This is old news, but just in case you didn’t read about it, Feitian’s MultiPass FIDO U2F tokens are vulnerable to a Bluetooth exploit. The tokens in question are these:

The tokens

I actually did a review on these tokens a long time ago (god, this video is embarrassing). Go check it out (or not please just don’t).

So what’s the issue?

The problem is that they’re vulnerable to a Bluetooth exploit that allows an attacker to intercept the process while the token is pairing to a device (or exchanging U2F payloads, for that matter). To mitigate this, iOS devices immediately unpair the tokens starting from iOS 12.3 and disallows usage entirely, while Android devices will stop and unpair these devices when they get the update to the Bluetooth security stack - which means they never will. (cough Android updates suck cough)

I’m rehashing a lot of things available in the actual, official press release so if you want more details go check out the link.

Wait, didn’t Google..

That’s right. If you think that key looks suspiciously similar to Google’s security key, you’re not wrong. Google’s Titan security keys are actually Feitian’s MultiPass keys with Google’s stickers slapped on them, available in the US only (which is why I couldn’t get them and had to go direct to Feitian instead. Maybe this is an unexpected bonus because it cuts out the middleman?) Anyway, their keys are also vulnerable and that means Google will replace them too.

How do I check if I’m affected?

  • If you have a Feitian key

Look at the bottom of the key. If you have the number 1 or 2 or 3 key, then your key is affected.

  • If you have a Google key

Look at the bottom of the key. If you have the letters T1 or T2, then your key is affected.

How do I get it replaced?

  • If you have a Feitian key

Go to their website and contact them to begin the replacement process. I just emailed them.

  • If you have a Google key

    • If you are outside of the US

    You’re fucked.

    • If you are inside the US

    Go to their replacement portal to begin the process.

My experience

Spoiler alert: Feitian handled this really well. Job well done, Feitian customer support!

I tried their website but the replacement form was down (under maintenance). So I emailed them on July 20th, 2019 (8:39 PM):

Hi, I have an affected Feitian FIDO key with a 3 written at the bottom of the casing. I would like to get this key replaced.

I am currently traveling in South Korea. I am wondering if I should apply for the replacement once I get back to China in August, or apply for it now. How long does it take to get the shipment out and get the key replaced? If it takes less than a week then I would like to get it replaced while I am in South Korea.

Please reply to this email as soon as possible! I tried submitting via the online form, but it gave me this error message: "Sorry it seems that our mail server is not responding, Sorry for the inconvenience!" I would like this key to be replaced as soon as possible. Thanks!

Best regards,
Eric Park

This was their response on July 22nd, 2019 (5:40 PM):

Hi Eric,

The shipping to Korea normally takes a week. It would be better to ship in China. Could you provide your address in Chinese letter, we will arrange shipment accordingly.

Best Regards,

FEITIAN Customer Care

I responded on July 23rd, 2019 (11:27 AM):

Hi,

If the shipping takes a week could you guys send it to Korea? I'll be staying here until [REDACTED]. Would that be ample time to send the product here?

Also, do I need to ship the defective model back? If so, to which address?

When can you guys start shipping the replacement model here?

Thanks!
Eric

They responded on the same day, in a couple minutes (!) July 23rd, 2019 (11:34 AM):

Hi Eric,

It will be able to arrive in June. The timeline will be fine. Could you give us the address, zip code, telephone so that we can arrange shipment.

Regarding the defective token, it is recommend to de register those tokens to all your accounts and discard it according the local regulation.

Best Regards,

FEITIAN Customer Care

So they don’t require you to ship the defective model back, and they just ask of you to dispose of it appropriately. Just in case they ask me to provide proof of ownership, I think I’ll hold onto my defective token and mark it defective so that I don’t accidentally use it.

My response on July 23rd, 2019 (3:18 PM):

Sure!

I am at [REDACTED].

My phone number is +82 [REDACTED] (South Korea).

Thanks!
Eric

Sent from my iPhone

On the same day, July 23rd, 2019 (6:18 PM), I got an email from FedEx saying that a package was en-route to my home. Their response time was seriously, crazily fast. Mad props to Feitian’s customer service team. This is what a good company should strive to achieve.

So all in all, a happy ending. Just make sure to get your keys replaced if you have one!