Counterfeit Hardware May Lead To Malware And Failure

Counterfeit parts are becoming increasingly hard to tell apart from the real deal. The technology used by the counterfeiters has come on in leaps and bounds, so even the experts struggle to tell the real product from a good fake. Mere fake branding isn’t the biggest problem with a counterfeit though, as reports, counterfeit parts could contain malware or be downright dangerous.

Way back in 2014 the FBI charged [Marc Heera] with selling clones of the Hondata S300, a plug-in engine module for Honda cars that reads sensors and, depending on their values, can change idle speed, air-fuel mixture and a plethora of other car/engine related settings. What, you might ask, is the problem, other than that they are obviously not genuine parts? According to Honda they had a number of issues such as random limits on engine rpm and occasional failure to start. While the fake Hondata S300 parts were just poor clones that looked the part, anything connected to an engine control unit brings up huge safety concerns, and researchers have shown that through ECU access they could hijack a car’s steering and brakes.

It’s not just car parts being cloned; remember the fake USB-to-serial chips of FTDI-Gate? Entire routers are also being cloned, which doesn’t sound too bad until you realise that the cloners could configure your internet traffic to be redirected through their network for snooping. In 2010 Saudi citizen [Ehab Ashoor] was convicted of buying cloned Cisco Systems gigabit interface converters with the intention of selling them to the U.S Dept of Defense. While nothing sinister was afoot in [Ashoor]’s case other than greed, these routers were to be deployed in Iraq for use by the Marine Corps networks. They were then to be used for security, transmitting troop movements and relaying intelligence from field operations back to HQ.

So who are the cloners and why are they doing it? It is speculated that some of them may be state funded, as there are a lot of countries who do not trust American silicon. Circuits are reverse engineered and find their way to the international market. Then, just like in the FTDI-Gate case, cloners want to make profits from others’ intellectual property. This also brings up another question: if there is a mistrust of American silicon, and nearly everything is made in China these days, why should we trust anything from there? Even analog circuits can be made to spy on you, as you can see from the piece we recently featured on compromising a processor using an analog charge pump. If you want to defend yourself from such attacks, perhaps look at previous Hackaday Prize finalist ChipWhisperer.

89 thoughts on “Counterfeit Hardware May Lead To Malware And Failure”

  1. Wondering what techniques are used to clone chips. Slicing the layers and reproduce them or less advanced?

    Also how to detect a cloned chip. Assuming they manage to copy the silicon, it will be hard if not impossible

    1. So, I’ve got my theory, and I would like some feedback on it. Every PCB I have ever gotten from any fab in China has always had an added ID number printed very small somewhere on the silkscreen. My theory is this number goes into a national (or local) database and whenever anyone wants a PCB, they simply look it up by this value.

      1. I think they sell the PCB file for anything interesting to a Chinese device manufacturer for a profit or even decide to make it themselves and sell it under another company name.

      2. I think they’re just order numbers so that the people de-paneling your boards know who to post them to. The numbering also doesn’t seem to be consistent between manufacturers.

  2. Quote [Jack Laidlaw]: “there are a lot of countries who do not trust American silicon”

    There is one country that *does* trust American silicon … wait … perhaps that’s not true. It’s the American government that is distrusted, not American people. But to some foreigners there is no difference.

    Great article [Jack Laidlaw].

    It’s not hard to clone anything and the only solution is perhaps signed encryption.

    1. You are right, people not countries. Thanks RÖB! I really liked reading about this myself so that is why I wrote about it. P.S. with your knowledge and a few spare hours a week you should apply to write for HackaDay, if you have spare time.

    2. American silicon is becoming expensive. The hardware may be getting better, but American software is getting shittier and shittier. If it’s not the software, the hardware is garbage. Printers are software locked to shit features. PC hardware is not updated past two years, like routers and TVs. Soundbars may never receive a firmware update on known issues. Car radios.. let’s not get into that.

        1. If it’s got Bluetooth it’ll need software. Even a pushbutton interface could well use software, though in that case it’d be simple enough not to need updating.

          Then, since they’re putting a CPU in there, why not add a few extra features? To attract the customer. That’s where it gets complex and needs fixing. Because it’s updatable at all (often through USB), means that bothering to get the software working before they ship the product isn’t considered important.

          The Internet’s only making things worse. Soon they’ll be selling products that don’t work at all until you download a software update. Actually somebody already has, I think.

