Google has issued a security advisory for its Bluetooth Titan security keys that is serious enough that you can replace them for free. The company says there is a "misconfiguration in the Bluetooth pairing protocols of Titan security keys" that could allow an attacker to access your account or device, even if only in a couple of specific (and specifically difficult to achieve) circumstances.
The company tells us that today's news is a coordinated disclosure, which means in part that the companies that manufacture affected products are disclosing the problem at the same time. Feitian, the company that makes Google's Titan Key but also sells keys under its own brand, revealed the same vulnerability today and is offering a replacement program for its users.
Microsoft originally discovered the vulnerability and disclosed it to the companies that make the affected products, Google says.
Google has long been a leading advocate of two-factor authentication (2FA). In particular, it has been pushing its Titan Security Keys as a more secure way to enable 2FA than simply an authenticator app (or, worse, SMS). Google is not wrong about that, but since the key is designed to provide a higher level of security, any possible security vulnerability in it will face a greater level of scrutiny.
There are two vulnerabilities that Google is disclosing. First, if an attacker is within the roughly 30-foot Bluetooth Low Energy range of your key at the moment you press the button to authenticate a login, they could connect their own device to your security key. If they also have your password, they could gain access to your account. The second possible case is that when a key is paired for the first time, an attacker could "impersonate your affected security key and connect to your device," and then do the same things on your device that other Bluetooth devices can do, such as acting as a keyboard or a mouse.
So: the attacker must be aware of this vulnerability, have software capable of exploiting it, and must execute the attack at exactly the right time. It's a series of unlikely events, but again, physical security keys like the Titan must meet a higher standard to maintain people's trust.
As TechCrunch notes, the founder of Yubico criticized Google for launching a BLE key because he thought it would not be as secure as USB or NFC. Google's disclosure of the Bluetooth vulnerability in the Titan security key does not affect the recently released ability to use your Android phone as a physical security key. That method does not rely on Bluetooth pairing in the same way the Titan and Feitian keys do.
If you have a "T1" or "T2" printed on your Titan Key, you are eligible for a replacement. It may seem obvious, but these FIDO keys are designed not to be software upgradeable as a security measure. While you're waiting for the replacement to arrive, Google recommends that you continue to use your existing security key. It is probably still safer than other 2FA methods and absolutely safer than not using 2FA at all.