Windows Update drivers bricking USB serial chips beloved of hardware hackers

[DRDNA]

Well this is interesting! Listen up Windows Support people.


http://arstechnica.com/information-...usb-serial-chips-beloved-of-hardware-hackers/

 

[FordGT90Concept]

*snnniiiiiiifffffffff* I smell a lawsuit brewing against FTDI and I wouldn't be surprised if it puts them out of business.

 

[DRDNA]

I can just see it now in the R&D department at work.... there are 50+ scientist running around screaming for the IT Technician as if the IT Technician one their personal assistant and 50+ secretaries doing the same thing.....lolz fun days at work.

 

[lilhasselhoffer]

....

No. No lawsuits, no legal actions, and no repercussions for FTDI.

FTDI is responsible for the most venerable, and thus most copied chips, on the market. They are made along side cheap knock-offs in the same Chinese factories. Because the manufacturers are functionally the same, the visual appearance of each chip is functionally identical. Attempting to cite piracy of IP, and actually go after the manufacturers, would therefore be impossible.

What FTDI did was the only thing they really could do. They laid the hammer on the chips that act like theirs, but that aren't up to the same quality standards. This means that the consumers get the middle finger because some idiot saved a couple of cents a chip on knonk-off parts. Consumers get angry, but almost nobody will single out a component manufacturer. People complain to the maker of the device, the device maker researches the failure, and finds a single chip caused the issue, they bounce it back to the chip "manufacturer," who demonstrates that the chip is infringing on their IP. FTDI gets the suppliers who are infringing on their IP, and they don't bear any culpability because the update for their chips broke none of their products.


This is a huge a-hole move for consumers, but it's smart for FTDI. Zero culpability, easy tracking of counterfeit producers, and people will be asking for their products in the future (to prevent another bricking). Weasel move, if very effective.

 

[FordGT90Concept]

These people, even for a counterfeit product, still paid money for a product and FTDI intentionally broke them by modifying the code on the device. FTDI had the right to disallow other manufacturers from using their drivers but they do not have the right to damage other manufacturer's products. FTDI will get class-action sued and they will lose. They crossed the line with that stunt.

What FTDI did would be no different than NVIDIA PhysX drivers intentionally bricking AMD graphics cards. Not acceptable, ever.

 

[lilhasselhoffer]

These people, even for a counterfeit product, still paid money for a product and FTDI intentionally broke them by modifying the code on the device. FTDI had the right to disallow other manufacturers from using their drivers but they do not have the right to damage other manufacturer's products. FTDI will get class-action sued and they will lose. They crossed the line with that stunt.

What FTDI did would be no different than NVIDIA PhysX drivers intentionally bricking AMD graphics cards. Not acceptable, ever.

You have precedent going against you here. While your response is the all too human middle finger (my emotional reaction was the same, though logically I cannot justify it), this is a legal matter.

Updating your devices requires a user agreement, which in general basically states that the code you install (even if it's from the manufacturer) is your own responsibility. The manufacturer provides the code under the auspices of support for their products, and expressly states that it is not to be used on other manufacturers' devices. That means they've legally insulated themselves from repercussion, assuming someone else uses their drivers. Assuming the driver update isn't enough of a legal barrier, FTDI claims no culpability in the damage because none of their goods were involved with anything. Physical good protection does not extend to software, so you've got no recourse on the grounds of intentional damage to property.

Finally, FTDI turns this into a problem for the manufacturers. They might well initiate a suit against FTDI, but consider the foolishness in that for a minute. Did FTDI intentionally damage their own product; no. Did FTDI damage product using code which still allowed their product to demonstrably work; yes. Can FTDI immediately prove such actions did not violate their own terms, and that the damaged goods were in fact infringing upon their intellectual property; yes. Could any half decent lawyer basically say FTDI is completely free of responsibility, despite the malicious intent of damaging counterfeit hardware; easy.



So you understand, your argument is flawed. It would be like if Saratoga corporation (fictional GPU manufacturer) created video cards. They didn't develop their own drivers, they just copied the hardware from Nvidea so that they spent 1/4 the price on reverse engineering it and none of the money on driver support because they just used Nvidea drivers. After a decade Nvidea gets angry that their sales are being scalped by Saratoga because their prices were lower. Nvidea releases their next driver with a unique section of code which will force black screens on hardware that Nvidea does not produce (because of a redundancy they built-in to the hardware that Saratoga stripped out to save money). Saratoga chips are sold through N Corp, S Corp, and X Corp to consumers. Each of these corporations is flooded with complaints over bricked cards, and they find out that it was an Nvidea driver causing it. The manufacturers sue Nvidea, who immediately say that their driver doesn't damage their products. Saratoga meanwhile is SOL. They need to spend money on driver development, but don't make money that way. The consumer gets royally screwed, and Saratoga and the manufacvturers duke it out in court for the next decade.

