FTDI Reportedly Bricking Devices Using Competitors' Chips

janoc writes It seems that chipmaker FTDI has started an outright war on cloners of their popular USB bridge chips. At first the clones stopped working with the official drivers, and now they are being intentionally bricked, rendering the device useless. The problem? These chips are incredibly popular and used in many consumer products. Are you sure yours doesn't contain a counterfeit one before you plug it in? Hackaday says, "It’s very hard to tell the difference between the real and fake versions by looking at the package, but a look at the silicon reveals vast differences. The new driver for the FT232 exploits these differences, reprogramming it so it won’t work with existing drivers. It’s a bold strategy to cut down on silicon counterfeiters on the part of FTDI. A reasonable company would go after the manufacturers of fake chips, not the consumers who are most likely unaware they have a fake chip." Update: 10/24 02:53 GMT by S : In a series of Twitter posts, FTDI has admitted to doing this.
This discussion has been archived. No new comments can be posted.

  • by Rinikusu ( 28164 ) on Wednesday October 22, 2014 @01:45PM (#48205749)

    Now consumers are becoming aware that there's a massive counterfeiting problem and can be better educated to ask their vendors "Hey, is my device legit?" I certainly had no idea that this was going on.

    • by Anonymous Coward on Wednesday October 22, 2014 @01:46PM (#48205761)

      If they work, I don't care. The scumbags bricking devices are the problem.

      • by Anonymous Coward on Wednesday October 22, 2014 @01:58PM (#48205875)

        >We've discovered some non-factory parts in your car.
        -Oh, really? Well, I'm going to drive over to the dealership and take that up with them.
        >We've already handled the problem. We crushed your car into a cube.
        -Uhhh...
        >You have 15 seconds to move your cube.

        • by The Eight-Bit Link ( 2447312 ) on Wednesday October 22, 2014 @02:03PM (#48205923)
          Not quite. Non-factory parts are fine. There are alternatives to the FTDI chips, just like there are alternative parts for your car. The problem here is the part is pretending to be genuine when it's not.
          • by nedlohs ( 1335013 ) on Wednesday October 22, 2014 @02:06PM (#48205961)

            Right, that makes all the difference, because this is perfectly reasonable:

            >We've discovered some counterfeit parts in your car.
            -Oh, really? Well, I'm going to drive over to the dealership and take that up with them.
            >We've already handled the problem. We crushed your car into a cube.
            -Uhhh...
            >You have 15 seconds to move your cube.

            • by Thud457 ( 234763 ) on Wednesday October 22, 2014 @03:15PM (#48206737) Homepage Journal
              Fine, I'll just come out and say it, it's what we're all secretly thinking anyhow.

              This is just another nail in the coffin pushed by none other than the N S A.
              They want to be able to have a documented chain of custody for every component in every piece of your equipment so the cyberpolice can backtrace any illegal encryption and punish scapegoats to justify their exponentially growing budgets. This way they can automatically tell if you done goofed and make sure the consequences will never be the same.

              WARNING : may contain MKPUPPET triggers. Processed on machinery that may have also been used to process peanuts. Oops, maybe we should have put that up front.
              • Re: (Score:3, Interesting)

                by Anonymous Coward

                Humor aside... It honestly wouldn't surprise me if supply chain documentation is what led to some of this... the Aerospace and Defense industries are very very picky about knowing exactly what they're getting (aircraft falling out of the sky due to counterfeit components would be bad...).

          • by Darinbob ( 1142669 ) on Wednesday October 22, 2014 @03:15PM (#48206745)

            Problem is that all of this stuff on USB is using vendor-specific protocols. FTDI is the most popular because it is the most popular. Thus you don't have to hunt down obscure drivers, it works on Macs and Linux and BSD, you can find source code to implement your own driver just about anywhere, and so forth. For something plugged into a Windows PC you don't care, you just use the CD that came in the box with the serial adapter, but it becomes a much bigger problem if you're using an alternative device for a machine that can't just accept a Windows driver or you're writing an embedded system that needs to talk to it.

            Overall it would be better if USB had just created a standard for this class of devices. Vendor specific drivers are a pain in the ass if you're not using Windows, and it's not just serial adapters, but things like ethernet adapters, printers, etc.

            • by wed128 ( 722152 ) on Wednesday October 22, 2014 @03:54PM (#48207169)

              Overall it would be better if USB had just created a standard for this class of devices.

              You mean like the USB CDC standard? http://en.wikipedia.org/wiki/U... [wikipedia.org]

              • It's a really lousy standard though. It does not do a good job of supporting an ethernet bridge or a UART bridge. It's possible to adapt it this way, though; however, nothing actually supported it that I could ever find except for some cable modems, so everyone has a proprietary protocol instead. I suspect the reason is because CDC is complex enough that it's difficult to implement efficiently on a tiny hub-powered device.

            • by AmiMoJo ( 196126 ) *

              There is a standard, and FTDI devices support it. It's called CDC, or Communication Device Class. It's been part of the USB spec since the early days. It supports RS232 serial and parallel printer ports.

              Most operating systems include a generic driver for USB serial converters that uses the CDC standard, including Windows. The reason FTDI provide a driver is that their chips have more features than the basic spec allows. They have some GPIOs, better support for surprise disconnects, better interrupt emulatio

              • by Alioth ( 221270 ) <no@spam> on Thursday October 23, 2014 @04:23AM (#48211001) Journal

                This has the potential though to backfire quite badly on FTDI. The vast majority of users don't know that the thing they bought is fake, all they know is that it's FTDI branded and all of a sudden it doesn't work, and they blame FTDI, and FTDI gets a bad reputation for unreliable crap (even though the hardware was counterfeit).

      • by lgw ( 121541 ) on Wednesday October 22, 2014 @02:34PM (#48206301) Journal

        If they work, I don't care. The scumbags bricking devices are the problem.

        Indeed. This will end badly for whoever thought this was clever. You'd think companies would have learned from the Sony rootkit fiasco, but no.

        FTDI just bought a ticket to the "fuck with the DoJ lottery". If they happen to brick anything used by the US Government for any official purpose, they're a winner! Who's that at the door, Ed McMahon with a giant check? No, it's the DoJ with a giant fine! You may also have won: "being made an example of", with complimentary federal prison time!

        • by mrchaotica ( 681592 ) * on Wednesday October 22, 2014 @03:17PM (#48206761)

          You'd think companies would have learned from the Sony rootkit fiasco, but no.

          What did companies learn from the Sony rootkit? That the criminal penalty for perpetrating literally tens of millions of felonies on behalf of a corporation is... absolutely nothing? Sure, that'll teach'em!

        • Re: (Score:3, Insightful)

          by Darinbob ( 1142669 )

          Well you'd have to prove the devices were bricked on purpose. Given that large number of clones I don't think they have a solution that could brick them all. This probably just bricks one big counterfeiter, and it's possible it's bricked by accident.

          In fact, bricking by accident sounds plausible given that many of these devices do the minimum work necessary to work with the popular drivers. If the drivers change the devices stop working. Even for things like USB mass storage where there's a real standar

          • by sjames ( 1099 ) on Wednesday October 22, 2014 @05:48PM (#48208207) Homepage Journal

            I think you misunderstood "brick" here. By that, TFA does not mean that the driver returns an error and doesn't init the device. It means the driver detects the counterfeit and then takes a positive action to maliciously re-program the chip so that it no longer works at all even for the old driver or a third party driver.

            The initial report was plug device into Linux box, works fine. Plug into windows box with latest FTDI driver, no work. Plug back into the linux box, no work.

        • by onepoint ( 301486 ) on Wednesday October 22, 2014 @03:27PM (#48206871) Homepage Journal

          Really, you think that they have a DOJ and or any fed regulator problem???
          Hmm...
          Specific chip driver, designed for that chip only
          Copycat chip using the above chip driver
          Change the driver code slightly for improvement or whatever reason
          Results:
          Your system crashed, if it was using the fake chip.
          Not the fault of the manufacturer of the specific chip.
          The liability goes towards whoever sold that configuration to you with the promise of that specific chip. They lied.

          I am guessing that this should be happening more often in the next 5 to 10 years, built in clones killing.

        • They're also playing the class-action lawsuit lottery.

          In fact, it might be worth the $5 to buy one of those cheap shit USB-to-serial adapters, let them brick it, and hope the settlement is that they have to give everyone affected a genuine FTDI one...

    • The good news (Score:2, Insightful)

      by Overzeetop ( 214511 )

      Now that we know it's happening we can all join the class action lawsuit which will utterly bankrupt FTDI because what they are doing is illegal and they can be held liable for damages, which could easily run into the billions.

      • Re: (Score:2, Insightful)

        by Tharkkun ( 2605613 )

        Now that we know it's happening we can all join the class action lawsuit which will utterly bankrupt FTDI because what they are doing is illegal and they can be held liable for damages, which could easily run into the billions.

        You are running a driver/firmware update on a product which isn't theirs. Just like with a laptop if you run a BIOS update on the wrong product and it destroys your machine the vendor isn't responsible.

        • Re:The good news (Score:5, Insightful)

          by Richy_T ( 111409 ) on Wednesday October 22, 2014 @02:06PM (#48205973) Homepage

          Intent.

        • Re:The good news (Score:5, Insightful)

          by Anonymous Coward on Wednesday October 22, 2014 @02:25PM (#48206177)

          This all goes out the window the minute you write code that intentionally does harmful things to your hardware. And it would be fairly easy to prove said intent: no driver should be mucking with USB PIDs ever, especially not when they've proven that the hardware in question isn't theirs. A driver that says, "Okay, this hardware clearly isn't mine, let's go break it" is malicious software.

          This is shit that Nintendo flashcart vendors do.

        • Re: (Score:3, Insightful)

          by RavenLrD20k ( 311488 )

          Except there's a difference between this and your example. When you update your BIOS there are ways to verify that the BIOS you have is compatible with the update you are going to use. With this FTDI crap, if you physically examine the chip, it has all the markings of a legit FTDI chip, down to the model stamp. When you look at the chip driver in Windows before the update, it reports back chip information for a chip that's legitimate. Upon verifying these things, you go ahead and run Windows Update wit

      • by hhawk ( 26580 )

        I don't see how it isn't not only illegal, but also terroristic -- and if any device that fails results in loss of life, limb or just economic damages I would think they would be culpable as well.

    • Consumers are becoming aware that FTDI is breaking their stuff and will hopefully be replacing it for free...

  • Is this legal? (Score:5, Insightful)

    by Calibax ( 151875 ) * on Wednesday October 22, 2014 @01:48PM (#48205771)

    A component manufacturer is unhappy that someone else is using his product id so he puts code in a driver that sets the product id to zero. This prevents the fake component being recognized by his driver or any other driver. The license for the driver explicitly states that using the driver with a fake component may irretrievably damage the component.

    If the component manufacturer doesn't want the fake product to work with his driver he can code his driver to ignore the fake. Modifying the product id to brick the component is another matter entirely.

    This doesn't hurt the people who created the fake, or even the people who purchased the fake and used them in their manufacturing. It only hurts end users who have done nothing except purchase a product in retail channels. Deliberately destroying equipment because it uses a fake component goes to a whole new level of nastiness.

    • Re: (Score:3, Insightful)

      I think the question should be, is this patch they're applying that's bricking these devices a functional patch that does benefit the official FTDI hardware? If the answer is yes then there's no malicious intent or action being taken place here. You can't expect the company to test an update against counterfeit hardware and you can't expect them to lose any sleep over it.

      Now if what they're doing is specifically targeted at doing this and doesn't change anything at all on official hardware? Then there may be a

      • by Shoten ( 260439 )

        Two things. One, the cloned FTDI subcomponents are in and of themselves essentially indefensible. The notion of "unclean hands" absolutely applies here. Two, that notion further applies to the manufacturer who included the cloned subcomponent in their product. To use a car metaphor, if a car is supposed to use a Bosch-made airbag sensor that has been well-tested and proven to be reliable, but the manufacturer instead knowingly uses counterfeit sensors, they open themselves up to enormous risk in any sit

        • Re:Is this legal? (Score:5, Interesting)

          by dgatwood ( 11270 ) on Wednesday October 22, 2014 @03:23PM (#48206827) Homepage Journal

          One, the cloned FTDI subcomponents are in and of themselves essentially indefensible.

          Not necessarily. It is not a crime to use the USB ID of a competing product. It is a violation of the rules set by the USB standards body, but if you are not a member of that organization and have no prior business relationship with them, you are under no legal obligation to comply with those rules. More to the point, reusing a USB ID is absolutely not the same thing as counterfeiting. As far as I know, no country in the entire world has a law that says that devices are counterfeit merely because they conform to another device's programming interface. For something to be counterfeit, it has to be designed and marketed as the real thing, with the intent to defraud the purchaser.

          What this means is that if the outside of the packaging claims that the part was made by FTDI, then the counterfeits are indefensible. However, if they were sold as FTDI-compatible chips, then the chips are almost certainly not in violation of counterfeiting laws. And if there's no way for the software to know the difference between those two, and if even one single device that was sold legitimately as a clone gets bricked, then FTDI is committing the crime of destruction of property. And if their actions end up destroying medical equipment, they could be charged with even more serious crimes, up to and including manslaughter.

          The reality is that in this sort of cat-and-mouse game, nobody wins, because everybody loses. It is vital that the authorities in Scotland take immediate legal action against FTDI to ensure that other companies are not tempted to pull similar stunts in the future. Their actions are clearly indefensible criminal actions, and should be treated as such, regardless of who fired the first salvo or how much harm they believe they have suffered at the hands of the counterfeiters.

        • by sjames ( 1099 )

          The end user who gets harmed DOES have clean hands. He has no way to know if the parts are or are not legit but also has no reason to suspect they are not.

          The unclean hands happen several transactions back in the chain and belong to someone who doesn't suffer in the slightest for this.

  • Why should they let people ride their coattails for no compensation? To be fair, bricking a device is a little overkill, and simply refusing to recognize a fake device may have been a better approach.
    • Because they destroy a device of someone who doesn't even know about the bickering behind the scenes. If I have a restaurant and the customers of my competitor park on my parking lot I can tell them to get lost because it's my parking lot and I can decide who may and who may not use it. I may NOT, though, simply go there and trash their cars because, hey, they were parked on my ground.

  • by Anonymous Coward on Wednesday October 22, 2014 @01:51PM (#48205807)

    ... by issuing a driver that works with their h/w, but bricks the FTDI components.

  • by supersat ( 639745 ) on Wednesday October 22, 2014 @01:52PM (#48205811)

    It looks like they are trying to hide behind their EULA [ftdichip.com], which says that "Use of the Software as a driver for a component that is not a Genuine FTDI Component MAY IRRETRIEVABLY DAMAGE THAT COMPONENT." But there are reports that this new driver is being delivered via Windows Update, which presumably doesn't show you this EULA.

    Microsoft would be wise to pull this update.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      "Use of the Software as a driver for a component that is not a Genuine FTDI Component MAY IRRETRIEVABLY DAMAGE THAT COMPONENT."

      That only covers their asses for incidental damage. If they went out of their way to deliberately damage property, they are in trouble. If there is an internal email that touts this as a feature and not a bug...even jokingly...they are in deep shit. Some class action firm is going to have fun with this.

    • by Anonymous Brave Guy ( 457657 ) on Wednesday October 22, 2014 @02:32PM (#48206267)

      Their EULA could say that if you use their software with something other than a genuine FTDI component they may send a hit man round, but I doubt that would stand up too well in court either. If they think they're going to get away with deliberately breaking someone's gear because of some weasel words in the EULA, they need better lawyers. Or they needed better lawyers, I should say, because if the reporting of what's going on is accurate then by this point I suspect they're already in serious trouble even if they don't realise it yet.

  • by flu1d ( 664635 ) on Wednesday October 22, 2014 @01:55PM (#48205847) Homepage
    Most people won't have any technical knowhow to understand why their device bricked, just that it bricked. Bricked devices will be blamed on the device manufacturer not the chip supplier.
  • I've used FTDI products for *years* and with just a very few exceptions have had zero issues with compatibility and performance. They are my number one supplier of USB to serial chips, and I still don't have any issues recommending them. Their drivers are very stable, and they work hard to make them for every platform. If they want to go after the counterfeiters, more power to them. Filing a lawsuit against a small shell company selling back-room chips pretending to be FTDI chips won't do any good. Bri

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      >Brick a thousand shitty chips and things might change.

      Yeah, I'll stop buying devices with genuine FTDI chips so I can avoid having to put FTDI malware on my system. That's what will happen.

  • by steelfood ( 895457 ) on Wednesday October 22, 2014 @02:00PM (#48205893)

    Device manufacturing companies may just avoid FTDI chips outright. This is especially true if some suppliers are mixing the real chips with the counterfeit chips.

    Worse, since it's coming through Windows Update, the engineers working on Windows Update might outright blacklist FTDI. And Microsoft would be at least partially liable for any bricked device, which would make their lawyers a bit uncomfortable. I wouldn't be surprised to see Microsoft release a patch in the future to automatically unbrick the affected devices.

    • by Richy_T ( 111409 )

      Device manufacturing companies may just avoid FTDI chips outright. This is especially true if some suppliers are mixing the real chips with the counterfeit chips.

      Excellent point. Why take a chance that some otherwise perfectly functional fakes get into your supply chain and cost you hundreds of thousands down the line? Just go with a different provider.

  • This is just wrong. (Score:3, Informative)

    by ChrisMaple ( 607946 ) on Wednesday October 22, 2014 @02:11PM (#48206027)
    Unless the non-FTDI chips are using some patented technology without permission, or are using FTDI trademark, they are doing no wrong. Second-sourcing of integrated circuits has been going on for at least 45 years, and it's completely legal. The fact that their silicon looks completely different indicates that the copiers are not violating copyright as far as the chip is concerned. Unless I'm missing something, FTDI is engaging in willful destruction of private property and should suffer immense fines.
    • by yo303 ( 558777 )

      OK, your main argument is wrong. Second-sourcing is when a company licences its IP to another manufacturer.

      There was no licencing here.

    • by AmiMoJo ( 196126 ) *

      The fakes do use the FTDI logo and part numbers. They also use FTDI's VID/PID pair and usually ship with the FTDI driver. That doesn't excuse FTDI's actions of course, but these are proper fakes and not just compatible/second source parts.

      The standard Windows CDC serial driver (usbser.sys) leaves a few things to be desired. It works, but can have issues with unexpected device disconnects and stuff that serial ports were never designed to do. It doesn't support GPIOs either, a common feature of FTDI chips. T

  • by Insomnium ( 1415023 ) on Wednesday October 22, 2014 @02:33PM (#48206293)

    Are there alternatives to this tech? I would happily buy from a competitor if one is available and boycott a company who would fuck over consumers like this. Is there even a way to choose or tell the difference between fakes or competitor products?

    Where are they used? Who uses them? What alternatives are there?

    • Well the arduino guys switched to using a small ATMega chip to do their serial to USB conversion on the Uno, so at the very least that's an option.

      Also, since I haven't seen it mentioned anywhere yet, you can reprogram the bricked chips using the FTDI tools and get them working again, supposedly it requires linux for WinXP but it is possible

  • by ArcadeMan ( 2766669 ) on Wednesday October 22, 2014 @02:37PM (#48206329)

    Some people say they're going to "avoid FTDI chips in the future". Good luck with that because FTDI makes the most reliable Serial-to-USB ICs on the planet. Going with anything else is just asking for trouble.

  • by ewhac ( 5844 ) on Wednesday October 22, 2014 @03:26PM (#48206865) Homepage Journal
    Assuming FTDI manages to weasel out of lawsuits for willful destruction of property (do NOT let them hide behind the so-called EULA), they have basically made themselves the vendor to avoid for either chips or drivers for said chips.

    Can you tell, by merely looking at it, whether a given device is using GenuineFTDI(TM)(R)(C)(BFD) chips, or whether it's a counterfeit? Can you tell by using whatever the Windows equivalent of lsusb is? No? Then there is a random, non-trivial chance that plugging in your serial-ish device will either:

    • Work (old non-destructive drivers),
    • Not work (new, non-destructive drivers),
    • Ruin the device (new, destructive drivers), so that it not only Not Works, but also Stops Working on every other machine on which it previously worked.

    Thus, in the mind of the user, FTDI == Flaky. And Flaky == Avoid.

    Congratulations, FTDI. Ten points for avoiding your feet, but minus several million for shooting yourself straight in the head.

  • by chuckugly ( 2030942 ) on Wednesday October 22, 2014 @03:47PM (#48207065)
    Bricked implies that the change is irreversible. This is simply a change to the PID, which can be undone or set to some other PID pretty easily. So no, not bricked, not destroyed, just fake detected and its fakery undone as a matter of configuration.
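
A check for the symptom described in this thread (the device's product ID rewritten to zero), as an added example that is not part of any poster's comment and not FTDI's code: it parses `lsusb`-style output and flags devices that enumerate with FTDI's vendor ID and PID 0000. The vendor ID 0403 and the listed PIDs are FTDI's registered values; the sample output, function names and status labels are constructed for illustration.

```python
import re

FTDI_VID = 0x0403      # USB vendor ID registered to FTDI
ZEROED_PID = 0x0000    # the thread reports the driver sets the product ID to zero

# Product IDs FTDI bridge chips normally enumerate with. A clone reports the
# same pair, so a match here says nothing about whether the part is genuine.
NORMAL_FTDI_PIDS = {
    0x6001: "FT232/FT245",
    0x6010: "FT2232",
    0x6011: "FT4232",
    0x6014: "FT232H",
    0x6015: "FT-X series",
}

# One device line as printed by lsusb: "Bus 001 Device 004: ID 0403:6001 text"
LSUSB_LINE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Constructed sample output (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 007: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 003: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
this line is not lsusb output
"""


def parse_lsusb(text):
    """Return one dict per well-formed lsusb device line; skip anything else."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        devices.append({
            "bus": int(bus), "device": int(dev),
            "vid": int(vid, 16), "pid": int(pid, 16),
            "description": desc.strip(),
        })
    return devices


def classify(dev):
    """Label a parsed device by what its VID:PID pair shows."""
    if dev["vid"] != FTDI_VID:
        return "not-ftdi-vid"
    if dev["pid"] == ZEROED_PID:
        return "pid-zeroed"          # matches the symptom reported in the thread
    if dev["pid"] in NORMAL_FTDI_PIDS:
        return "normal-pid"          # genuine or clone: indistinguishable here
    return "custom-pid"              # device makers can program their own PID


def audit(text):
    """List every device using FTDI's vendor ID, with its status label."""
    findings = []
    for dev in parse_lsusb(text):
        status = classify(dev)
        if status == "not-ftdi-vid":
            continue
        findings.append({
            "location": "bus %03d device %03d" % (dev["bus"], dev["device"]),
            "id": "%04x:%04x" % (dev["vid"], dev["pid"]),
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LSUSB):
        print(f["location"], f["id"], f["status"])
```

A `normal-pid` result only means the ID has not been rewritten; it does not show whether the chip is genuine.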
  • by tibit ( 1762298 ) on Wednesday October 22, 2014 @03:53PM (#48207153)

    I actually ship a device that implements FTDI's protocol in an MCU, and simply glue an otherwise unused FTDI chip to the board as a physical "license token". It's more reliable that way, and I can offer way better buffering and sync than the FTDI chip would allow. As long as they don't use real crypto in their chip, I'm not worried - an afternoon with a protocol analyzer should solve any issues. And if they do use crypto, then I'll probably have my buddy decap the chip and look for the private key bits on the die.

  • by citizenr ( 871508 ) on Wednesday October 22, 2014 @04:49PM (#48207729) Homepage

    and here we have very first attack of BadUsb. Computer malware infecting and destroying USB connected peripherals, possible because USB device had no firmware signing/authentication and was built to let anyone update it.

  • by Osgeld ( 1900440 ) on Wednesday October 22, 2014 @06:42PM (#48208613)

    FTDI has .... interesting level of support, they THINK they are the only ones in the universe with a USB to various serial devices, but they are not, prolific chips are easier to design with since they are pretty much a drop n go part, TI and Microchip have some good ones, and any yahoo can take a cheap usb device capable micro and make their own which is what arduino did years ago.

    so I applaud you FTDI for taking a stand, DONT make it a pain in the ass for me, the guy who has no problems using someone else's chip in my design

  • by knorthern knight ( 513660 ) on Wednesday October 22, 2014 @11:46PM (#48210167)

    One difference I've noticed between Windows and Linux...

    * in Linux, plug in a USB key, or hard drive, or other USB device, and if you have the appropriate driver, "it just works". One USB "mass storage device" driver works for all USB keys and hard drives

    * in Windows...
    --- plug in a brand X USB key the first time, and Windows goes off onto the internet and installs a special driver
    --- plug in a brand Y USB key the first time, and Windows goes off onto the internet and installs a special driver
    --- plug in a brand Z USB key the first time, and Windows goes off onto the internet and installs a special driver

    Come on guys, a USB key is a USB key, is a USB key. If it has some esoteric functionality, OK, otherwise don't clog up the registry and the hard drive with drivers for every USB key model that has ever been inserted into the machine.

    I have a USRobotics USR5637 http://www.usr.com/en/products... [usr.com] USB CDC "56K" dialup modem for backup on the rare occasions my broadband goes down. It's a hardware modem that works in Windows, Mac, Linux, DOS, etc. Once I set up the kernel options in linux "it just works", without constantly downloading updates. WTF is Windows always updating?
