A chipset maker's controversial decision to intentionally disable illegal copies of one of its products via a Windows software update could have implications for operators of critical infrastructure equipment.
Future Technology Devices Inc. (FTDI) is the UK manufacturer of a popular USB-to-serial converter for enabling USB support on legacy peripherals. The company's technology is used widely within the critical infrastructure and healthcare sectors, as well as in many test equipment and consumer products.
FTDI recently released a software update that essentially "bricked," or disabled, counterfeit copies of one of its chips running on products from numerous manufacturers.
The Windows driver update was designed to reset the product IDs used by clone manufacturers to identify their chipsets, making the products unidentifiable to the operating system and therefore useless.
"This isn't a case where fake FTDI chips won't work if plugged into a machine running the newest FTDI driver," Brian Benchoff wrote on Hackaday.com. "The latest driver bricks the fake chips, rendering them inoperable with any computer," including Windows, Linux, and OS X systems.
FTDI's move was apparently designed to discourage clone manufacturers from profiting illegally from the company's intellectual property.
According to Hackaday's Benchoff, the chip that the FTDI driver disabled is one of the most cloned pieces of silicon on Earth.
In May, FTDI CEO Fred Dart warned that FTDI was committed to taking "appropriate measures" to detect and deter counterfeit activity involving its products.
Still, the company's decision to brick chips in the field surprised many, because it targeted end users of the technology and not the actual clone manufacturers.
As Hackaday noted, it's very hard for consumers and even manufacturers of USB-to-serial conversion technologies to tell if the chips they are using are genuine or counterfeit just by looking at them.
Reid Wightman, an analyst with Digital Bond, a consultancy that specializes in critical infrastructure and industrial control system security, cited reports that FTDI's process for identifying counterfeit devices was imperfect, resulting in the update killing legitimate chipsets, as well.
It is basically impossible for end users to know whether every FTDI chip in the USB devices they own is legitimate, Wightman said in a blog post. "Cables using FTDI chips often come included with hardware that has a serial port, such as network switches, [programmable logic controllers], and other embedded devices."
Often the chips come integrated in devices with USB ports, making it even harder for users to know if the chips are fake or genuine. As a result, FTDI's driver update could create critical infrastructure problems for owners of such devices, he said.
"The concern with critical infrastructure equipment is that older equipment -- which still makes up an unfortunate amount of control systems -- often has only a serial interface for configuration," Wightman said in emailed comments to InformationWeek. Newer computers no longer have serial ports, so engineers frequently use USB-to-serial cables to gain life from old gear. "I would worry if an engineer bricked all of his or her USB-to-serial adapters and could not reconfigure one of these old pieces of equipment in an emergency."
One example would be if a control systems group needed to reconfigure the network in a hurry to set up switch ports for a virtual LAN or to disable MAC address restrictions. Often, the only way to reconfigure an older switch in an emergency is to connect directly to the switch with a serial cable. But if the cable has been bricked by the FTDI update, it won't be possible to reconfigure the system, Wightman said.
So far, there have not been any reports of critical infrastructure owners running into a problem because of the update, he said.
FTDI's Dart quickly pulled the update last week in response to growing outrage over the company's move. In a note, Dart offered no apology but acknowledged that the update had caused concern within the company's genuine customer base.
"The recently release[d] driver release has now been removed from Windows Update so that on-the-fly updating cannot occur," Dart said. The driver is in the process of being updated and will be released again next week. "This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user hardware being directly affected," he said without elaborating.
Wightman said he is not sure if FTDI has rolled any devices that had already installed the update back to their original state. "It could be that systems which downloaded the patched firmware will brick FTDI controllers until end users roll back the patch," he said. "I really don't know the answer to this, as I was too afraid to download the patch in case any of my cables were affected."
Dart did not respond to a request for comment on concerns about the update potentially impacting systems in the critical infrastructure.