In this hypothetical scenario Saratoga is a pirate outfit. They steal IP, profit from it, and aren't culpable until Nvidea lays the boot down and breaks the cards. Is Nvidea a dick for doing this; yep. Does it wind up damaging the counterfeit market; yep. Dick move, but 100% legal for them to do that.

 

[Steevo]

Considering the number of cheap counterfeit USB to RS232 adapters that don't meet advertised specifications due to the the end manufacturer putting a knock off chip in, I agree completely with their choice.


I got one a few years ago, and it caused a firmware update to fail, it was unable to handle 115K and froze during a update that damaged a $5,000 navigation controller, I bought and paid $29 for the real deal from newegg, but didn't get what I paid for. It cost hundreds of dollars to ship in the Controller to be wiped and reset at the factory, plus downtime, freight, and me looking like an asshole. Newegg send back quite a few to a manufacturer, which i am sure ended up on the market later running low speed devices. I got another from Best Buy this year, it works great at 48K, anything above and it gets flaky, and the only way to know the difference is to try it. Fortunately I now know I can test it on GPS receivers first at high speed and if it fails its crap.

But who gets the bad rap for the failures, support calls? Its much cheaper to make a chip with a tiny buffer than to make one that can handle the full monte, and the high side of voltages too.

 

[newtekie1]

I smell a lawsuit brewing against FTDI and I wouldn't be surprised if it puts them out of business.

How would they be liable in any way? They develop drivers for THEIR hardware. If people have been choosing to use that driver on non-FTDI hardware, and the new driver breaks that, it isn't FTDI's fault. FTDI has no obligation to continue to support other vendor's hardware.

These people, even for a counterfeit product, still paid money for a product and FTDI intentionally broke them by modifying the code on the device. FTDI had the right to disallow other manufacturers from using their drivers but they do not have the right to damage other manufacturer's products. FTDI will get class-action sued and they will lose. They crossed the line with that stunt.

What FTDI did would be no different than NVIDIA PhysX drivers intentionally bricking AMD graphics cards. Not acceptable, ever.

They paid money for the hardware, they did not pay FTDI for the driver. Their beef it with the hardware manufacturer that illegally used FTDI's driver, not FTDI.

And you comparison is wrong. In your comparison you are talking about a a driver that has nothing to do with the part it would brick. That isn't the case here. A better comparison would be if AMD graphics cards were using nVidia's graphics card drivers. So nVidia decided to change the driver to prevent AMD from using it with their cards, bricking AMD's cards. It isn't nVidia's fault, they are paying to develop and support the driver for their cards. AMD should be using their own drivers, not stealing other's work.

And basically the argument in court would be:

Plantiff: I was illegally using FTDI's drivers with my hardware that falsely identified itself as FTDI hardware and FTDI released an update that caused damaged to my hardware.
Defendant: Um...did you seriously just admit to illegally using our software and counterfieting our hardware?!? I think we'll go ahead an counter sue at this point.
Judge: Judgement for the Defendant.

There is no way to go after FTDI without openly admitting to illegally using their drivers with counterfeit hardware.

 

[eidairaman1]

FTDI is protecting their ip.

 

[twilyth]

I'm not so sure FTDI has no liability if they intentionally wrote the drivers to make counterfeit chips unusable - even if people reverted to old drivers. This is the sort of self-help remedy that the law generally frowns upon. It's a little like finding your car was stolen, tracking it down only to find it was sold to someone else and then nuking it.

Certainly FTDI would have the right to make drivers that would not run on counterfeit hardware. But to create ones that actually destroy the hardware is something very different.

Presumably they had their attorneys sign off on this move. For their sake though, I hope their attorneys were thorough and gave them good advice. Personally I have my doubts about that.

 

[eidairaman1]

It be like if people with knock off iphones had their stuff squelched.

 

[lilhasselhoffer]

I'm not so sure FTDI has no liability if they intentionally wrote the drivers to make counterfeit chips unusable - even if people reverted to old drivers. This is the sort of self-help remedy that the law generally frowns upon. It's a little like finding your car was stolen, tracking it down only to find it was sold to someone else and then nuking it.

Certainly FTDI would have the right to make drivers that would not run on counterfeit hardware. But to create ones that actually destroy the hardware is something very different.

