The Bluetooth-enabled devices are one variety of low-priced security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.
The "bug", as Google calls it, is a misconfiguration in the keys' Bluetooth pairing that leaves open the possibility for an attacker to line up a series of events in order to gain control of your Bluetooth key and then access your account.
"Due to a misconfiguration in the Titan Security Keys' Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key - within approximately 30 feet - to (a) communicate with your security key, or (b) communicate with the device to which your key is paired", it said. An attacker in close physical proximity at that moment can potentially connect their own device to your affected security key before your own device connects. The attacker can then re-assign this rogue device as a Bluetooth keyboard and use it to run malicious commands to hijack the user's device.
The attack assumes the attacker already knows your username and password; when you first pair the key, they could connect to it after you press the pairing button but before your own device connects.
For these reasons Google is now replacing the keys. However, the company recommends that users keep using the keys until they receive a replacement, since even an affected key provides better security than not using a security key at all.
But the scope of the threat impacting the Titan security keys appears to be pretty small, according to Lauren Weinstein of People for Internet Responsibility. "Security keys are the strongest protection against phishing now available".
When you're trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it.
Once you update to iOS 12.3, your affected security key will no longer work. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account.
In the meantime, Google has some suggestions. It still recommends using the keys in their current state, since even a key with this bug is safer than using no key at all. Use the key only in a private place where nobody is within 30 feet of you, and once you have signed in to your device with it, unpair it through the device's Bluetooth settings; if you need to sign in with it again, pair it again and unpair it when you are finished. Android devices updated to the June 2019 Security Patch Level (SPL) or later will automatically unpair affected Bluetooth keys, so no manual unpairing is needed there.
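The two things a defender wants to check after reading the advice above are whether a BLE security key is still sitting in the paired-device list after sign-in, and whether any paired device has quietly acquired keyboard (HID) capability, which is how the rogue device in the described attack would later present itself. The script below is an added example, not from the article or from Google: it parses the output of `bluetoothctl info <MAC>` on Linux/BlueZ (the `Name:`, `Class:`, `Icon:` and `UUID:` lines), recognises security keys by the FIDO service UUID 0xFFFD and keyboards by the HID service UUID 0x1812, the Class-of-Device peripheral/keyboard bits or the `input-keyboard` icon, and prints the `bluetoothctl remove` command for each device that deserves a look without executing it. The three device records embedded in it are constructed for the demonstration; `--live` queries the local adapter and assumes the `bluetoothctl paired-devices` subcommand is available.

```python
"""Audit paired Bluetooth devices for security keys left paired and for HID/keyboard capability.
Added example (not the article's or Google's code). Assumes BlueZ `bluetoothctl` output format."""
import re
import subprocess
import sys
from dataclasses import dataclass, field

# Bluetooth SIG assigned 16-bit service UUIDs in the 128-bit base form bluetoothctl prints.
HID_SERVICE_UUID = "00001812-0000-1000-8000-00805f9b34fb"   # Human Interface Device
FIDO_SERVICE_UUID = "0000fffd-0000-1000-8000-00805f9b34fb"  # FIDO security key service

# Class of Device: bits 8-12 = major class (0x05 = peripheral); for peripherals bit 6 = keyboard.
MAJOR_CLASS_MASK = 0x1F00
MAJOR_CLASS_PERIPHERAL = 0x0500
MINOR_KEYBOARD_BIT = 0x0040

_ADDR_RE = re.compile(r"^Device ([0-9A-Fa-f:]{17})")
_UUID_RE = re.compile(r"\(([0-9a-fA-F-]{36})\)")


@dataclass
class PairedDevice:
    address: str
    name: str = ""
    device_class: int = 0
    icon: str = ""
    uuids: list = field(default_factory=list)

    def is_security_key(self) -> bool:
        return FIDO_SERVICE_UUID in self.uuids

    def is_keyboard(self) -> bool:
        """True if any of the places BlueZ records HID capability says the device is a keyboard."""
        class_says_keyboard = (
            self.device_class & MAJOR_CLASS_MASK == MAJOR_CLASS_PERIPHERAL
            and self.device_class & MINOR_KEYBOARD_BIT
        )
        return bool(class_says_keyboard or self.icon == "input-keyboard"
                    or HID_SERVICE_UUID in self.uuids)


def parse_info(text: str) -> PairedDevice:
    """Parse one `bluetoothctl info <MAC>` block into a PairedDevice."""
    dev = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _ADDR_RE.match(line)
        if m:
            dev = PairedDevice(address=m.group(1).upper())
            continue
        if dev is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Name":
            dev.name = value
        elif key == "Class":
            dev.device_class = int(value, 16)      # accepts the "0x..." form BlueZ prints
        elif key == "Icon":
            dev.icon = value
        elif key == "UUID":
            u = _UUID_RE.search(value)
            if u:
                dev.uuids.append(u.group(1).lower())
    if dev is None:
        raise ValueError("no 'Device <MAC>' header found in bluetoothctl output")
    return dev


def audit(devices):
    """Return (address, name, reason) for each device worth reviewing: anything that can act as a
    keyboard, and any security key still paired after sign-in (the article's advice is to unpair it)."""
    findings = []
    for d in devices:
        if d.is_keyboard():
            findings.append((d.address, d.name, "keyboard-hid"))
        elif d.is_security_key():
            findings.append((d.address, d.name, "security-key-still-paired"))
    return findings


def live_paired_devices():
    """Query the local BlueZ stack (Linux only, not used by the tests)."""
    out = subprocess.run(["bluetoothctl", "paired-devices"], capture_output=True, text=True, check=True).stdout
    devices = []
    for line in out.splitlines():
        m = _ADDR_RE.match(line.strip())
        if m:
            info = subprocess.run(["bluetoothctl", "info", m.group(1)], capture_output=True, text=True, check=True).stdout
            devices.append(parse_info(info))
    return devices


# Constructed sample records in bluetoothctl's format: a key left paired, a device that now
# presents as a keyboard, and an ordinary headset that should not be flagged.
SAMPLE_INFO = [
    "Device AA:BB:CC:DD:EE:01 (random)\n\tName: Titan Security Key\n\tPaired: yes\n\tConnected: no\n"
    "\tUUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)\n"
    "\tUUID: Vendor specific           (0000fffd-0000-1000-8000-00805f9b34fb)\n",
    "Device AA:BB:CC:DD:EE:02 (random)\n\tName: Keyboard\n\tClass: 0x00002540\n\tIcon: input-keyboard\n"
    "\tPaired: yes\n\tUUID: Human Interface Device    (00001812-0000-1000-8000-00805f9b34fb)\n",
    "Device AA:BB:CC:DD:EE:03 (public)\n\tName: Headset\n\tClass: 0x00240404\n\tIcon: audio-headset\n"
    "\tPaired: yes\n\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)\n",
]

if __name__ == "__main__":
    devs = live_paired_devices() if "--live" in sys.argv else [parse_info(t) for t in SAMPLE_INFO]
    for addr, name, reason in audit(devs):
        print(f"{addr}  {name!r}: {reason}  ->  bluetoothctl remove {addr}")
```

Run without arguments it audits the constructed records and reports the key and the keyboard but not the headset; `--live` does the same against the adapter's real paired list. The keyboard check deliberately looks at three independent fields because a device can satisfy any one of them, and the suggested removal is printed rather than executed so the user decides what to unpair.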
Article updated with Google comment regarding Feitian-branded keys.