As Jennifer Lin, Google’s director of product management, GCP security and privacy wrote in a blog post in July, the keys include firmware developed by the company to verify its integrity, and make sure it hasn’t been tampered with.
Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at or email emphasised to Motherboard how the firmware improves the security of its Titan keys. (On a related note, in a tweet Stamos pointed to backdoors the NSA introduced into products from Cisco). Generally speaking, one concern is that the Chinese government could potentially force Feitian to introduce some form of backdoor into the devices, or intercept the keys themselves and tamper with them, allowing the government to then access accounts of targets, for instance. Motherboard granted the source anonymity because they were not authorized to talk to the press. “The supply chain in China often is dictated by government policy,” the head of a security team based in a global, multi-billion dollar company said. That Chinese link is what concerns multiple, senior security staff, though. Legally, Google is the manufacturer, but the company contracts with the third party to produce the keys, Google said. Google confirmed to Motherboard that Feitian does make the keys, and that Google does not see an issue with working with them. Several different companies provide such tokens, and Google has previously said security keys are the reason none of its over 85,000 employees have been successfully phished since early 2017.īut the Titan key isn’t really made by Google, at least exclusively.
Hardware security tokens are used for locking down online accounts, such as email or cloud storage. “I think it would be great if they documented their supply chain process,” Alex Stamos, Facebook’s former CISO and now at Stanford University, told Motherboard.
0 kommentar(er)