Presumably they had their attorneys sign off on this move. For their sake though, I hope their attorneys were thorough and gave them good advice. Personally I have my doubts about that.

Anybody actually reading this? The error is basically something that can be fixed with some minor technical skills. The identification is set to 0, which counterfeit chips don't like. There is a work-around, which manually changes the identification back to useable numbers, and already a host of people working on software easy patching that will make the process more idiot resistant. If FTDI wanted these chips bricked they could have done worse. No permanent damage, no damage to their products, and no real legal recourse from anyone makes this a dick move that benefits FTDI immensely.


There is no damage to the chips. They are only rendered bricked for a short time, assuming users don't have the skill to fix them themselves.

 

[newtekie1]

I'm not so sure FTDI has no liability if they intentionally wrote the drivers to make counterfeit chips unusable - even if people reverted to old drivers. This is the sort of self-help remedy that the law generally frowns upon. It's a little like finding your car was stolen, tracking it down only to find it was sold to someone else and then nuking it.

Certainly FTDI would have the right to make drivers that would not run on counterfeit hardware. But to create ones that actually destroy the hardware is something very different.

Presumably they had their attorneys sign off on this move. For their sake though, I hope their attorneys were thorough and gave them good advice. Personally I have my doubts about that.

Couple things to consider from the article though:

1.) No one is even sure if this is done purposely from FTDI or if the new driver is just sending signals to the counterfeit parts that cause them to freak out.
2.) FTDI has a tool to recover broken parts.

Though, again FTDI is pretty untouchable here. To bring up a suit against them you'd have to admit that you were making counterfeit parts and fraudulently using their driver. When you are using something fraudulently, you can't sue when it doesn't work correctly or damages something. The fact comes down to the point that you shouldn't have been using it in the first place.

 

[twilyth]

Anybody actually reading this? The error is basically something that can be fixed with some minor technical skills. The identification is set to 0, which counterfeit chips don't like. There is a work-around, which manually changes the identification back to useable numbers, and already a host of people working on software easy patching that will make the process more idiot resistant. If FTDI wanted these chips bricked they could have done worse. No permanent damage, no damage to their products, and no real legal recourse from anyone makes this a dick move that benefits FTDI immensely.


There is no damage to the chips. They are only rendered bricked for a short time, assuming users don't have the skill to fix them themselves.

Good point. I missed that on the first read. However for the average user, a device using a counterfeit chip will, for all practical purposes, be rendered useless since they don't have the technical expertise to change the PID. FTDI would have to realize that. So the end result in the vast majority of cases is that users would discard the chips rather than attempt to have them repaired since it simply wouldn't be cost effective for them. When something costs more to fix than it is worth, that would be considered effectively destroying the item.

1.) No one is even sure if this is done purposely from FTDI or if the new driver is just sending signals to the counterfeit parts that cause them to freak out.

This is the real issue from a legal standpoint. If FTDI knew or even if they could reasonably have been expected to know that their update would have this result, that would constitute constructive intent. It's like driving your car into a crowd of people. If someone dies, you can still be held criminally liable since you should have been able to see the likely result of your actions.

In terms of who would have the right to sue, certainly the end users would. They purchased the counterfeit chips in good faith and had no way of determining the FTDI products from the bogus ones. So a class action would make some law firm quite a lot of money.

 

[Steevo]

the amount of butt-hurt in this thread for counterfeit devices that may be causing a myriad of other issues they don't want to support or be blamed for is amazing. We have some saying they are as liable as a murderer, some comparing it to AMD selling a Nvidia card.


FTDI makes a chip. It cost them to design, engineer and manufacture it, money to build drivers, get them certified, and distribute.

A knock off company makes a cheaper chip, uses their device ID and sells to to the final fabricator for less than FTDI, people buy the cheaper version that says its good, FTDI gets blamed when they have issues.


This is like going to buy a Ford, Chevy, dodge, or whatever car, only to find that it won't go 75 on the interstate, you take it back to the dealership and call Ford, and they say, here install this new software, which prevents the car from starting as it only has 2 cylinders instead of 8, and when it doesn't start you want to sue them as you bought a Dihatsu Furd F-015 that was $10,000 cheaper?

Tough shit princess, take it back, get your money back and buy a real F-150 or realize that sometime things are cheaper for a reason.

 

[twilyth]

the amount of butt-hurt in this thread for counterfeit devices that may be causing a myriad of other issues they don't want to support or be blamed for is amazing. We have some saying they are as liable as a murderer, some comparing it to AMD selling a Nvidia card.


FTDI makes a chip. It cost them to design, engineer and manufacture it, money to build drivers, get them certified, and distribute.

