Inside Google Titan/Feitian Key

Google Titan AKA relabeled Feitian security key

Other teardowns

Casing: Pure ABS, no tamperproofing.

I was previously harshly critical of the former YubiKey's enclosure/shell design. As it turned out, YubiKey's old design was pretty advanced if you compare it to Google's. I am no chemist, but Titan's case looks and feels like pure, cheap ABS. Same ABS as in your LEGOs. And it turns into a milky suspension within minutes when submerged in acetone. I would not be drastically surprised is someone discovers you can melt the case by breathing at it after downing a good drink. I have not tried that, but a quick acetone bath allows you to fish out a clean board that sports a very proud FEITIAN logo, URL, manufacturing date, version number, and component IDs. Thank you Feitian for silkscreening both sides of the board. Very useful! Going back to the plastic, unlike Yubico, there are no fiberglass fillings that would make the case much sturdier. Do not expect your Titan key to last very long on your keychain.

Durability and destructability

Again, you may not want attach your Googlefied Feitian key to your key chain. A bit of a good news is that if you ignore this advice and within a few days break the thin side of the key ring hole, the key will continue to function, as there are no conductors on the PCB on the edge side of the hole. I am confused about the purpose of the protective plastic cover in the middle of the board. It covers the crystal resonator, radio, and a few discrete components. If that was an attempt at tamper resistance, it failed miserably. The cover is attached using transparent epoxy adhesive and there is no adhesive under the cover. The cover is actually pretty easy to remove and once removed you have clear access to all components.

Titan pictures

Similarities

Interestingly, the Google/Feitian key's design is nearly identical to the Yubico's. They use the same NXP chips, (Feitian's auth controller is the older A7005a with JCOP OS v2.4.2 R0.9. Yubikey's newer A7005c uses JCOP v2.4.2 R1). IC placement is very similar. Keyring hole diameter is identical. I hope the firmware is different. :) One can find reasons to wonder which one is the original and which one is a copy.

What is the cost?

We estimate total manufacturing costs to be in the range of $6..$8 USD. This breaks down to:

Improvement recommendations

• GET. RID. OF. ABS.
• Protective plastic cover makes it easy to access components beneath it without destroying them. Using epoxy instead would have been much more effective.
• Epoxy is clear, should be black.
• Security devices should not use silk screening. Nobody cares about your logo or URL on the board that is not designed to be accessed.
Omiting silk screening would remove unnecessary manufacturing step (though it would not save much) and at the same time complicate identification of SMD components.

About HexView

HexView's InfoSec experience goes back to early 2000s. Our company became one of the first (if not the first ever) to adopt "reasonably-responsible" vulnerability disclosure process where vendors were given a fixed timeframe to resolve a problem, and upon expiration, a full public disclosure would be released. Those days were great... The company has since evolved into a boutique that provides higher-level management consulting services, such as reviews of your relationships with security vendors. We also perform security assessments for the Internet of Things and specialized devices, such as medical equipment. Let us know if we can help.