Experts voice concern after discovering Google's Titan Security Key is made in China
While the US and UK governments continue to eye China with suspicion, blocking the use of some Chinese hardware because of national security concerns, it has come to light that Google's Titan Security Key is produced in China.
The keys are supposed to boost security through the use of two-step verification, but security experts are calling for transparency about the supply chain for the hardware after it was revealed it is produced by Chinese company Feitian. There are concerns that the devices could be compromised by Chinese hackers (state or otherwise) to spy on users.
As with Russia, the threat of surveillance carried out by China has long been a worry, and Chinese involvement in security products used in the West raises understandable concerns. Speaking to Motherboard, former chief information security officer at Facebook, Alex Stamos, said of Google: "I think it would be great if they documented their supply chain process".
On Twitter, he went as far as saying he would not recommend the use of the security keys:
I think I can believe two things:
1) People throw around "that is made in China" as shorthand for "it is definitely backdoored" with no evidence or consideration for compensating controls.
2) I'm not recommending the Google keys.
— Alex Stamos (@alexstamos) August 30, 2018
Chinese involvement in the production of Google hardware is hardly a new thing. Earlier in the year the Feitian name was noticed as being linked to the company's security keys:
"Google builds its own hardware security keys."
You mean "Google sells Feitian security keys under its own brand name"? pic.twitter.com/V2RgoEkPiV
— Luc Van Braekel (@lvb) July 25, 2018
Google is not hiding the fact that Feitian makes the keys -- the company has in fact confirmed as much. But given the level of apprehension Chinese companies raise in many people, it is perhaps surprising that Google opted to go down this route -- especially considering this is a security product.
One of the features of Titan Security Keys is that they include tamper-resistant firmware, but if the supply chain is compromised, this might not be of any use. This is a worry voiced by CEO of cybersecurity firm Trail of Bits, Dan Guido:
I want to know what changes they made to the Feitian firmware, or if they wrote the firmware from scratch. If from scratch, I want to know what steps they took to ensure a secure outcome.
Google is yet to give any more detail about the production process, and it is not clear whether it will do so or not. It also remains to be seen whether concerns about security and transparency are great enough to impact upon the sale of Titan Security Keys.