FTDI needs to be charged under the Computer Fraud and Abuse Act

FTDI is a company that makes computer chips for USB peripherals. Their chips are frequently cloned, which is an issue they have a right to deal with. But they have to be careful.

Breaking suspected cloned chips that consumers bought in good faith is the wrong answer. If I did that, it would be called hacking, and I would be sitting in jail right now, and probably would be facing a quarter-century in prison.

In the United States, corporations (in)famously are people, but in practice, they way it usually goes down is that they’re people when it’s beneficial to be people and they’re not people when it’s beneficial not to be. So I don’t expect a corporation to get charged with computer hacking.

Here’s the problem. This month, FTDI released a revised driver for their chips, then distributed it through Windows Update, so thousands, if not millions of people unwittingly downloaded it. Unwittingly because if the driver sees a chip it doesn’t like, it changes the USB ID of the chip to an invalid number so no computer can recognize it anymore. Then the device ceases to work in any computer, and most consumers have no way of figuring out what happened. This would be like Intel creating an update that damaged people’s computer if it found an AMD chip in it.

The correct way to handle this, as Hackaday put it, is to go after the purveyors of (possibly) illegal chips in court–not to damage consumer’s property. When Intel and AMD have their differences, they sort it out in court, which is the right approach. Shipping a driver with a Trojan Horse in it is not.

The Hackaday article includes instructions for fixing your chip after FTDI Trojans it, but unfortunately, many victims will never know how to find the cure.

If you found this post informative or helpful, please share it!