Google could be selling compromised security tool: Titan Security Key

The company faces questions about the implementation of a new security tool

Google has recently begun selling a piece of hardware called Titan Security Key, which functions as an additional cybersecurity measure by adding two-factor authentication in different online environments; however, ethical hacking specialists question the way in which the company has implemented this tool.

A post on the company blog mentions that the security key can be used in any environment where there is support for such tools, including Google’s Advanced Protection Program, aimed at those who may be at higher risk of cyberattacks, such as journalists, activists, and politicians.

However, when someone logs into the Advanced Protection Program site and clicks the “Get started” option, the site redirects them to a page stating that two security keys are needed: one as the main tool and another as a backup. The backup option offered by Google is the Yubico FIDO U2F security key, available at Amazon, which seems legitimate; the problem lies in the main key that Google asks users to acquire, the MultiPass FIDO security key from Feitian Technologies, a China-based security company.

As ethical hacking experts have noted, it seems that the Titan security key is the same hardware as Feitian MultiPass FIDO, just marketed by a different brand.

Feitian is a member of the Chinese IT-military alliance, comprising 12 companies. According to international observers, Feitian mentions that the head of the General Department of Armaments expressed a deep interest in its products and that the company would provide service to the military market under the grand strategy of ‘civil-military integration’. Researchers specializing in the Asian country mention that there is no way in which a Chinese company can decline to integrate into government intelligence activities.

For ethical hacking experts from the International Institute of Cyber Security, the problem is not that Feitian is responsible for cyber threats, surveillance or other related acts. The question is about Google and its apparent decision to establish deep links with a Chinese company that could potentially compromise its protection programs. In other words, Feitian could be compelled by the Chinese government in the name of State intelligence activities, and would have no choice but to comply.

The Google program is designed to protect the type of people in whom the Chinese government can have a serious interest, such as political activists protesting against China’s control and censorship measures.

By directing those in its protection program to a hardware vendor that has not implemented Google’s own brand firmware, Google opens the possibility that a different firmware could be used, that hardware-level and firmware backdoors could be exploited, and that other forms of alteration could occur at the manufacturing stage, all of which would be out of Google’s control.

Descriptions of Feitian security keys, whether purchased directly or through Amazon, do not mention the inclusion of Google firmware in any way. This leads several ethical hacking experts to wonder: why does the variant of the key offered in the Google Store carry the Google firmware, while the keys required for the protection program do not? If such a strict security standard is being implemented, why use hardware manufactured by actors closely related to a government as interested in monitoring its opponents as the Chinese one?

The most optimistic view is to think that Google was unaware of the link between the Chinese government and Feitian Technologies, although no one really believes that the company has acted with such ignorance of the Chinese company.