with 5,700 movies and 10,000 TV-shows.