
I noticed that both of the Feitian USB/NFC U2F Security Keys I purchased on Amazon a few years ago are unfused. This means that the pre-personalization step was partially performed but not completed in an irreversible way. The devices are otherwise working normally. I have no idea if more recently purchased devices are in a similar state. The runtime on the device is JCOP.

Based on my own limited understanding, this would allow anyone with the transport key to be able to wipe and reconfigure the device. If the device is also unprotected in addition to being unfused, then it might even allow for secret extraction (again, assuming you have the transport key).

I'm curious if anyone with more knowledge on the subject could elaborate on the security implications of this condition. Specifically, I'm wondering how concerned I should be about using these security keys. If the concern is truly limited to the device being wiped by someone with the transport key, then I am not concerned since very few people would have access to that key. However, if someone with the transport key could load a patch to the runtime that allows the secrets to be exported, then that would be something I'd like to avoid using.

darco
  • The info you have linked is about JavaCard-compatible cards, while the device you linked is a U2F device (FIDO2 compliant), and it doesn't mention anywhere that it is JavaCard compliant. While there are potentially devices that can do both, the "fusing" step seems specific to the JavaCard API and isn't related to U2F tokens. – averell Feb 11 '20 at 06:23
  • Most U2F tokens are implemented as Javacard applets, which is an implementation detail. Through the NFC interface, I can query the underlying secure element and determine that it is an NXP secure element running JCOP, which is a specific Javacard runtime. Normally this is irrelevant because it would be locked down. And indeed this card is *almost* fully locked down: the global platform card management keys are not set to their defaults. However, pre-personalization is lower-level than global platform, which means if you have the transport key you don’t need the card management keys. – darco Feb 11 '20 at 06:42

0 Answers