FTDI admits to bricking innocent users' chips in silent update
Summary: In a move that has surprised and angered security researchers, chip maker FTDI has admitted to issuing a silent update that bricks cloned FTDI FT232 [USB to UART] chips.
Hardware hackers and security researchers are furious at chip maker FTDI for issuing a silent update that bricks cloned FTDI FT232 [USB to UART] chips.
The chip is extremely common on a wide variety of devices and there is no way of knowing at this time which devices have cloned chips -- and the tainted supply chain could hit anyone.
FTDI appears to have used a recent Windows update to deliver the driver update that bricks all cloned FTDI FT232s.
FTDI's surprise new driver reprograms the USB PID to 0, killing the chips instantly.
The hardware hackers at Hack A Day first reported that a recent driver update deployed over Windows Update is bricking cloned versions of the very common FTDI FT232 [USB to UART] chip.
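Because the reported driver behavior leaves the chip enumerating with a PID of 0, an affected device can be spotted in a USB inventory. The following is an added example, not code from the article, FTDI or Hack A Day: it triages constructed sample lines in Windows instance-ID and `lsusb` form. The FTDI vendor ID 0x0403 and the FT232 default product ID 0x6001 are not stated in the article, and the function names are hypothetical.

```python
import re

FTDI_VID = 0x0403           # FTDI's USB vendor ID (not stated in the article)
FT232_DEFAULT_PID = 0x6001  # FT232 default product ID (not stated in the article)

# Windows instance IDs (USB\VID_0403&PID_0000\...) and lsusb lines (ID 0403:0000)
_PATTERNS = (
    re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})"),
    re.compile(r"\bID ([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\b"),
)

def parse_ids(line):
    """Return (vid, pid) as integers, or None if the line carries no USB IDs."""
    for pat in _PATTERNS:
        m = pat.search(line)
        if m:
            return int(m.group(1), 16), int(m.group(2), 16)
    return None

def classify(line):
    ids = parse_ids(line)
    if ids is None:
        return "unparsed"
    vid, pid = ids
    if vid != FTDI_VID:
        return "not-ftdi"
    if pid == 0x0000:
        return "pid-zeroed"         # matches the state the article describes
    if pid == FT232_DEFAULT_PID:
        return "ft232-default-pid"  # IDs alone cannot tell genuine from clone
    return "ftdi-other"

def triage(lines):
    """Group non-empty inventory lines by verdict."""
    report = {}
    for line in lines:
        line = line.strip()
        if line:
            report.setdefault(classify(line), []).append(line)
    return report

# Constructed sample inventory (serials and paths are made up)
SAMPLE = r"""
USB\VID_0403&PID_0000\5&2A1B3C4D&0&2
USB\VID_0403&PID_6001\A9XYZ123
Bus 001 Device 004: ID 0403:0000 Future Technology Devices International, Ltd
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
PCI\VEN_8086&DEV_1E31
"""

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE.splitlines()).items():
        print(f"{verdict}: {len(hits)}")
```

A `ft232-default-pid` verdict only means the device still enumerates normally; it says nothing about whether the chip is genuine.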
So FTDI showed us that it is possible to nuke devices via Windows Update, you just need the right drivers
— xikaos (@xikaos) October 23, 2014
In response to increasing anger and criticism from security researchers on Twitter, FTDI admitted using the remote kill switch and is adamant that this move is necessary to fight counterfeiting.
So, @FTDIChip admitted+defending using Windows Update to brick random people's equipment because it doesn't use FTDI chips. Yes. Literally.
— InfoSec Taylor Swift (@SwiftOnSecurity) October 23, 2014
FTDI says it's not targeting users, but shifts the blame to users in a tweet suggesting users may -- somehow -- knowingly be using cloned chips:
@mikelectricstuf FTDI is definitely not targeting end users - if you're unsure if ICs are genuine then please don't use the drivers.
— FTDIChip (@FTDIChip) October 22, 2014
Companies and individuals who buy and use the chip have had no reason to suspect -- and often, no way of knowing -- they might be getting chips from a cloned batch.
@mikelectricstuf @FTDIChip Exactly this. Consumers can't know if every IC in their devices are genuine or not. Avoiding FTDI from now on.
— Lance Tjessem (@LanceTjessem) October 23, 2014
@EMSL @FTDIChip You're actually saying that if I buy a kit that has an unlicensed FTDI chip in it, I'm a willful cyber-criminal? Really?
— Kevin Fox (@kfury) October 23, 2014
The FTDI FT232 is one of the most common chips on devices with USB-serial port hardware functions. It's used to add a USB serial port to a device or project.
Hack A Day explained, "The FTDI FT232 chip is found in thousands of electronic baubles, from Arduinos to test equipment, and more than a few bits of consumer electronics. It’s a simple chip, converting USB to a serial port."
this is technical, but basically details a chip kill switch used in the wild - "FTDI driver kills fake FTDI FT232": http://t.co/CdIt88lNif
— Robert Marchini (@RobertMarchini) October 23, 2014
The company's evident overreach has created a situation that leaders in the security communities consider unethical and untenable -- it will no doubt damage the company's reputation, and possibly its bottom line.
FTDI has threatened the entire security-critical ecosystem of silent automatic updates. It's not optional to manage this.
— Dan Kaminsky (@dakami) October 23, 2014
We only get @FTDIChip products from reputable channels. But will our future customers assume that? =>Best not to design FTDI products in.
— Evil Mad Scientist (@EMSL) October 23, 2014