Hardware hackers and security researchers are furious at chip maker FTDI for issuing a silent update that bricks cloned FTDI FT232 [USB to UART] chips.
FTDI distributed the driver through Windows Update, so any Windows machine that pulled the update and then had a cloned FT232 plugged in disabled that chip, with no action by the user.
On October 24 Fred Dart, CEO of FTDI, posted a response to the backlash over the decision to brick cloned chips, after the company had deleted all of the tweets it posted on October 22 in reply to people on Twitter. The company referred to the issue as a 'driver problem.'
The post addressed what FTDI singled out as its "genuine customers" -- maintaining its stance that all users of FTDI chips affected by its actions are knowingly using fakes.
Dart acknowledged that silently bricking its users' chips "caused concern amongst our genuine customer base" and that FTDI did not wish to cause distress "to them" -- yet the post contains no apology for FTDI's actions. The post states:
The recently released driver has now been removed from Windows Update so that on-the-fly updating cannot occur.
The driver is in the process of being updated and will be released next week.
This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user’s hardware being directly affected.
Twitter user John Crouchley asked FTDI for a list of approved sellers, but FTDI declined to help him.
The chip is extremely common on a wide variety of devices and there is no way of knowing which devices have cloned chips -- and the tainted supply chain could hit anyone.
FTDI's surprise new driver does not destroy the clones physically: it rewrites the USB Product ID (PID) stored in the chip's configuration EEPROM to 0x0000, using a write that genuine FTDI parts do not act on. The device then enumerates with FTDI's vendor ID 0x0403 and PID 0x0000, no driver binds to it, and every host it is plugged into from then on, Windows or otherwise, sees an unknown device. The PID can be written back with an EEPROM tool that is willing to talk to the zeroed ID, but the effect is instant, and a user without such tooling is left with a dead device.
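For a practitioner who suspects a device has been hit, the two useful checks are whether anything on the bus now reports 0403:0000 and, given an EEPROM dump, whether the PID field is zero and can be put back. The following script is an added example written for this article; it is not FTDI's, Hack A Day's or the driver's code. It assumes the FT232R EEPROM layout used by libftdi and ftdi_eeprom (VID in word 1, PID in word 2, checksum in the last word, computed as XOR into a 0xAAAA seed with a rotate-left-by-one per word); the lsusb lines and the 128-byte EEPROM image are constructed for the example, not captured from real hardware.

```python
"""Triage and repair helper for FT232R devices whose USB PID has been zeroed.

Added example for this article, not FTDI's or Hack A Day's code. Assumes the
FT232R EEPROM layout used by libftdi/ftdi_eeprom: VID at word 1, PID at word 2,
checksum in the last word (seed 0xAAAA, XOR each word, rotate left by one).
The lsusb output and the EEPROM image below are constructed, not real dumps.
"""
import re
import struct

FTDI_VID = 0x0403
FT232_PID = 0x6001      # stock PID for the FT232R / FT232BM
ZAPPED_PID = 0x0000     # what the October 2014 driver wrote to clones
EEPROM_BYTES = 128      # FT232R has a 128-byte (64-word) internal EEPROM

# Constructed `lsusb` output: a hub, one healthy FT232, one zeroed clone.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 003 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
"""

LSUSB_RE = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")


def find_zapped_devices(lsusb_text):
    """Return (bus, device) pairs whose VID is FTDI's and whose PID is 0x0000."""
    hits = []
    for line in lsusb_text.splitlines():
        m = LSUSB_RE.match(line)
        if not m:
            continue
        bus, dev, vid, pid = m.groups()
        if int(vid, 16) == FTDI_VID and int(pid, 16) == ZAPPED_PID:
            hits.append((int(bus), int(dev)))
    return hits


def eeprom_checksum(image):
    """Checksum over every 16-bit little-endian word except the last one:
    XOR the word into a 0xAAAA seed, then rotate the 16-bit result left by one."""
    words = struct.unpack("<%dH" % (len(image) // 2), image)
    csum = 0xAAAA
    for w in words[:-1]:
        csum ^= w
        csum = ((csum << 1) | (csum >> 15)) & 0xFFFF
    return csum


def checksum_ok(image):
    """True if the checksum stored in the last word matches the recomputed one."""
    stored = struct.unpack_from("<H", image, len(image) - 2)[0]
    return stored == eeprom_checksum(image)


def read_ids(image):
    """VID is word 1 (bytes 2-3), PID is word 2 (bytes 4-5) of the FT232R image."""
    return struct.unpack_from("<HH", image, 2)


def restore_pid(image, pid=FT232_PID):
    """Return a copy of the image with the PID rewritten and the checksum fixed.
    Refuses a dump whose checksum does not verify, so a corrupt read is not
    'repaired' into an image that still will not enumerate."""
    if len(image) != EEPROM_BYTES:
        raise ValueError("expected a %d-byte FT232R image" % EEPROM_BYTES)
    if not checksum_ok(image):
        raise ValueError("stored checksum does not verify; refusing to patch")
    fixed = bytearray(image)
    struct.pack_into("<H", fixed, 4, pid)
    struct.pack_into("<H", fixed, EEPROM_BYTES - 2, eeprom_checksum(fixed))
    return bytes(fixed)


def make_sample_image(pid):
    """Constructed 128-byte FT232R-style image with a valid checksum (not a real dump)."""
    img = bytearray(EEPROM_BYTES)
    # word 0: config flags, word 1: VID, word 2: PID, word 3: bcdDevice
    struct.pack_into("<HHHH", img, 0, 0x0000, FTDI_VID, pid, 0x0600)
    struct.pack_into("<H", img, EEPROM_BYTES - 2, eeprom_checksum(img))
    return bytes(img)


if __name__ == "__main__":
    print("zeroed FTDI devices (bus, dev):", find_zapped_devices(SAMPLE_LSUSB))
    zapped = make_sample_image(ZAPPED_PID)
    print("before: vid=%04x pid=%04x" % read_ids(zapped))
    print("after:  vid=%04x pid=%04x" % read_ids(restore_pid(zapped)))
```

Writing the repaired image back is the step this script deliberately leaves out: the host has to be willing to bind a driver to 0403:0000 first, which on Linux is normally done by adding the ID to ftdi_sio's `new_id` sysfs file before running an EEPROM tool, and a wrong EEPROM write can make the part worse. The checksum refusal in `restore_pid` exists for the same reason; a dump that does not verify should be re-read, not patched.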
The hardware hackers at Hack A Day first reported that a recent driver update deployed over Windows Update is bricking cloned versions of the very common FTDI FT232 [USB to UART] chip.
So FTDI showed us that it is possible to nuke devices via Windows Update, you just need the right drivers— xikaos (@xikaos) October 23, 2014
In response to increasing anger and criticism from security researchers on Twitter, FTDI admitted using the remote kill switch and is adamant that this move is necessary to fight counterfeiting.
So, @FTDIChip admitted+defending using Windows Update to brick random people's equipment because it doesn't use FTDI chips. Yes. Literally.— InfoSec Taylor Swift (@SwiftOnSecurity) October 23, 2014
FTDI says it's not targeting users, but shifts the blame to users in a tweet suggesting users may -- somehow -- knowingly be using cloned chips. In a now deleted tweet from October 22, 2014 @FTDIChip wrote, "@mikelectricstuf FTDI is definitely not targeting end users - if you're unsure if ICs are genuine then please don't use the drivers."
@mikelectricstuf FTDI is definitely not targeting end users - if you're unsure if ICs are genuine then please don't use the drivers.— FTDIChip (@FTDIChip) October 22, 2014
Companies and individuals who buy and use the chip have had no reason to suspect -- and often, no way of knowing -- they might be getting chips from a cloned batch.
@mikelectricstuf @FTDIChip Exactly this. Consumers can't know if every IC in their devices are genuine or not. Avoiding FTDI from now on.— Lance Tjessem (@LanceTjessem) October 23, 2014
@EMSL @FTDIChip You're actually saying that if I buy a kit that has an unlicensed FTDI chip in it, I'm a willful cyber-criminal? Really?— Kevin Fox (@kfury) October 23, 2014
The FTDI FT232 is one of the most common chips on devices with USB-serial port hardware functions. It's used to add a USB serial port to a device or project.
Hack A Day explained, "The FTDI FT232 chip is found in thousands of electronic baubles, from Arduinos to test equipment, and more than a few bits of consumer electronics. It’s a simple chip, converting USB to a serial port."
this is technical, but basically details a chip kill switch used in the wild - "FTDI driver kills fake FTDI FT232": http://t.co/CdIt88lNif— Robert Marchini (@RobertMarchini) October 23, 2014
The company's evident overreach has created a situation that leaders in the security communities consider unethical and untenable -- it will no doubt damage the company's reputation, and possibly its bottom line.
FTDI has threatened the entire security-critical ecosystem of silent automatic updates. It's not optional to manage this.— Dan Kaminsky (@dakami) October 23, 2014
We only get @FTDIChip products from reputable channels. But will our future customers assume that? =>Best not to design FTDI products in.— Evil Mad Scientist (@EMSL) October 23, 2014
Updated October 25 to reflect FTDI's response post.
Updated October 27 with a link to FTDI's deleted tweets saved here.