My hardware hacking friends have been all a-twitter (and all a-pick-your-favorite-social-platform) about recent actions by FTDI. In case one of my three or so regulars haven’t heard about this dust-up, here’s a brief synopsis.
- FTDI makes a series of chips which translate between USB and either RS232 serial or TTL level serial signals. These chips are used in (among many other devices) many types of Arduino boards and many USB dongles that are used to program them.
- Because of their popularity, clones of these chips have been created. These chips are not simple copies, but functionally equivalent replicas, designed to operate the same as FTDI’s chips. There are benefits to this: since they operate the same as FTDI chips, they do not require separate drivers. They are also drop-in replacements for existing designs.
- Because they are drop-in replacements, unscrupulous parts distributors have “rebadged” this clone chips as the genuine article. These chips are genuine counterfeits. But in many cases, the buyers of these chips have idea that counterfeits have been substituted for the genuine article.
- Microsoft Windows has a mechanism that automatically updates operating system components (including device drivers) automatically. These updates, annoying as they are, are necessary to patch security vulnerabilities. FTDI releases driver updates as part of these regular updates.
- FTDI decided to crack down on counterfeits. They released a new driver which attempts to detect non-FTDI chips. When it find ones, it disables the chip by overwriting the USB PID (the coded indentifier used by the USB system to find the proper driver for the device) to zero. This effectively keeps the USB system from using the device: it’s dead. Moving the device to any other machine (Mac OS X, Linux) doesn’t help either. The device is essentially bricked.
- Note: while it is illegal to rebadge a chip and make it seem to be a genuine FTDI chip, clone chips are not illegal. The FTDI update does not attack counterfeits: it attacks clone chips. This puts all the pain not on the people guilty of fraud, but directly on end users, who have no way of even knowing if an FTDI chip or counterfeit is even in the product that for some reason, mysteriously stops working.
- Because this update occurred as part of the silent windows update process, it now causes end-users to question whether they should accept updates. This is very, very bad for security.
FTDI: you screwed up. Big time. I know a number of people who manufacture goods using your chips, and they are scrambling to find alternatives because you have destroyed the trust relationship that they have with their customers.
Their reaction via Twitter has been equally without clue. To whit:
ZDNet’s article on FTDI debacle.
I was actually considering using an FTDI serial chip in my revision of my Minima project. Now, I’m looking for alternatives. Way to shoot yourself in the foot, FTDI.
Addendum:
From my twitter feed:
We only get @FTDIChip products from reputable channels. But will our future customers assume that? =>Best not to design FTDI products in.
— Evil Mad Scientist (@EMSL) October 23, 2014
@xek Folks at @CypressSemi make a drop in replacement for the FT232RL. I'll be switching the GoodFET and Facedancer as soon as I test them.
— Travis Goodspeed (@travisgoodspeed) October 24, 2014
Today @FTDIChip ensures it is protecting innovation, by causing entire hardware community to ask how we can make devices without FTDI.
— Star Simpson (@starsandrobots) October 22, 2014
These guys put a Trojan horse in their driver update. Deploying a Trojan horse that damages or destroys a computer system is a crime. Self help is not a defense.