Inside a Google Titan Bluetooth security key – high security, low durability

The Google Titan Bluetooth two-factor security key might be the best way to protect your account from hackers and phishing attacks, but the hardware itself is a big disappointment.

Google launches its own security key The Titan Security Key reduces the risk of attackers using stolen credentials to access a user's account, as the security key is also required to log in. Read more: https://zd.net/2LCNK8A

Google has been pushing its Titan two-factor authentication security keys as the best way to protect Google Accounts from hacking and phishing, especially high-value accounts that are regularly probed and attacked. The key is used as part of Google's Advanced Protection Program.

Recently, a bug was discovered with the Bluetooth Titan key, and Google issued users replacements. Since I'm a Titan user, this meant that I had an old key to play with. So, what better use for it than to tear it apart.

Must read: iOS 13: Things Apple still needs to fix

So, what is inside a Google Titan Bluetooth two-factor security key?

Note: This teardown is for a Feitian Bluetooth two-factor security key, but Google's Titan keys are rebranded Feitian keys.

Well, I have to admit that I was expecting a lot more than I saw.

First off, the shell is constructed from cheap ABS plastic, with no reinforcement. I've only been using a Titan key for a few months, and I'd already noticed in that time how roughed up it had become. For the teardown it split in two easily, and the circuit board fell out no problem.

If you keep your security key on a keyring, then be aware that if it does break, the insides will fall out. Ideally, the board should be secured in such a way that it doesn't fall out easily, and even if the case does break, the board should be retained on the keyring and not just deposited on the ground somewhere.

The key isn't waterproof either. The board is a bare circuit board with no signs of even basic waterproofing. While it did survive a short soak, I believe that long-term exposure to water -- or sweat -- would be an issue, and that corrosion could form that would damage the key. Ingress of water could cause the battery to short circuit, possibly damaging the battery or electronics.

There are also no visible anti-tampering safeguards. None of the chips are encased in epoxy, and there is no self-destruct button to electronically destroy the key if it is opened.

Special feature

Cyberwar and the Future of Cybersecurity

Today's security threats have expanded in scope and seriousness. There can now be millions -- or even billions -- of dollars at risk when information security isn't handled properly.

Read More

All the major chips seem to be off-the-shelf components too, with markings still on them (wiping the markings off chips is a handy security precaution).

The battery powering the key is a small off-the-shelf 35mAh 3.7W lithium polymer pack. It's soldered onto the board, but replaceable if you can get inside the key without exploding the fragile case.

The Bluetooth chip is also an off the shelf chip.

Here are the main chips inside the key:

  • Nationz Z32HUB 32-bit ARM high-performance security MCU
  • NXP A7005 secure authentication MCU
  • NXP QN9021 Bluetooth LE chip

So, all in all, the Google Titan Bluetooth two-factor security key hardware is disappointing. I was expecting a more robust design, especially when it came to breakage and waterproofing, and was expecting basic anti-tamper safeguards such as encasing chips -- especially the main secure element chips -- in epoxy.

The bottom line is that this key really doesn't seem all that robust and if you are using them to secure your Google Account I would plan on breakages and have contingencies in place.