Scottish design firm Future Technology Devices International (FTDI) pushed an updated driver for automated installation in Windows Update for devices that use the FT232 chipset, which converts RS-232 (specifically, UART) to USB. The driver update leaves devices that use counterfeit FTDI chips in an unusable state. After a public outcry, the update was pulled from Windows Update, but a great deal of damage had already been done.
How the exploit works
When installed, the driver software identifies the counterfeit silicon and sets the PID (Product ID) to zero, making the device unidentifiable to the driver. As a result, uninstalling the offending driver will not return devices using this chipset to a usable state. Even if the device is plugged into any other computer, running any other operating system, it will remain inoperable unless the PID is rewritten to the correct value. Although the device is not completely unrecoverable, it is effectively bricked, in that an average user would not have the ability to restore the PID that the chipset originally held in EEPROM.
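To check a fleet for the state described above, the sketch below flags FTDI-vendor devices that enumerate with a PID of zero. It is an added example, not code from FTDI or from this article. It assumes `lsusb`-style output lines, FTDI's USB vendor ID 0x0403 and the FT232 default PID 0x6001 (neither value is quoted in the article), and the sample lines are constructed.

```python
import re

FTDI_VID = 0x0403           # FTDI's USB vendor ID (assumption: not quoted in the article)
FT232_DEFAULT_PID = 0x6001  # default PID of FT232 parts (assumption, as above)
ZEROED_PID = 0x0000         # the state the article describes after the driver update

# One line of `lsusb` output: "Bus 001 Device 005: ID 0403:0000 <description>"
LSUSB_RE = re.compile(
    r"Bus (?P<bus>\d+) Device (?P<dev>\d+): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})"
)

def classify(vid, pid):
    """Label a VID/PID pair relative to the PID-zeroing behaviour."""
    if vid != FTDI_VID:
        return "other"
    if pid == ZEROED_PID:
        # Indicator only: consistent with the rewrite, not proof of a counterfeit.
        return "zeroed-pid"
    if pid == FT232_DEFAULT_PID:
        return "ft232-default"
    return "ftdi-other-pid"

def scan_lsusb(text):
    """Return one finding per FTDI-vendor device found in lsusb-style text."""
    findings = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything unparseable
        vid, pid = int(m["vid"], 16), int(m["pid"], 16)
        state = classify(vid, pid)
        if state != "other":
            findings.append({"bus": m["bus"], "device": m["dev"],
                             "id": f"{vid:04x}:{pid:04x}", "state": state})
    return findings

# Constructed sample input, not captured from a real machine.
SAMPLE = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

if __name__ == "__main__":
    for finding in scan_lsusb(SAMPLE):
        print(finding)
```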
Buried in the INF file of the latest drivers, the comments warn "Use of the Software as a driver for, or installation of the Software onto, a component that is not a Genuine FTDI Component, including without limitation counterfeit components, MAY IRRETRIEVABLY DAMAGE THAT COMPONENT." Naturally, as the driver is installed using Windows Update, this notice is not presented to the user prior to installation.
Why this is a problem
As the product in question is not generally something that end users would purchase, but rather a component to be placed in or used in conjunction with other materials and sold as a "finished good," users of counterfeit chips are likely unaware that the product they have purchased contains counterfeit chips. Accordingly, depending on how long the end user has owned the product, it is likely difficult to return the product to the vendor, or perhaps even to remember the vendor from which the product was purchased. In general, it is difficult to identify counterfeit chips by looking at them without the assistance of a microscope. The Russian R&D firm ZeptoBars did an analysis of the two chips, genuine and counterfeit.
The security implications of this move extend far beyond FTDI, however; it is of paramount importance that security updates not gain the reputation of breaking hardware previously known to be working. If this type of attack were allowed to continue unabated, users would likely become resistant to installing security updates, which would leave systems far more vulnerable to potential security issues.
What is FTDI's response?
In a posting on the company blog, FTDI acknowledged that the driver has been removed from Windows Update, noting that "FTDI will continue to follow an active approach to deterring the counterfeiting of our devices..." and that "The driver is in the process of being updated and will be released next week. This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user's hardware being directly affected."
What is your response?
In consideration of FTDI's behavior in these circumstances, are you more or less likely to purchase FTDI chips for your own projects, or products that use FTDI chips in finished goods? Does the prospect of having devices marketed as FTDI disabled by driver updates make you wary of purchasing any FTDI-branded chips altogether due to the possibility of buying a counterfeit? Let us know your thoughts in the comments.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.