Google's Titan Security Keys are hardware two-factor authentication devices that Google pitches as the strongest way to protect online accounts, and Google has said it uses them internally. Recently the search giant announced that it had discovered a misconfiguration in the Bluetooth pairing protocols of the Bluetooth Low Energy (BLE) version of the Titan Security Key that could allow an attacker physically nearby to communicate with the key, or with the device the key is paired to.
Google gave two examples of how an attacker could abuse the misconfiguration. The first takes place while the user is pairing the key with a PC or phone: an attacker could connect their own device to the affected key before the user's device does, and then use it to sign in to the user's account. This attack requires the attacker to already know the victim's username and password and to time the connection precisely.
The second applies when the user is signing in with the key. Here the attacker's device masquerades as the affected key and connects to the user's computer or phone at the moment the user is prompted to press the button on the key. Once connected, the attacker could attempt to re-present their device as a Bluetooth keyboard or mouse and use it to take actions on the user's device. Google noted that neither issue affects the key's primary purpose, which is protecting the account against phishing.
Both attacks are hard to pull off in practice: Bluetooth Low Energy has limited range, so the attacker must be within roughly 30 feet (about 10 meters) of the user at the moment the button on the key is pressed. Google is not fixing the issue with a firmware update; instead it is replacing affected keys free of charge, and in the meantime advises users to keep using the key but to do so away from potential attackers and to unpair it from their device immediately after signing in. BLE Titan Security Key owners can tell whether their key is affected by the small marking above the USB port on the back: keys marked T1 or T2 need to be replaced, and Google has set up a website for the replacement program. The Titan Security Key went on sale last summer.