The AchieVer

Inside a Google Titan Bluetooth security key – high security, low durability

The Google Titan Bluetooth two-factor security key might be the best way to protect your account from hackers and phishing attacks, but the hardware itself is a big disappointment.

 

Google has been pushing its Titan two-factor authentication security keys as the best way to protect Google Accounts from hacking and phishing, especially high-value accounts that are regularly probed and attacked. The key is used as part of Google's Advanced Protection Program.

 

Recently, a bug was discovered with the Bluetooth Titan key, and Google issued users replacements. Since I'm a Titan user, this meant that I had an old key to play with. So, what better use for it than to tear it apart?

 

So, what is inside a Google Titan Bluetooth two-factor security key?

Note: This teardown is for a Feitian Bluetooth two-factor security key, but Google's Titan keys are rebranded Feitian keys.

Well, I have to admit that I was expecting a lot more than I saw.

 

First off, the shell is constructed from cheap ABS plastic, with no reinforcement. I've only been using a Titan key for a few months, and I'd already noticed in that time how roughed up it had become. For the teardown it split in two easily, and the circuit board fell out no problem.

 

If you keep your security key on a keyring, then be aware that if it does break, the insides will fall out. Ideally, the board should be secured in such a way that it doesn't fall out easily, and even if the case does break, the board should be retained on the keyring and not just deposited on the ground somewhere.

 

The key isn't waterproof either. The board is a bare circuit board with no signs of even basic waterproofing. While it did survive a short soak, I believe that long-term exposure to water – or sweat – would be an issue, and that corrosion could form that would damage the key. Ingress of water could cause the battery to short circuit, possibly damaging the battery or electronics.

 

There are also no visible anti-tampering safeguards. None of the chips are encased in epoxy, and there is no self-destruct button to electronically destroy the key if it is opened. 

 

All the major chips seem to be off-the-shelf components too, with markings still on them (wiping the markings off chips is a handy security precaution).

 

The battery powering the key is a small off-the-shelf 35mAh 3.7W lithium polymer pack. It's soldered onto the board, but replaceable if you can get inside the key without exploding the fragile case.

 

The Bluetooth chip is also an off-the-shelf chip.

 

Here are the main chips inside the key:

  • Nationz Z32HUB 32-bit ARM high-performance security MCU
  • NXP A7005 secure authentication MCU
  • NXP QN9021 Bluetooth LE chip

So, all in all, the Google Titan Bluetooth two-factor security key hardware is disappointing. I was expecting a more robust design, especially when it came to breakage and waterproofing, and was expecting basic anti-tamper safeguards such as encasing chips – especially the main secure element chips – in epoxy.

 

The bottom line is that this key really doesn't seem all that robust and if you are using them to secure your Google Account I would plan on breakages and have contingencies in place.

 

 

 

Source

Edited by Karlston
Tidied formatting