A knock off company makes a cheaper chip, uses their device ID and sells to to the final fabricator for less than FTDI, people buy the cheaper version that says its good, FTDI gets blamed when they have issues.


This is like going to buy a Ford, Chevy, dodge, or whatever car, only to find that it won't go 75 on the interstate, you take it back to the dealership and call Ford, and they say, here install this new software, which prevents the car from starting as it only has 2 cylinders instead of 8, and when it doesn't start you want to sue them as you bought a Dihatsu Furd F-015 that was $10,000 cheaper?

Tough shit princess, take it back, get your money back and buy a real F-150 or realize that sometime things are cheaper for a reason.

That would be a legitimate argument if you can successfully argue that end users had some way of knowing that the devices they bought didn't contain real FTDI hardware. I'm not sure that even then it would be a successful argument, but it would be a step in the right direction at least.

However from what I've been able to gather, that wasn't the case. If the only argument you can make against the end users that bought the counterfeits was that they didn't pay enough and therefore should have known, that's simply ridiculous. In a situation where there is a gross difference in price between say a genuine Rollex and a knockoff Bollex, sure, then you would have a point. But again, as far as I can understand this particular market, that wasn't the case here.

 

[de.das.dude]

holy crap! i have updates turned off i hope it did not sneakily update! i use arduino!

 

[newtekie1]

In terms of who would have the right to sue, certainly the end users would. They purchased the counterfeit chips in good faith and had no way of determining the FTDI products from the bogus ones. So a class action would make some law firm quite a lot of money.

In that case, the end users claim would be with the counterfeiter not FTDI.

If someone sells you a stolen car, and the actual owner of the car activates the security system disabling the ignition, making "your" car useless, would you sue the original owner of the car? No. You'd go after the person that sold it to you.

That would be a legitimate argument if you can successfully argue that end users had some way of knowing that the devices they bought didn't contain real FTDI hardware. I'm not sure that even then it would be a successful argument, but it would be a step in the right direction at least.

However from what I've been able to gather, that wasn't the case. If the only argument you can make against the end users that bought the counterfeits was that they didn't pay enough and therefore should have known, that's simply ridiculous. In a situation where there is a gross difference in price between say a genuine Rollex and a knockoff Bollex, sure, then you would have a point. But again, as far as I can understand this particular market, that wasn't the case here.

Doesn't matter. The end user's claim is with the counterfeiter, not FTDI.

Furthermore, FTDI has an official sales network list on their website. So if you didn't buy from one of the authorized dealers, it is pretty obvious you are getting a counterfeit.

 

[eidairaman1]

the amount of butt-hurt in this thread for counterfeit devices that may be causing a myriad of other issues they don't want to support or be blamed for is amazing. We have some saying they are as liable as a murderer, some comparing it to AMD selling a Nvidia card.


FTDI makes a chip. It cost them to design, engineer and manufacture it, money to build drivers, get them certified, and distribute.

A knock off company makes a cheaper chip, uses their device ID and sells to to the final fabricator for less than FTDI, people buy the cheaper version that says its good, FTDI gets blamed when they have issues.


This is like going to buy a Ford, Chevy, dodge, or whatever car, only to find that it won't go 75 on the interstate, you take it back to the dealership and call Ford, and they say, here install this new software, which prevents the car from starting as it only has 2 cylinders instead of 8, and when it doesn't start you want to sue them as you bought a Dihatsu Furd F-015 that was $10,000 cheaper?

Tough shit princess, take it back, get your money back and buy a real F-150 or realize that sometime things are cheaper for a reason.

I definitely Agree, FTDI is only trying to protect their ip.

 

[Steevo]

That would be a legitimate argument if you can successfully argue that end users had some way of knowing that the devices they bought didn't contain real FTDI hardware. I'm not sure that even then it would be a successful argument, but it would be a step in the right direction at least.

However from what I've been able to gather, that wasn't the case. If the only argument you can make against the end users that bought the counterfeits was that they didn't pay enough and therefore should have known, that's simply ridiculous. In a situation where there is a gross difference in price between say a genuine Rollex and a knockoff Bollex, sure, then you would have a point. But again, as far as I can understand this particular market, that wasn't the case here.

No, this is where you have a choice to return it, enough people get together and hold a class action suit against the fraudulent end manufacturer and the free market does what is right.

