Chipmaker Disables Counterfeits With Software Update - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
News
10/28/2014
09:06 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Chipmaker Disables Counterfeits With Software Update

FTDI's update, targeting counterfeit chips, could disable systems widely embedded in healthcare, critical infrastructure, and consumer products.

11 Geekiest Halloween Costumes
11 Geekiest Halloween Costumes
(Click image for larger view and slideshow.)

A chipset maker's controversial decision to intentionally disable illegal copies of one of its products via a Windows software update could have implications for operators of critical infrastructure equipment.

Future Technology Devices Inc. (FTDI) is the UK manufacturer of a popular USB-to-serial converter for enabling USB support on legacy peripherals. The company's technology is used widely within the critical infrastructure and healthcare sectors, as well as in many test equipment and consumer products.

FTDI recently released a software update that essentially "bricked," or disabled, counterfeit copies of one of its chips running on products from numerous manufacturers.

[Unhealthy risks: DHS Investigates Dozens Of Medical Device Cybersecurity Flaws.]

The Windows driver update was designed to reset the product IDs used by clone manufacturers to identify their chipsets, making the products unidentifiable to the operating system and therefore useless.

"This isn't a case where fake FTDI chips won't work if plugged into a machine running the newest FTDI driver," Brian Benchoff wrote on Hackaday.com. "The latest driver bricks the fake chips, rending them inoperable with any computer," including Windows, Linux, and OS X systems.

FTDI's move was apparently designed to discourage clone manufacturers from profiting illegally from the company's intellectual property.

An FTDI chipset
An FTDI chipset

According to Hackaday's Benchoff, the chip that the FTDI driver disabled is one of the most cloned pieces of silicon on Earth.

In May, FTDI CEO Fred Dart warned that FTDI was committed to taking "appropriate measures" to detect and detect counterfeit activity involving its products.

Still, the company's decision to brick chips in the field surprised many, because it targeted end users of the technology and not the actual clone manufacturers.

As Hackaday noted, it's very hard for consumers and even manufacturers of USB-to-serial conversion technologies to tell if the chips they are using are genuine or counterfeit just by looking at them.

Reid Wightman, an analyst with Digital Bond, a consultancy that specializes in critical infrastructure and industrial control system security, cited reports that FTDI's process for identifying counterfeit devices was imperfect, resulting in the update killing legitimate chipsets, as well.

It is basically impossible for end users to know whether every FTDI chip in the USB devices they own is legitimate, Wightman said in a blog post. "Cables using FTDI chips often come included with hardware that has a serial port, such as network switches, [programmable logic controllers], and other embedded devices."

Often the chips come integrated in devices with USB ports, making it even harder for users to know if the chips are fake or genuine. As a result, FTDI's driver update could create critical infrastructure problems for owners of such devices, he said.

"The concern with critical infrastructure equipment is that older equipment -- which still makes up an unfortunate amount of control systems -- often have only a serial interface for configuration," Wightman said in emailed comments to InformationWeek. Newer computers no longer have serial ports, so engineers frequently use USB-to-serial cables to gain life from old gear. "I would worry if an engineer bricked all of his or her USB-to-serial adapters and could not reconfigure one of these old pieces of equipment in an emergency."

One example would be if a control systems group needed to reconfigure the network in a hurry to set up switch ports for a virtual LAN or to disable MAC address restrictions. Often, the only way to reconfigure an older switch in an emergency is to connect directly to the switch with a serial cable. But if the cable has been bricked by the FTDI update, it won't be possible to reconfigure the system, Wightman said.

So far, there have not been any reports of critical infrastructure owners running into a problem because of the update, he said.

FTDI's Dart quickly pulled the update last week in response to growing outrage over the company's move. In a note, Dart offered no apology but acknowledged that the update had caused concern within the company's genuine customer base.

"The recently release[d] driver release has now been removed from Windows Update so that on-the-fly updating cannot occur," Dart said. The driver is in the process of being updated and will be released again next week. "This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user hardware being directly affected," he said without elaborating.

Wightman said he is not sure if FTID has rolled back any devices that had already installed the update back to their original state. "It could be that systems which downloaded the patched firmware will brick FTDI controllers until end users roll back the patch," he said. "I really don't know the answer to this, as I was too afraid to download the patch in case any of my cables were affected."

Dart did not respond to a request for comment on concerns about the update potentially impacting systems in the critical infrastructure.

Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep getting your business, conducting in-depth risk assessments -- and ensuring that your network has controls in place to protect data in case these defenses fail (free registration required).

