The response from FTDI seems to indicate that they’re aware of what’s going on and this isn’t some accident.
Wow. Talk about a big, fat FUCK YOU to everyone bit by this. I think Twitter user @macegr sums it up nicely:
.@FTDIChip @davbbley @mikelectricstuf Your [FTDI’s] response to a supply chain issue is the digital equivalent of sugaring end users' gas tanks?
…and a day later, that link is now dead and Mr. CEO is in full damage-control mode: http://www.ftdichipblog.com/?p=1053
“Though our intentions were honorable…”
I’ve contacted Microsoft to report the issue, both by phone and by email to their security folks. Response by email has been prompt and efficient. I spent half an hour being bounced around various people by phone, with everyone I spoke to unable to assist with the reporting of a security issue. Very poor form there.
An update to this: the security folks have told me it’s not a security issue, but they’re forwarding it to the appropriate team.
Perhaps I’m biased, but I’d have thought that a Windows Update that ships malware that bricks thousands of consumer devices without warning would constitute a security issue.
But hey … at least they’re actioning it, and they responded so quickly. So, FYI: if you have a security issue to report to Microsoft, do it by email. Phone staff are utterly, completely useless for this.
Another update: Microsoft had already been made aware of the issue, and were investigating. I’ve lodged a formal compliment over the way their security team responded to my report (once I found them). Prompt, helpful, efficient and reassuring.
FTDI’s own website says their chips are used on medical devices:
Let’s hope that all the manufacturers are 100% certain of their supply chains, from top to bottom. And that there are no bugs in the driver that might cause inadvertent bricking.
Way to go, FTDI.
What was wrong with the previous story on this subject? https://lobste.rs/s/fi1h79/watch_that_windows_update_ftdi_drivers_are_killing_fake_chips
I’ve merged them.
[meta] Well that’s a cool new trick, thanks @jcs!