Why is Google selling potentially compromised Chinese security keys?

Opinion: To sign up for Google's Advanced Protection Program, you must buy security keys from a Chinese vendor. Security questions have since been raised in light of China's current intelligence laws.

Google has come under fire for its ties to China recently. The situation has the potential to get a lot worse now that Google is offering a Chinese security product to those who need protection the most.

Earlier this month, the tech giant was criticised after reports emerged of its secret project to develop a Google search engine version catering to China's censorship regime.

As reported by The Intercept, a team of Google engineers is working on a version of the search engine in an app which restricts content banned by Beijing by pulling blacklists on web content directly from China's Great Firewall censorship network.

Dubbed Dragonfly, the custom search app has already been shown off to Chinese officials and could be launched in as soon as six to nine months, paving the way for Google's return to the country after withdrawing eight years ago on the grounds of free speech rights and China's cyberespionage activities.

At the time, Google protested the country's heavy censorship laws: Chinese citizens are blocked from large swathes of the web, including social networks. Criticism of the Chinese government and its leaders is also not tolerated.

This week's revelations resulted in outcry not only from the public but also internally in the company. Google has not commented on the apparent leak beyond "we don't comment on speculation about future plans."

However, it seems like this may not be the end of potential security and privacy implications caused by such relationships.

On Thursday, Sam Srinivas, Director of Product Management at Google Cloud, revealed the launch of Titan Security Keys in the Google Store.


The Titan Security Keys, which are now up for sale in the official US store, are described as "phishing-resistant two-factor authentication (2FA) devices that help protect high-value users such as IT admins."

"Titan Security Keys work with popular browsers and a growing ecosystem of services that support FIDO standards," the company added. "They are built with a hardware chip that includes firmware engineered by Google to verify the integrity of the key."

Srinivas says that Google's keys have extra "special sauce" -- the addition of firmware from the company which, embedded in a hardware chip, "helps to verify that the key hasn't been tampered with."

In a separate blog post written by Christiaan Brand, Product Manager of Google Cloud, the executive says that the Titan Security Keys "can be used anywhere security keys are supported as a second factor of authentication, including Google's Advanced Protection Program."

The Advanced Protection Program is directed at those who may be at more risk of targeted attacks, such as journalists, activists, executives, and politicians.

However, should you sign up, you are not forwarded to the Google Store to purchase the keys imbued with Google's "special sauce". Instead, if you click "get started," you are directed to a page which says you will need two security keys: one for primary use and another as a backup.


While the backup option, the Yubico FIDO U2F Security Key that you are required to purchase from Amazon, looks legitimate, the first and main key you are asked to buy is potentially problematic.


At the time of writing, that option is the Feitian MultiPass FIDO Security Key. Those in the US are directed to Amazon, while those in the UK are directed to the Chinese vendor's website.


As noted in July by an IT consultant, it appears the Titan is the same hardware, just sold under a different brand name.


Founded in 1998, Feitian Technologies is based in China and provides security solutions for the banking, financial, telecommunications and government sectors.

As reported by China Change, a human rights outfit and news outlet which is part of the Human Rights Archive at Columbia University, the company joined the "IT-Military Alliance" (计算机世界科技拥军联盟), made up of 12 companies in total, in 2003. A document viewed by ZDNet verified the findings.

The alliance ceremony was reportedly dedicated to the 76th year of the founding of the Chinese People's Liberation Army (PLA).

According to China Change's Matthew Robertson:

"Feitian notes on its website that 'the head of the General Armaments Department expressed a deep interest in Feitian's products,' and that 'Feitian will inevitably provide earnest service to the giant military market under the grand strategy of "civil-military integration," and thus do our bit to help the construction of the nation's informatized defensive infrastructure.'"

Realistically, no Chinese company is going to be able to respectfully decline an invitation to join a celebration with the PLA.

The company, too, may have no intention of covertly tampering with the hardware it sells for use in Google's Advanced Protection Program.

However, as declared in China's 2017 National Intelligence Law, section seven:

"All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.

The State protects individuals and organizations that support, assist, and cooperate with national intelligence efforts."

Because of this law, vendor Huawei is fighting back against concerns raised by Australia and the US, both of which have questioned its relationship with the Chinese government and the potential risks to national security.

Tom Uren, a visiting fellow at the International Cyber Policy Centre at the Australian Strategic Policy Institute, told China Change that "companies in China aren't able to refuse to engage in intelligence activities."


The problem here is not that Feitian is responsible for any cyberthreats, surveillance, or direct attacks against those who need additional protection the most. Rather, the decisions Google seems to be making by being so deeply connected to a Chinese company could potentially undermine the entire protection program.

Feitian could find itself imposed upon by the Chinese government in the future in the name of intelligence activities -- and would have little choice but to comply.

Google's program is designed to protect the sort of individuals whom the Chinese government may have serious interest in, such as activists and those speaking out against the country's government.

China has been linked to arrests, surveillance, and cyberattacks targeting free speech advocates and activists in the past. From the Chinese ruling party's perspective, the lure of being able to covertly monitor those involved in the program may be too much to resist.

By directing those in the protection program straight to the vendor for hardware that does not carry Google's own firmware -- the so-called "special sauce" -- Google leaves open the possibility of different firmware being loaded, backdoors at the hardware or firmware level, or other forms of tampering at the manufacturing stage, all of which would be outside Google's control.


The descriptions offered of the Feitian keys, whether purchased directly or through Amazon, do not mention the inclusion of Google firmware in any capacity.

So why does the variant of the key on the Google Store offer Google firmware, whilst the keys required for the protection program do not?

The backup key is produced by Yubico. On the company's blog, Yubico may be alluding to the situation.

"Google released their own version of a security key, and while we have received the question if we were part of this production, these devices are not manufactured by Yubico," the company said. "Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden."

The once-celebrated Google motto of "Don't be evil" may be a thing of the past but the idea that Google is promoting the use of hardware to those that require additional security -- which may, one day, become the very thing that compromises their privacy and identities -- is deeply unsettling.

Robertson said in a discussion with ZDNet:

"If you're going to have this stringent security standard, why use the hardware manufactured by actors closely connected with those trying to break into your account?

My most optimistic view is that it was simply a matter of ignorance on Google's part -- not having checked out the background of Feitian Chengxin -- and lack of internal security review and judgment, which all of us would not like to consider."


ZDNet reached out to Google and Feitian and has not received a response at the time of writing.