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jai Vijayan
50%
50%
Jai Vijayan,
User Rank: Apprentice
10/29/2014 | 9:49:41 AM
FTDI CEO Fred Dart responds
Fred Dart the CEO of FTDI downplayed the allged problems created by the company's decision to brick counterfeit chips and insisted that a majority of its customers were not affected by it at all. Here are his emaled comments in their entirety: Jai Vijayan.

Although in certain parts of the media it has been implied that there was some form of counterfeit detection algorithm in FTDI's latest driver, this was in fact absolutely untrue. There was no mechanism of that description in place and hence no flagging up of a counterfeit device ever occurred. Exactly the same commands were sent to a genuine chip as to a counterfeit chip. Some counterfeit devices simply failed to handle certain commands correctly (again something that's shows their lack of suitability for use in serious electronic system design) and they simply quarantined themselves.

Actually this whole episode has not affected our large or medium customers at all. They haven't been hindered in any way as they source chips either directly from us or via our global distribution partners (such as Farnell and Digi-Key).  Even the vast majority of smaller customers have not been impacted and we have been liaising directly with those who have had concerns, in order to ensure that they have genuine FTDI chips. Our priority has always been to make totally sure that our customer base is not inconvenienced. In Asia in particular sales have been actually boosted as people are coming to us rather than certain other less reliable sources so that they can guarantee they have real FTDI silicon and not fakes. Board level products featuring FTDI ICs from Sparkfun, Elektor and Adafruit, among others, are in no way harmed either.

With regard to critical infrastructure - no FTDI definitely has not had any concerns from clients in this area. For such applications engineers are obviously very careful about the source of the ICs they specify. If they incorporated inferior chips into a design then they would be leaving themselves exposed to the possibility that an operational failure might occur when in-situ. They simply can't afford to put themselves in that position, that's why they deal directly with us or with our distributors.

If you get a genuine FTDI USB chip, as opposed to a counterfeit one, there is complete assurance of its continued operation and long term reliability. The company puts all its products through rigorous testing, with USB-IF, WHQL and ESD protection certification all secured. With counterfeit chips none of this effort or engineering resource has been invested into their manufacture, as a result there is a constant risk of them failing and potentially having serious repercussions for those who sourced them. In addition FTDI USB chips can rely on well tested drivers, firmware and software development tools, plus high response technical support is available to deal with customer queries.

Furthermore, FTDI USB chips employ a hard-wired state machine approach, whereas counterfeit devices will use programmable microcontrollers. This means that they aren't anything like as highly optimised and as a result can't match the performance levels set by FTDI devices.

The threat to the semiconductor industry that counterfeiting poses is growing all the time. It is similar to what the film and music businesses are currently seeing - with DVD and album sales dropping dramatically due to pirate copies and illegal downloads sites. This is likely to have a long term effect on creativity, as the investments that chip manufacturers (just like music labels and Hollywood studios) can make in bringing innovative products to market will be smaller and smaller, since their revenue streams are getting diverted to counterfeiters. The semiconductor companies and their distributors, as well as industry bodies like the SIA, need to address the problem now before it is too late.

FTDI has shown itself to be very proactive in combatting the issue of counterfeiting and will continue to be vigilant. The company is working closely with the US customs on this. It is also attempting to take action in the Chinese law courts to prosecute infringers. The hope is that the seriousness of the problem is now beginning to be realized and everyone in the electronics engineering community will do their best to stamp out counterfeiting, as this will benefit the ongoing progression of technology and encourage future technological advances

Fred Dart, CEO, FTDI
ProfTheory
50%
50%
ProfTheory,
User Rank: Apprentice
10/28/2014 | 6:48:18 PM
Deja vu
Among Amateur Radio operators they have also run into this situation. In there case the manufacturer is Prolific who also makes a USB-serial chip. The chip is used in a programming cable for Chinese radios. You buy the cheap cable you get the knockoff chip. If the driver is updated - through Windows - the cable stops working. They then buy the more expensive cable and it starts working agian.
aws0513
100%
0%
aws0513,
User Rank: Strategist
10/28/2014 | 1:10:55 PM
A fascinating story about a perfect storm of ethics and IP rights
This story is amazing to me.

The idea that a hardware/firmware vendor could brick knock-off copies of the product that are widely in use touches on several several ethical and IP owner rights issues to include the rights of those people relying on those devices for critical operations.

Thanks for the great article.  It raises some very interesting questions.
Commentary
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll