[paulgerhardt]

Note, Google in typical fashion has named 6+ products "Titan." (Titan M, Titan C, Titan Security Key (available in USB A, C, Bluetooth versions), Titan Security Module, OpenTitan, and maybe a few more if you count the old Bluetooth versions that were recalled that look identical to the new Bluetooth version).

The various Titan Security Keys are also made by Feitian who sometimes use the same auth chip and sometimes don't but externally look identical.

The products sole purpose is to establish a secure chain of trust and starts out the gate broken with ambiguous or misleading claims for verifying exactly which Titan it is.

Google will pay you $1 million to hack the Titan but not the Titan hacked here - the other Titan[1]. Furthermore they are happy to tell you that their products, like Google Cloud Platform, are "Secured by Titan" but not which Titan [2].

This is frustrating because the Titan M is an absolutely brilliant device, with some real advancements to normalize embedded security, including an SPI interposer to monitor communications (a real leap forward) - and should not at all be conflated with a generic, whitelabeled, non-hsm product that makes no claims whatsoever and has been broken at least twice before [3] [4]. The Titan C is an even bigger improvement over the Titan M but not in anyway they care to disclose which may or may not indicate weaknesses in Titan M [5]. Likewise, OpenTitan[6] is crashing through barriers others didn't even know were there in establishing verifiable silicon roots of trust but is ambiguously different than Titan M because of various foundry and PDK issues which may be as innocuous as having to run the chips through at different process sizes but who knows because while OpenTitan is verifiable; Titan M/C aren't.

[1] https://duo.com/decipher/hack-the-titan-m-get-usd1-million

[2] https://cloud.google.com/blog/products/gcp/titan-in-depth-se...

[3] http://www.hexview.com/~scl/titan/ - note the migration from the NXP A7005a to A7005c

[4] https://www.engadget.com/2019-05-15-google-recalls-some-tita...

[5] https://showcase.withgoogle.com/titan-c/

[6] https://opentitan.org/

[lambda_obrien]

I still don't understand which titan keys I have and whether this affects them.

[zinekeller]

Titan on Pixel -> OK

Titan BT or NFC -> Physically not OK, but remote attacks still impossible so unless you're targeted and somehow got access to your fob, it doesn't matter.

[lambda_obrien]

Thanks

[tpetry]

So the titan security keys sold which imply to be secure because they are from google and not that secure? Not secure enough enough to allow bounties for hacking?

It's nice they have a secure chip (titan m) like the secure enclave of apple. But the security keys imply more sense of security as there are not running a lot more apps on this device like on a smartphone.

[lifeofpi331144]

security by obscurity bro