FTDI admits to bricking innocent users' chips in silent update

Yeah, saw that topic, pretty outrageous:

Chipmaker deliberately cripples user devices with driver update

https://www.csoonline.com/article/2...cripples-user-devices-with-driver-update.html

Excerpt:

In fact, the consumers who have been impacted by this update have committed no crime. Their only offense seems to be purchasing a product that was presumed to be legitimate in the first place. Even the experts could be fooled, as telling the difference between a real FT232 and a fake version requires a microscopic exam in most cases.

"Rather than targeting those who manufacture, sell, and distribute counterfeit products, they're attacking consumers that don't necessarily have the capability to know whether or not their devices have the authentic chips in them," commented Wesley McGrew, Assistant Research Professor, in Department of Computer Science & Engineering at Mississippi State University.

McGrew, along with a majority of the developers who have been forced to deal with the issue, said that FTDI has a right to protect their IP, but the company "should have written their driver such that it would not operate with counterfeit devices, stopping short of actually attacking the devices themselves."

Arduino forum: Unable to get FT232R drivers loaded under Windows 7 64bit

https://forum.arduino.cc/index.php?topic=270175.0
 
I read about this initially over on Ars Technica. It makes me really hesitant to update drivers especially since I'm pretty sure the crummy programming cable for my HT radio would be affected.

I'd also rather not risk my altimeters and other devices with ftdi chips ('duinos of different flavors mostly.)

I get FTDI writing drivers to detect and then refuse to work with fake chips. Notifying the user of the issue so they can contact the vendor of their device (or vendor of their chips if they are device maker themselves) would have been ok. Disabling the fake chip, thus rendering the device inoperative, in the manner that FTDI did is going to blow up in their faces PR-wise. (One could argue that it already is becoming a PR nightmare.)
 
I get FTDI writing drivers to detect and then refuse to work with fake chips. Notifying the user of the issue so they can contact the vendor of their device (or vendor of their chips if they are device maker themselves) would have been ok. Disabling the fake chip, thus rendering the device inoperative, in the manner that FTDI did is going to blow up in their faces PR-wise. (One could argue that it already is becoming a PR nightmare.)

Right? Unbelievable stunt... and it has blown up in their face.
Imagine the internal dialog they are now having??
 
Right? Unbelievable stunt... and it has blown up in their face.
Imagine the internal dialog they are now having??

Hey Jim, the M3 usb IO dongle uses an FTDI chip. As a hardware manufacturer, does this kind of stunt give you cause to reconsider parts suppliers, or is FTDI pretty much the only game in town when it comes to USB-to-serial conversion? (excluding counterfeit chips, of course)
 
There's quite a few vendors other than FTDI. Prolific, Atmel, Microchip, Silicon Labs, and Freescale are some of the more common. FTDI's chip is considered to be one of the better ones in terms of compatibility and throughput.
 
+1. If someone is affected by this, then they should be mad at the supplier who used the counterfeit FTDI chips not FTDI. Bravo FTDI.
 
Okay - I have no problem with FTDI writing the driver to stop working with the counterfeit chips. What I take issue with is also silently disabling the chip (by reprogramming its vid to 0000.)

A better move would have been to leave the chip alone. Refuse to communicate with it, and even go so far as to alert the user of what is going on. So the user can take appropriate action. (Inform the device manufacturer, parts supplier, etc.)

Say my legitimately purchased arduino was part of a run where the factory got a batch of fake chips from the supply chain. (It happens.) Yes, I should be complaining to the arduino folks when my board stops working. Yes I would hope the Arduino people would offer a recall/replacement program of some sort. They should also look at their supply chain people and fix that.

In the mean time FTDI should not be disabling my devices by reprogramming counterfeit chips they've detected. Their cause would be much better served by detecting and informing, not detecting and (silently) disabling.

Maybe I'm trying to develop a compatible chip and a set of linux drivers for it, and I'm doing some cross-platform testing. The FTDI windows drivers now render these chips useless on linux systems as well, because they reprogram the chip with an invalid vid.

Then again, I'm not a chip designer. Or a driver software developer. I'm a neophyte 'duino tinkerer, at best. I'd like the things that I've bought, built, coded, and got working to continue to keep working after a routine update. Or at least be presented with some information as to why it broke. Not to have it mysteriously stop working, and actually be disabled.

Kudos to FTDI for taking a stand against counterfeits, sure. But I think they should have taken a different tack.
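The post above describes the driver rewriting the chip's USB ID to 0000. As an added example (not part of the thread and not FTDI's code), this Python sketch scans `lsusb`-style output for that signature so an affected adapter can be identified before chasing a cable or driver fault. The sample lines are constructed, and treating both a zeroed vendor ID (as the post states) and a zeroed product ID under FTDI's vendor ID 0403 as the signature is an assumption.

```python
import re

# lsusb prints one device per line: "Bus BBB Device DDD: ID vvvv:pppp description"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)
FTDI_VID = 0x0403  # USB vendor ID assigned to FTDI

# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
Bus 001 Device 006: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
"""


def classify(line):
    """Parse one lsusb line; return a record with a verdict, or None if unparseable."""
    m = LSUSB_LINE.match(line.strip())
    if m is None:
        return None
    vid, pid = int(m["vid"], 16), int(m["pid"], 16)
    if vid == 0 or (vid == FTDI_VID and pid == 0):
        # Assumed signature of a reprogrammed chip: drivers that match on the
        # usual vendor/product pair will not bind to it.
        verdict = "zeroed-id"
    elif vid == FTDI_VID:
        # Reports FTDI's vendor ID. The ID alone cannot tell genuine from clone.
        verdict = "ftdi-id"
    else:
        verdict = "other"
    return {"bus": m["bus"], "dev": m["dev"], "vid": vid, "pid": pid,
            "verdict": verdict, "desc": m["desc"]}


def scan(lsusb_output):
    """Return records for every device that reports an FTDI or zeroed ID."""
    findings = []
    for line in lsusb_output.splitlines():
        rec = classify(line)
        if rec is not None and rec["verdict"] != "other":
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in scan(SAMPLE):
        print("bus %s dev %s  %04x:%04x  %s" % (
            rec["bus"], rec["dev"], rec["vid"], rec["pid"], rec["verdict"]))
```

Feed it real data with `scan(subprocess.check_output(["lsusb"], text=True))` on a Linux host; a `zeroed-id` hit is the device to set aside before any further driver changes.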
 
FTDI is doing the right thing for standing up to counterfeiting. Their chips work great and it would suck to ruin the market with counterfeit ones.

But from a legal perspective, they are interfering with (disabling) the product they have not manufactured. It's bad precedent and FTDI will end up on the losing end of a legal battle (and I bet it's coming).

Manufacturers who use FTDI chips are not going to be happy. Rather than identifying and processing a recall in an orderly manner, they are now forced to deal with it now, regardless of manufacturer's inventory or cashflow.

If I read it correctly, some driver updates came with Windows update so I hope Microsoft gets upset quickly and rolls back driver version.
 
https://www.ftdichipblog.com/?p=1053

Fair points above in the previous two points.

Manufacturers who use FTDI chips are not going to be happy. Rather than identifying and processing a recall in an orderly manner, they are now forced to deal with it now, regardless of manufacturer's inventory or cashflow.

I am not sure. Counterfeit FTDI chips do not accidentally find their way into supply chains. It is not a "commodity" chip like a SN7401. If you are buying from an authorized distributor (digikey, Avnet, Arrow, Mouser etc) you are getting the real thing. From what I understand many of the affected units were very cheaply priced cloned products sold on eBay and the like from China.

No respectable manufacturer buys components from Alibaba.

Also this is not a new issue, there were driver compatibility issues with suspected fakes reported as early as this Feb.
https://hackaday.com/2014/02/19/ft232rl-real-or-fake/

But I am sympathetic to the argument that FTDI should not punish the users of the counterfeit products.
 
Hey Jim, the M3 usb IO dongle uses an FTDI chip. As a hardware manufacturer, does this kind of stunt give you cause to reconsider parts suppliers, or is FTDI pretty much the only game in town when it comes to USB-to-serial conversion? (excluding counterfeit chips, of course)

I agree with the notion of FTDI trying to thwart Chinese clones... my paintball biz was in fact the victim of the same thing. A board I designed for an OEM customer (Taiwanese) was taken by said customer and cloned by another Taiwanese entity. Said customer subsequently sold clones of my board (and still does). Unfortunately, while I had great chances for a court injunction to block their sales based on copyright infringement (yes, the code is formally copyrighted thru the US Copyright office), pursuit of this would have been a black hole for ca$h. What happened instead was we blackened their eye in the US market as Chinese cloners...

Because I'm vested in the FTDI silicon, I won't be migrating... but at the same time, nuking the silicon ID's was a bad corporate tactic... I would have opted to create nagging error dialogs or simply go inert.
 
Wasn't there a bad string of cloned CPU's that stung Newegg a few years back?
There's always someone out there willing to cut corners to pad their profits.
Ultimately the biggest loser in the end is; the consumer!

JD
 
I applaud FTDI for having the balls to do this.
"Their only offense seems to be purchasing a product that was presumed to be legitimate in the first place. Even the experts could be fooled, as telling the difference between a real FT232 and a fake version requires a microscopic exam in most cases.

Rather than targeting those who manufacture, sell, and distribute counterfeit products, they're attacking consumers that don't necessarily have the capability to know whether or not their devices have the authentic chips in them," commented Wesley McGrew, Assistant Research Professor, in Department of Computer Science & Engineering at Mississippi State University.


What he said... Making their driver not work with counterfeit chips I can agree with, permanently disabling (short of smd removal/replacement) the hardware of innocent users and hardware manufacturers who did not intentionally use counterfeit chips I do not agree with.
 
This is a dumb move on their part, as it opens them up to liability. They'd better hope these chips aren't used in any mission-critical applications, medical devices, or anything of the sort. I'm sure the parent of a kid who dies because the medical device wasn't working properly will totally understand that it was the fault of some unknown counterfeiter...not.


 
From a post today on a high altitude balloon mailing list:

"Microsoft issued a statement late in the evening on Thursday, confirming that the driver update had been removed from their systems."

In a follow-up, FTDI confirmed the same, adding in part:

"The recently release driver release (sic) has now been removed from Windows Update so that on-the-fly updating cannot occur. The driver is in the process of being updated and will be released next week. This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user’s hardware being directly affected."


But too late for how many innocent users? Whoever approved the destruction of innocent users' hardware in the first place should be fired, but since it probably came from some moron at high levels, that probably won't happen.
 
Amen! Buy your parts from an ECIA authorized distributor (see eciaauthorized.com) and you don't have to worry about it.

I buy serial cables from a Taiwanese vendor that I've been dealing with for 3 years, I know they're not going to screw me, and the chips are Prolific which is a Taiwanese company so they're close to the source. The newer cables have the PL2303TA chip, which works with all Windows versions without having to roll-back the driver to Vista, and as far as I know haven't been cloned... yet.

FTDI has the right to defend their intellectual property, and since the Chinese government turns a blind eye to the rampant counterfeiting that goes on there they probably felt compelled to pursue the chip-kill option.


https://www.ftdichipblog.com/?p=1053

Fair points above in the previous two points.



I am not sure. Counterfeit FTDI chips do not accidentally find their way into supply chains. It is not a "commodity" chip like a SN7401. If you are buying from an authorized distributor (digikey, Avnet, Arrow, Mouser etc) you are getting the real thing. From what I understand many of the affected units were very cheaply priced cloned products sold on eBay and the like from China.

No respectable manufacturer buys components from Alibaba.

Also this is not a new issue, there were driver compatibility issues with suspected fakes reported as early as this Feb.
https://hackaday.com/2014/02/19/ft232rl-real-or-fake/

But I am sympathetic to the argument that FTDI should not punish the users of the counterfeit products.
 
Amen! Buy your parts from an ECIA authorized distributor (see eciaauthorized.com) and you don't have to worry about it.
About that idea, the first problem with it is that the part has to actually be available from such sources:

https://www.youtube.com/watch?v=eU66as4Bbds

Much interest about this topic?

Topic: FTDI driver kills fake FTDI FT232?? (Read 99895 times)

https://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232

On this topic, the primary takeaway is don't intentionally brick hardware. Common sense, but from the video above it seems that, sure enough, the insanely stupid decision to do so was undoubtedly cleared by the CEO, an "idiot at high levels" as I suspected. His response to the EE is in the video above.
 
Amen! Buy your parts from an ECIA authorized distributor (see eciaauthorized.com) and you don't have to worry about it.
Specifically about that at 17 minutes 7 seconds into the above video:

https://www.youtube.com/watch?v=eU66as4Bbds&feature=youtu.be&t=17m7s

Member comments from his forum:

The ONLY thing that FTDI had was their name and reputation.

That value no longer exists. I can program an Atmel Tiny85 to act as a USB-to-RS232 converter for 1/4 the price of an FTDI chip. It will work with my OS's generic drivers. (And that's an expensive way of doing it).

The Arduino Uno has been doing that for years. Look at the schematic, there's an ATMega16U2 doing the job that used to be done by the FTDI chip.

On newer designs like the Arduino Leonardo the USB interface has moved to the main microcontroller chip (which now has hardware support for it). It's total integration onto a single chip.
 
FTDI parts are sourced by several ECIA authorized distributors. DigiKey is showing 214,000 of the FT232RL chips in stock. They wouldn't be carrying them if nobody bought them.

The FTDI chips add LED status displays, full hardware handshaking support, and have a high throughput; you would not be able to get that with an ATTINY. Sometimes you WANT to have the separate TTL serial support, so that you can connect your MCU to a variety of communication devices rather than being tied to USB. They all have a common interface, TTL/CMOS.
 
Even if FTDI had only popped up persistent, nagging error messages, end users would've bitched. It doesn't matter what FTDI did, if an end user was affected by it, they'd bitch and FTDI would be "wrong".

The problem is that we, as consumers, have been led to believe that we're entitled to everything we want at dirt cheap prices.

Do some reading sometime about the problems companies are having due to cheap chargers of various types. The flagrant counterfeiting is rampant across the entire spectrum of electronics.

-Kevin
 
Even if FTDI had only popped up persistent, nagging error messages, end users would've bitched. It doesn't matter what FTDI did, if an end user was affected by it, they'd bitch and FTDI would be "wrong".

The problem is that we, as consumers, have been led to believe that we're entitled to everything we want at dirt cheap prices.

Do some reading sometime about the problems companies are having due to cheap chargers of various types. The flagrant counterfeiting is rampant across the entire spectrum of electronics.

-Kevin

You have no basis for saying that at all. I would have no problem with them saying that they could not allow their drivers to work with counterfeit products. Heck, they quite possibly have a very solid case that allowing the drivers to work with products they didn't manufacture opens them up to unwanted liability.

I just don't accept your premise that they would have gotten the same reaction. I think they have done tremendous damage to their own brand.

A better way to handle this would have been to announce that future versions of their drivers would no longer work with counterfeit chips. Then publish tools for determining if products were indeed counterfeit. Then release new drivers that balked at working. Users, especially those that had no clue at all that they were in possession of fake chips, would have understood that. But going out and disabling hardware in some sort of sneak attack crosses a line. It is beyond the pale.
 
ftdi.png
 
Wow, talk about tone-deaf. Now is not the time for flippant Twitter replies to what is actually a legitimate question. Smiley or no... so why not

Update: I had something else to post here, but a network issue ate it. Why not just post a link to the distributors page on their site?

Granted FTDI really shouldn't be releasing customer info without prior consent, but this was really not the tone to take. Whoever is in charge of FTDI's Twitter account should really think carefully about how/what they post. (Or hire a REALLY good PR person)
 
So here's a question that's relevant. What devices in rocketry use these chips? Any altimeters or GPS locators? Other devices?
 
I know missileworks uses them. The USB dongle for the RRC3 has an FTDI chip.
 
Granted FTDI really shouldn't be releasing customer info without prior consent,

FTDI response was totally accurate. They said they can't identify customers not that they won't. The reason that they can is that the majority of FTDI chips are sold through distributors not direct to the manufacturer. I can tell you who the largest customers are of FTDI, Arrow Electronics, Avnet, Newark first tier, second tier, Digikey, Mouser etc.
 
MissileWorks, Featherweight and MARSA all use them.

-Kevin

Exactly. And they are probably specifying those chips to the contractor making the boards for them. And that contractor is buying the chips.

So a little company like Missile Works or Featherweight has no real way of assuring that bad chips don't work their way into the supply chain from somewhere.

If I were them, my next gen devices would be designed for different chips.

Not only that, but FTDI had compromised the entire auto-update security system by essentially pushing malware through it. I bet they are getting an earful from Microsoft about that now. If I were MS their drivers would no longer be welcome.


 
Ok - maybe I'm reading more into that reply than there is at this point. The larger point I was trying to make is that FTDI might want to be more careful with the TONE of their communications around this issue. Flippant twitter replies send the message that they don't see why this is such a big deal and why so many potential (or future, or former) customers are upset.

I've had my say - I'm not a board designer so I don't really have a dog in this race other than being worried that a product I have purchased will have sourced a fake part (either purposefully or no) and that my device will be rendered inoperable because of this kerfuffle. I'm glad that this discussion is happening and have enjoyed reading the responses.
 