FTDI admits to bricking innocent users' chips in silent update

The Rocketry Forum

Ok - maybe I'm reading more into that reply than there is at this point. The larger point I was trying to make is that FTDI might want to be more careful with the TONE of their communications around this issue. Flippant twitter replies send the message that they don't see why this is such a big deal and why so many potential (or future, or former) customers are upset.

Correct, FTDI should stay off Twitter. Nothing good comes from Twitter.
 
Exactly. And they are probably specifying those chips to the contractor making the boards for them. And that contractor is buying the chips.

So a little company like Missile Works or Featherweight has no real way of assuring that bad chips don't work their way into the supply chain from somewhere.

Yes they do. You work with a contractor you trust and specify they buy the commodities from authorized distributors, or you supply the components. Component cost is a pass-along. CM's (contract manufacturers) simply do not ever alternatively source components without the consent of the client, unless it's a commodity component (resistors, caps, inductors).

In my case I quote the components from the suppliers not the CM.
 
They have probably just flushed their company down the toilet. Time for employees to start updating resumes and thinking about what office equipment will be up for grabs when the layoffs start.

The thing with this is that FTDI did not only screw their intended target, the users of fake chips --- they also screwed their LEGITIMATE paying customers. Those customers are making products to sell to end users. And end users are not going to want FTDI chips in their devices, legit or fake, because they have no way of knowing if they really are legit. Why take a chance? Just buy something that does not use FTDI. Current legitimate customers of FTDI are surely already looking for alternatives, just so they don't have to deal with that question being raised by their end users. You won't keep your own customers if you cause doubt among THEIR customers, and FTDI just violated that.

You can argue back and forth all day whether FTDI was within their rights to disable fake FTDI chips, but that's really a legal and/or ethical question. As a practical business move, it was really stupid.
 
Yes they do. You work with a contractor you trust and specify they buy the commodities from authorized distributors, or you supply the components. Component cost is a pass-along. CM's (contract manufacturers) simply do not ever alternatively source components without the consent of the client, unless it's a commodity component (resistors, caps, inductors).

In my case I quote the components from the suppliers not the CM.

This ignores supply chain realities. Contract manufacturers are not supposed to substitute. But it happens.

Companies are not supposed to supply malware through the auto-update feature of Windows, either. But guess what...

Sent from my iPhone using Rocketry Forum
 
They have probably just flushed their company down the toilet. Time for employees to start updating resumes and thinking about what office equipment will be up for grabs when the layoffs start.

The thing with this is that FTDI did not only screw their intended target, the users of fake chips --- they also screwed their LEGITIMATE paying customers. Those customers are making products to sell to end users. And end users are not going to want FTDI chips in their devices, legit or fake, because they have no way of knowing if they really are legit. Why take a chance? Just buy something that does not use FTDI. Current legitimate customers of FTDI are surely already looking for alternatives, just so they don't have to deal with that question being raised by their end users. You won't keep your own customers if you cause doubt among THEIR customers, and FTDI just violated that.

You can argue back and forth all day whether FTDI was within their rights to disable fake FTDI chips, but that's really a legal and/or ethical question. As a practical business move, it was really stupid.

Exactly. Very well said.


Sent from my iPhone using Rocketry Forum
 
This ignores supply chain realities. Contract manufacturers are not supposed to substitute. But it happens.

It doesn't ignore realities. I've been in this business 36 years. CM's do not substitute high value component sourcing without the client's consent. What has been your experience?

Edit: The "because it can happen it will happen" argument is not a measure of actual occurrence rate. Your cell phone battery can explode and burn your privates off. But it is so rare that you shouldn't worry about it. Can a reputable CM substitute a part without consent of the client? Sure, but it is a very rare occurrence, maybe 1 per 100,000 runs? Then what are the odds that that rare substitution contains a fake part? The combination is rare indeed. It is WAY more likely to get a defective genuine part than an accidental fake.
 
In the same post you said reputable CMs don't do it, but that it is rare. My experience is not as great as yours in electronics but I have seen marine electronics with the wrong parts before.

The fact remains that I do not want products from a manufacturer who is willing to sneak malware onto my computer. This includes Sony with their root kit fiasco years ago. It includes altimeters with FTDI parts in them.

Make your own decisions, but I'm not buying those parts any more when I can avoid it, and that means that I am not buying products that contain them. I consider ftdi's actions to be highly unethical and a complete breach of security standards and protocols.


Sent from my iPhone using Rocketry Forum
 
... FTDI had compromised the entire auto-update security system by essentially pushing malware through it. I bet they are getting an earful from Microsoft about that now. If I were MS their drivers would no longer be welcome.

I'm sure Microsoft is letting them have it right now. This is another reason the whole idea was so stupid!

They didn't consider the blowback on their own customers when end users start calling up to ask if it is safe to allow automatic Windows updates, or if the update is going to kill their devices. And they didn't consider the blowback on Microsoft and other companies when people start blaming the Windows update for ruining their gear. Microsoft and every other company who sends out critical fixes through Windows automatic updates wants people to have faith in that system and not to worry or be reluctant to update because the last time they did it, it killed off some piece of equipment they had paid good money for. This stunt is going to shake faith in the automatic update system, and I bet FTDI will pay a price for compromising that faith.
 
I'm sure Microsoft is letting them have it right now. This is another reason the whole idea was so stupid!

They didn't consider the blowback on their own customers when end users start calling up to ask if it is safe to allow automatic Windows updates, or if the update is going to kill their devices. And they didn't consider the blowback on Microsoft and other companies when people start blaming the Windows update for ruining their gear. Microsoft and every other company who sends out critical fixes through Windows automatic updates wants people to have faith in that system and not to worry or be reluctant to update because the last time they did it, it killed off some piece of equipment they had paid good money for. This stunt is going to shake faith in the automatic update system, and I bet FTDI will pay a price for compromising that faith.

I could not agree more.


Sent from my iPhone using Rocketry Forum
 
Microsoft has released a statement and rolled back two versions of the FTDI driver to prevent counterfeit chips from being bricked.

The affected versions of the FTDI driver are 2.11.0 and 2.12.0, released on August 26, 2014. The latest version of the driver that does not have this chip bricking functionality is 2.10.0.0, released on January 27th. If you’re affected by the latest driver, rolling back the driver through the Device Manager to 2.10.0.0 will prevent counterfeit chips from being bricked.

You might want to find a copy of the 2.10.0 driver; this will likely be the last version of the FTDI driver to work with counterfeit chips.
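An added check for the driver versions named in the post above (this script is not from the thread, from FTDI or from Microsoft): it inventories the FTDI drivers Windows reports and flags any at or above 2.11.0, the first version the post says disables counterfeit chips. The "FTDI" match on the manufacturer, device name and INF name is an assumption about how the driver identifies itself; the script reports only the driver version and cannot tell whether an attached chip is genuine.

```powershell
# Added example: flag installed FTDI driver versions reported (in the post above)
# to disable counterfeit chips. Versions 2.11.0 / 2.12.0 are the affected ones and
# 2.10.0.0 the last one without that behaviour, per the thread. Run in an elevated
# PowerShell session; the 'FTDI' match strings are an assumption.

$LastSafeVersion   = [version]'2.10.0.0'   # last version without the behaviour (from the post)
$FirstRiskyVersion = [version]'2.11.0'     # first version with it (from the post)

# Win32_PnPSignedDriver lists every signed driver bound to a PnP device.
$ftdiDrivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object {
        ($_.Manufacturer -match 'FTDI') -or
        ($_.DeviceName   -match 'FTDI') -or
        ($_.InfName      -match 'ftdi')
    }

if (-not $ftdiDrivers) {
    Write-Output 'No FTDI drivers found in the PnP signed-driver inventory.'
    return
}

foreach ($d in $ftdiDrivers) {
    $ver = $null
    if (-not [version]::TryParse($d.DriverVersion, [ref]$ver)) {
        Write-Output ("{0}: unparseable DriverVersion '{1}'" -f $d.DeviceName, $d.DriverVersion)
        continue
    }

    if ($ver -ge $FirstRiskyVersion) {
        $status = 'FLAG: version reported to disable counterfeit chips; consider rolling back to 2.10.0.0 via Device Manager'
    } elseif ($ver -le $LastSafeVersion) {
        $status = 'ok: at or below the last version reported not to have that behaviour'
    } else {
        $status = 'unknown: between the two versions named in the thread'
    }

    [pscustomobject]@{
        Device        = $d.DeviceName
        Inf           = $d.InfName
        DriverVersion = $d.DriverVersion
        DriverDate    = $d.DriverDate
        Status        = $status
    }
}
```

Re-run the check after each Windows Update cycle, since an automatic update can reinstall a newer driver package over a manual rollback.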
 
They have probably just flushed their company down the toilet. Time for employees to start updating resumes and thinking about what office equipment will be up for grabs when the layoffs start.

The thing with this is that FTDI did not only screw their intended target, the users of fake chips --- they also screwed their LEGITIMATE paying customers. Those customers are making products to sell to end users. And end users are not going to want FTDI chips in their devices, legit or fake, because they have no way of knowing if they really are legit. Why take a chance? Just buy something that does not use FTDI. Current legitimate customers of FTDI are surely already looking for alternatives, just so they don't have to deal with that question being raised by their end users. You won't keep your own customers if you cause doubt among THEIR customers, and FTDI just violated that.

You can argue back and forth all day whether FTDI was within their rights to disable fake FTDI chips, but that's really a legal and/or ethical question. As a practical business move, it was really stupid.

I guess 90% of FTDI's end customers don't care. They either only know that a D-SUB connector won't fit into their USB port or they have no idea that their device still uses a UART internally, despite the external USB port. Manufacturers on the other hand, at least the reputable ones, are mostly concerned with a product that works well and won't cause them a customer service nightmare. In this regard, FTDI is still going strong. I had problems with the above mentioned ATMega16U2 solution as well as a Prolific that both went away after switching to FTDI. After 100+ FTDI adapters, the worst I have seen was the need to update or reinstall the driver in rare cases (if it is a corrupted driver, it is probably not even FTDI's fault).

FTDI's approach might have been an overreaction or a bit of a jerk move - I'm not sure where I stand in this regard - but this won't cause me to drop my supplier of choice.

Reinhard
 