
FTDI on counterfeit chip bricking: “Our intentions were honorable”

"Less intrusive" measures may just annoy users and not help prevent piracy.

All in all, FTDI's counter-counterfeit maneuvers are just another brick in a wall that pirates will bypass and customers will run into.

A driver update from the Scottish electronics firm FTDI that intentionally “bricked” USB devices with counterfeit FTDI chips has been removed from Windows Update by the firm. The move follows an uproar from users who found devices they thought used the company’s chips disabled without warning. However, the company plans on re-releasing the update with code that “will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means there is no risk of end user’s hardware being directly affected,” the company’s CEO said in a statement.

While the changes made in the firmware of chips affected by the driver’s counter-counterfeiting code can be reversed, there are questions about whether what FTDI did in the name of protecting the company’s intellectual property was ethical—or even legal. Commenting on FTDI’s driver tactics through Twitter, American Civil Liberties Union principal technologist Christopher Soghoian said, “It isn’t a stretch to view FTDI’s intentional bricking of chips as an unfair business practice.” Others were concerned that the move undermined the security of Windows’ automatic update system, possibly discouraging users from applying security updates in the future.

In a post to the company’s blog, FTDI CEO Fred Dart apologized for the move.

As you are probably aware, the semiconductor industry is increasingly blighted by the issue of counterfeit chips and all semiconductor vendors are taking measures to protect their IP and the investment they make in developing innovative new technology. FTDI will continue to follow an active approach to deterring the counterfeiting of our devices, in order to ensure that our customers receive genuine FTDI product. Though our intentions were honorable, we acknowledge that our recent driver update has caused concern amongst our genuine customer base. I assure you, we value our customers highly and do not in any way wish to cause distress to them.

But those assurances haven’t calmed users of hardware affected by the initial driver update or others in the “maker” community who frequently use hardware based on FTDI’s USB chip to connect their own creations to computers. The scandal has drawn comparisons to the infamous Sony copy protection “rootkit” scandals of 2005 and 2007, in which Sony installed software onto music CDs that essentially hacked customers’ personal computers to prevent file sharing.

The motivations behind FTDI’s measures are understandable. Cheap counterfeit versions of their USB-to-serial adapter chip have been hurting the company’s profitability and leveraging FTDI’s software. But FTDI’s driver software was different from the Sony copy-protection scheme and similar counter-piracy measures in that it targeted people who had no way of knowing they were using a counterfeit product.

Unfortunately, the company’s plans for less intrusive anti-counterfeiting measures may end up doing little more than annoying end users, and those deliberately using counterfeit hardware will likely circumvent the measures easily anyway. Microsoft Windows’ history of counter-piracy offers a textbook example of that.

Genuine disadvantage

Microsoft’s efforts to fight counterfeit software date back to its release of Windows XP, which rapidly became one of the most pirated operating systems ever. That still persists on computers worldwide despite the end of support from Microsoft. The counterfeiting and piracy of XP went on in the face of Microsoft’s “Windows Genuine Advantage” (WGA) program—a software tool that the company started providing to customers in the early 2000s that became mandatory for Windows XP updates in 2005. WGA was also part of Windows Vista and Windows 7.

Ultimately, WGA didn’t entirely disable computers when it detected a counterfeit copy of Windows. Instead, it blocked non-critical software updates from Microsoft and used a number of “nagging” features. For example, WGA would change the wallpaper to a plain black background and pop up a message box alerting the user. But if the user never connected to the Internet, or used a firewall or other measures to prevent the computer from contacting Microsoft, none of these measures could kick in because the software depended on a “phone home” feature to validate the license code used to install the operating system.

At one point with Windows Vista, Microsoft gave the user a limited amount of time to fix the problem before turning off features by switching to a “reduced functionality” mode. This approach was eventually dropped in favor of further messages. In part, that was because legitimate users would often find themselves slammed by WGA if they made changes to their computers’ configurations, such as adding memory or changing a graphics adapter card. And while the software allowed Microsoft to gather information that led to some cases against distributors of counterfeit copies of Windows, it didn’t put an end to counterfeiting and piracy—especially in China, where at one point a majority of personal computers ran counterfeit versions of Windows XP.

Catch 22 for “customers”

In his statement, FTDI CEO Dart reiterated that “we recommend to all our customers, to guarantee genuine FTDI products please purchase either from FTDI directly or from one of our authorized distributors.” But FTDI’s customers are often not the end-users of its products, and there’s no way for them to identify whether their hardware comes from a legitimate FTDI customer or from someone who purchased bad chips through an unscrupulous distributor. That’s because FTDI isn’t about to share its customer list with anyone, as per this Twitter exchange with complaining users:

An interaction between an FTDI spokesperson and users on Twitter. Playing coy may just lose customers.

Not knowing who is and isn’t a legitimate source of hardware based on FTDI chips may end up having a negative effect on all of FTDI’s business. Cautious end-user customers may need to simply avoid purchasing anything apparently based on the technology to entirely avoid the threat of “nagware” or chips failing to function. And those affected by the original, intentionally damaging driver update may still come after the company for damages.

The problem spans further than just a USB-to-serial chip and its driver, however. By distributing an anti-piracy tool as part of a driver update, “FTDI has threatened the entire security-critical ecosystem of silent automatic updates,” tweeted Dan Kaminsky, chief scientist at information security firm White Ops. “It’s not optional to manage this.”
