Experts ask Google for clarifications about backdoor in Titan Security Key


The company has been asked to clarify how its security keys, which are manufactured in China, are secured

According to ethical hacking specialists from the International Institute of Cyber Security, Google recently began selling the Titan Security Key in the Google Store: a physical token that provides two-factor authentication more robust than an SMS code or an authenticator app. Instead of relying only on a password, which a sufficiently skilled attacker may be able to obtain, the user must also plug the token into the computer or hold it near the phone when logging in.

But several experts are concerned about the security of these devices because, as already reported, they are actually manufactured by Feitian, a Chinese company. Through the specialized press, specialists have asked Google to be more transparent about these tokens, given the possibility that the Chinese government could use them to attack the keys' users.

Physical tokens of this kind are used to protect online accounts such as e-mail or cloud storage services. Several companies offer them, and Google has previously said that security keys are the reason none of its more than 85,000 employees has been successfully phished since the beginning of last year.

But the Titan Security Key is not actually made by Google: the company has confirmed that Feitian manufactures the keys. Legally Google is the manufacturer, but it contracts a third party to produce the hardware, and that tie to China is what keeps ethical hacking experts concerned.

Generally speaking, the concern is that the Chinese government might compel Feitian to introduce some kind of backdoor into the devices, or intercept and tamper with keys in transit, giving it access to the accounts of the devices' users.

Google has stressed that the firmware is what secures the Titan key. As a company spokesman said in recent months, the keys include firmware developed by Google that verifies the device's integrity and ensures it has not been tampered with; according to the company, this is what distinguishes the Titan Security Key from the other options on the market.
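To make concrete what a security key actually does during login (the plug-in step described above) and what a website can and cannot verify about a token's origin, the following Go program is an added example; it is not code from Google, Feitian or this article. It simulates the FIDO U2F raw message flow: the token attests a freshly generated per-site key with a vendor attestation key, then signs login challenges bound to the requesting origin together with a monotonically increasing counter; the site checks the attestation against a pinned vendor key, checks the origin binding, and rejects a counter that fails to advance. The vendor key, the site name, the random key-handle scheme and the bare-public-key attestation are assumptions made for illustration (a real token derives or wraps the handle internally, and real attestation uses an X.509 certificate chain).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const userPresent byte = 0x01 // U2F user-presence flag: the button was touched

// Key models the token's secure element; its private keys never leave it, only signatures do.
type Key struct {
	attest  *ecdsa.PrivateKey            // assumption: one attestation key per vendor batch
	creds   map[string]*ecdsa.PrivateKey // key handle -> per-site signing key
	counter uint32                       // rises with every signature; lets a site spot a clone
}

func NewKey(attest *ecdsa.PrivateKey) *Key {
	return &Key{attest: attest, creds: map[string]*ecdsa.PrivateKey{}}
}

// U2F raw registration data: 0x00 || appParam || challenge || keyHandle || userPublicKey
func registrationMessage(appParam, challenge [32]byte, handle []byte, pub *ecdsa.PublicKey) []byte {
	m := append(append([]byte{0x00}, appParam[:]...), challenge[:]...)
	m = append(m, handle...)
	return append(m, elliptic.Marshal(pub.Curve, pub.X, pub.Y)...) // 65-byte uncompressed point
}

// U2F raw authentication data: appParam || userPresence || counter (uint32 BE) || challenge
func authenticationMessage(appParam [32]byte, counter uint32, challenge [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	m := append(append(appParam[:], userPresent), ctr[:]...)
	return append(m, challenge[:]...)
}

// Register mints a fresh P-256 key pair for one site and attests it.
func (k *Key) Register(appParam, challenge [32]byte) (*ecdsa.PublicKey, []byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	handle := make([]byte, 32) // assumption: opaque random handle the site stores and presents at login
	rand.Read(handle)
	k.creds[string(handle)] = priv
	digest := sha256.Sum256(registrationMessage(appParam, challenge, handle, &priv.PublicKey))
	sig, err := ecdsa.SignASN1(rand.Reader, k.attest, digest[:])
	return &priv.PublicKey, handle, sig, err
}

// Authenticate signs the challenge bound to whichever origin the browser names.
func (k *Key) Authenticate(appParam, challenge [32]byte, handle []byte) (uint32, []byte, error) {
	priv, ok := k.creds[string(handle)]
	if !ok {
		return 0, nil, errors.New("unknown key handle")
	}
	k.counter++
	digest := sha256.Sum256(authenticationMessage(appParam, k.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return k.counter, sig, err
}

// VerifyRegistration is the site's enrollment check: the attestation must verify under the pinned vendor root.
func VerifyRegistration(vendorRoot *ecdsa.PublicKey, appParam, challenge [32]byte, pub *ecdsa.PublicKey, handle, sig []byte) bool {
	digest := sha256.Sum256(registrationMessage(appParam, challenge, handle, pub))
	return ecdsa.VerifyASN1(vendorRoot, digest[:], sig)
}

// VerifyAuthentication is the site's login check: a response signed for another
// origin (phishing) fails, and so does one whose counter has not passed lastCounter (a clone).
func VerifyAuthentication(pub *ecdsa.PublicKey, appParam, challenge [32]byte, lastCounter, counter uint32, sig []byte) error {
	digest := sha256.Sum256(authenticationMessage(appParam, counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify for this origin")
	}
	if counter <= lastCounter {
		return errors.New("counter did not advance: possible cloned key")
	}
	return nil
}

func AppParam(appID string) [32]byte { return sha256.Sum256([]byte(appID)) }
func NewChallenge() (c [32]byte)     { rand.Read(c[:]); return c }

func main() {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the vendor's attestation CA
	key, site := NewKey(vendor), AppParam("https://accounts.example.com")
	c := NewChallenge()
	pub, handle, sig, _ := key.Register(site, c)
	fmt.Println("attested enrollment:", VerifyRegistration(&vendor.PublicKey, site, c, pub, handle, sig))
	c = NewChallenge()
	ctr, sig, _ := key.Authenticate(site, c, handle)
	fmt.Println("login:", VerifyAuthentication(pub, site, c, 0, ctr, sig))
}
```

Note what attestation does and does not establish. It tells the site only that the key was produced with the vendor's attestation key, which is exactly the property a compromised manufacturer could still provide: a backdoor in key generation, or a per-site key that leaked at the factory, passes this check unchanged. The origin binding is what defeats a phishing relay, and the counter is the only signal in this flow that a second device is signing with the same credential.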

However, this does not seem to be enough for some specialists.

Dan Guido, an ethical hacking specialist, says the public needs to know what changes Google made to Feitian's firmware, or whether the company developed the firmware from scratch. If so, it is also necessary to know what procedure was used to achieve a satisfactorily safe outcome. The specialist notes that it is impossible to update the firmware on most keys, which means that vendors have to do the right thing the first time. It is also necessary to know whether Google added an update function: "If so, I would avoid using it or recommending it", the specialist said.