It isn't FTID's fault that Arduino was too cheap to use the real product, and user who bought it as it may have been cheaper should be protected by the consumer laws. Arduino should be one of the ones to pay however, they made the money by selling a known counterfeit product.

back to the car example, if I look at 10 Cars, and they all cost the same, and here is one and its significantly less, should i not be somehow liable for not using my brains at all and just buying it? Is this the type of society you are after? One that doesn't have to think, just buy whatever crap is the cheapest and its all perfectly the same? In that scenario I would like to sell you a Ferrari for $8000 dollars, it looks like a van, and the steering wheel may say GMC, but its really a Ferrari, since you can't go faster than the speed limit how would you ever know?

 

[twilyth]

In that case, the end users claim would be with the counterfeiter not FTDI.

If someone sells you a stolen car, and the actual owner of the car activates the security system disabling the ignition, making "your" car useless, would you sue the original owner of the car? No. You'd go after the person that sold it to you.



Doesn't matter. The end user's claim is with the counterfeiter, not FTDI.

Furthermore, FTDI has an official sales network list on their website. So if you didn't buy from one of the authorized dealers, it is pretty obvious you are getting a counterfeit.

End users would obviously have a claim against the counterfeiters as well. That's certainly true. But the issue here would be illegal destruction of property. The mere fact that someone infringes your intellectual property doesn't, AFAIK, give you the right to destroy devices made using your IP. If I happen to be wrong about that, then FTDI has no issues. But I'll be very surprised if I am.

The accepted recourse for IP infringement is a lawsuit. The fact that you might not be able to pursue a cause of action against the violators isn't the problem of the end users, it's yours. Deliberately destroying hardware that someone purchased in good faith just because of an IP violation is a bit different than the stolen car example.

As far as buying from authorized dealers, that might be a valid point. It would depend on how much of a burden a court would want to place on consumers in doing due diligence before buying a product. I seriously doubt though that a court is going to expect this in the case of something that is widely marketed and incorporated into other devices such that the end user can't really tell if a device is using a genuine FTDI product or something else.

 

[twilyth]

No, this is where you have a choice to return it, enough people get together and hold a class action suit against the fraudulent end manufacturer and the free market does what is right.

It isn't FTID's fault that Arduino was too cheap to use the real product, and user who bought it as it may have been cheaper should be protected by the consumer laws. Arduino should be one of the ones to pay however, they made the money by selling a known counterfeit product.

back to the car example, if I look at 10 Cars, and they all cost the same, and here is one and its significantly less, should i not be somehow liable for not using my brains at all and just buying it? Is this the type of society you are after? One that doesn't have to think, just buy whatever crap is the cheapest and its all perfectly the same? In that scenario I would like to sell you a Ferrari for $8000 dollars, it looks like a van, and the steering wheel may say GMC, but its really a Ferrari, since you can't go faster than the speed limit how would you ever know?

As I said, if there is a gross difference in price, you're starting to make a valid point but as I understand it, that wasn't the case here. My understanding is that the use of counterfeits didn't save manufacturers a great deal of money, but if I'm wrong about that, ok.

Even in that case though, as I said above, you still have the issue of illegal destruction of property. No one will contest that FTDI has the right to protect their IP. What I don't believe they have the right to do however is destroy products that happen to infringe on that IP.

 

[Frick]

This could set an interesting prescedent considering how many counterfeits everything there is. If they get away with it, why shouldn't others? If they don't get away with it, is it open season then?

 

[newtekie1]

But the issue here would be illegal destruction of property. The mere fact that someone infringes your intellectual property doesn't, AFAIK, give you the right to destroy devices made using your IP. If I happen to be wrong about that, then FTDI has no issues. But I'll be very surprised if I am.

They are allowed to change their software any way they wish as long as their products that use it to continue to work properly. Their software is designed for their hardware. If the software breaks other hardware that is using the software illegally, intentionally or not, they are not liable. It sucks for the end user, but any way you shake it FTDI is not liable.

 

[twilyth]

They are allowed to change their software any way they wish as long as their products that use it to continue to work properly. Their software is designed for their hardware. If the software breaks other hardware that is using the software illegally, intentionally or not, they are not liable. It sucks for the end user, but any way you shake it FTDI is not liable.

Well, yes and no. If it was unintentional in the sense that FTDI couldn't reasonably have foreseen that their driver changes would brick counterfeit hardware, then yes, I can't see FTDI being liable to anyone. Shit happens.

But if what they did IS deemed intentional, whether actually or constructively, then it becomes an intentional tort in my book.

Remember, other manufacturers still provided something of value in producing their counterfeit products. It cost time, labor and resources to make the the bogus chips. It's not those things were stolen from FTDI, only the IP was stolen. So FTDI's legal remedy is to sue the people infringing their IP, not to deliberately destroy all of the chips that infringed their IP.