
When cybersecurity threats grab headlines in the United States, suspicion often falls on actors from rival states, like Russia and China. In December, for instance, U.S. cybersecurity firms blamed Chinese government-sponsored hackers for exploiting a recently uncovered critical vulnerability in computer server software.

But there is one Chinese cybersecurity firm whose gear is aimed at improving digital security for American and global consumers — Feitian Technologies. In 2018, Beijing-based Feitian formed a partnership with Google to produce the Titan security key, a USB-like device that provides two-factor authentication services. Feitian also sells to Microsoft, J.P. Morgan and Softbank. (S&P Capital IQ says it has also sold to Intel.) And in China, its clients include the big four state-owned banks and the National Administration of State Secret Protection, which is charged with protecting China’s classified secrets.
And yet, while winning those contracts is a sign of the company’s growing presence in the market for security keys, some analysts worry about potential risks for users of Feitian’s hardware. This week, The Wire looks at the rise of Feitian Technologies, and what analysts say about its security keys.
COMPANY HISTORY
Feitian was founded in 1998 by three computer science students who studied together at Beijing’s Jiaotong University: Huang Yu, Li Wei, and Lu Zhou. The three established Feitian in the heart of Beijing’s version of Silicon Valley, the state-backed Zhongguancun technology zone, where some of China’s leading tech firms were building a presence alongside global firms like Microsoft and Google.
Early on, Feitian specialized in manufacturing USB security keys. In fact, it claims to be the first Chinese company to develop an identity authentication device. Cybersecurity experts consider security keys the gold standard for login and identity verification. Sites are increasingly encouraging users to adopt two-factor authentication — an extra layer of security that, for most people, involves entering a code received via text message or a phone app. But those methods have loopholes: texts can be intercepted, and users can be tricked into entering their codes into phony websites. USB security keys, which resemble a thumb drive, recognize legitimate sites and can’t be tricked into logging into a fake webpage. Last year, about 40 percent of Feitian’s revenue — about $60 million — came from selling security keys, a large percentage of which were made for China’s biggest banks.
LOOKING OUTWARD
While Feitian’s revenue has fluctuated wildly in recent years, its share of overseas revenue has tripled since the company’s 2014 listing on the Shenzhen Stock Exchange. In addition to its sales to global technology firms, the company has also become a member of several industry certification bodies. It is one of just two Chinese companies, for instance, on the 41-member board of the FIDO Alliance, an industry association that sets technical standards to transition internet users away from password-based logins. (The other Chinese firm is Lenovo.)
And while Chinese-made security devices might seem like a potential security threat, given U.S.-China political tensions, analysts say hardware providers like Feitian pose less of a risk than software or service providers. “The risk is higher with a service provider [than with a hardware provider] because they’re basically sitting on your box,” says Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.

Still, malicious actors have exploited hardware vulnerabilities or backdoors before. Documents leaked by U.S. whistleblower Edward Snowden revealed the NSA’s backdoors into hardware built by Cisco. A 2018 Bloomberg Businessweek article on how Chinese spies hid tiny chips in motherboards made by U.S. tech supplier Supermicro suggests that Beijing may have similar capabilities. But Segal notes that the cybersecurity community remains skeptical of the Bloomberg Businessweek report. (Despite forceful denials from firms including Amazon and Apple, Bloomberg stood by its 2018 Super Micro report, and published a follow-up article earlier this year.)
Feitian’s Google partnership is perhaps its best-known deal. (Neither Google nor Feitian responded to requests for comment for this article.) Google began marketing its Titan security key in 2018 alongside its Advanced Protection Program, an opt-in enhanced security option for Google accounts that requires users to register at least two security keys. But cybersecurity experts, including Facebook’s former chief information security officer, Alex Stamos, questioned whether the Chinese-made key would undermine what Google calls its “strongest security” option. Chinese dissidents have also expressed concerns about buying a Chinese-made security key to protect their Google accounts, after the accounts of some dissidents were targeted by “state-sponsored attackers.”
Earlier this year, Titan again drew attention after researchers uncovered a vulnerability that could allow a determined hacker to clone a key if they were able to gain physical access to it. But that doesn’t mean the Titan is more vulnerable to Chinese hacking than other security keys, says Victor Lomne, a cybersecurity researcher with France-based NinjaLab who helped uncover the vulnerability. He says other keys based on similar technology have the same flaw, and while the device is made by Feitian, Google claims to develop the firmware.
“It is more an international product than a Chinese one,” Lomne says. “More generally, a lot of digital devices are actually manufactured in China (e.g., Apple products). So if one is afraid of the Chinese origin of the Titan key for security risk, one should be also for most of the digital products we use every day.”
In gaining a foothold overseas, Feitian may soon join a handful of other Chinese tech brands that don’t necessarily make high-end electronics like smartphones, but have found a niche and quietly become serious competitors abroad, like Anker, the Shenzhen-based maker of phone chargers and battery packs, and CCTV camera makers like Hikvision and Dahua, which dominate the global video surveillance market.
OWNERSHIP
Feitian is a publicly traded company listed in Shenzhen. Its three founders cumulatively hold a controlling stake in the company. Listed below are the company’s biggest shareholders:


Eliot Chen is a Toronto-based staff writer at The Wire. Previously, he was a researcher at the Center for Strategic and International Studies’ Human Rights Initiative and MacroPolo. @eliotcxchen