  3. This is actually a good example of why cheap DIY silicon fab systems are needed. You won’t be making the latest 10nm series silicon chips but 200nm isn’t out of the question.

    1. Unless you don’t mind working with some very nasty chemicals like HF acid it IS out of the question. And 200nm IS already a stretch for anything people might be able to achieve at home. 1 micrometer down to maybe 500 nm is probably doable though (anything within the dry iRF and ARF litho range). Immersion systems will certainly be too complicated for home building. Size of the systems needed is probably the biggest problem here. You probably need a space the size of the average house to put all the coating, litho, etching, PVD, CVD, ion implanting, wirebonding, etc. equipment you need. Wafers can actually be obtained from eBay or commercial suppliers. They are not the hard part.

  4. I have had a counterfeit FTDI adapter cause major damage to the circuit (blew a pricey FPGA) and a laptop (dead USB port).
    I’m not entirely sure what killed the USB port, but the 3v3 configured FTDI chip was passing 5v high through both RX and TX, and I only noticed the markings were not quite right after everything went wrong, and I was not paying attention to what I was using on such a critical design.
    I have never again trusted any low price eBay buy for anything critical (seems like a no-shit thing, but something so common on the bench you tend to just accept it as a tool).

    1. The FTDI parts have a 5V-3.3V LDO onboard for just this purpose. FTDI can be taken to task if it doesn’t perform per the datasheet, so they presumably spend a bunch of money on characterization and production test.

      The clones however…

    2. That’s because you didn’t use galvanic isolation. UART can be isolated easily using even a cheap PC817 (max 19200b/s) optocoupler. USB is another story and not so cheap. The famous ADuM chips for USB 1.1 do max 12MBit/s and I don’t hear anything about isolated 480MBit/s.

      1. You do not need galvanic isolation. That was no problem of different ground levels, loops or ground currents. It was a problem of wrong logic levels. For those boring slow speeds (19200) often simple series resistors are sufficient. Otherwise I would use suitable gates as level shifters.

    1. Exactly!

      The clones bricked by the malware distributed by FTDI via windows update were not fakes nor counterfeit.

      So, [Jack Laidlaw], what I remember is that the FTDI-Gate definitely was not about any FAKE USB-to-serial chips, but FTDI breaking people’s legit hardware CLONES; otherwise it would not have been a FTDIGate

      1. No, No, No,

        The FTDI chip was a silicon-based state machine for the most part. The clone wasn’t a clone – it was a micro-controller that had the FTDI state machine programmed in and worked in most situations but lacked the full speed of the FTDI chip or the FTDI chip’s ability to address additional pins like CTR RTS DTR DSR or even have a JTAG port.

        Basically the FTDI “clone” was never a clone at all. It worked in many applications but was severely lacking compared to the original FTDI chip.

        It was however counterfeit and displayed the FTDI registered trade marks on the epoxy chips (there were also Chip On Board (COB) versions of the fake).

        The problem was that the FTDI chip was an old design on old silicon so it was a “low hanging fruit” for the Chinese to emulate in a more modern micro. The reason that it was a low hanging fruit was the price FTDI wanted for it was much higher than the cost of emulating its function with a uC (micro-controller).

        FTDI-Gate was about how the company FTDI responded to this situation. They bricked fake chips.

        Designers didn’t realize that fake FTDI chips had entered their manufacturing process, so FTDI more or less caused end product users to see their designers (suppliers) as fools on the basis that these designers chose what they believed to be genuine FTDI chips. Such a sad marketing model. Most designers I know switched to a different chip.

        Windows also removed external control of the alteration of VID/PID and updates from external sources as the Windows update feature was used as an “attack vector” to brick these devices. The lesson here for them is “Don’t with Microsoft”.

        This modern world is a lot about corporate ethics. I personally believe that FTDI got what they deserved (market loss) for what they did to their legitimate clients.

          1. You have an example of a chip that uses the FTDI driver but does not come with FTDI markings on the IC? That would be the first one, so far I have only seen fake FTDI chips that try to pass themselves off as the genuine article. As soon as you do that, it’s no longer legit.

          2. The “FTDI cables” that were bricked by the FTDI malware drivers had legit unmarked chips or a COB as RÖB pointed out. Look for them if you want examples.

            And as you well know, not even using the “FTDI cable” term try to pass off as having a genuine FTDI chip but as a common name for USB-to-serial with whatever bridge chip.

          3. If they are clones, and not authorized by FTDI, they are not allowed to use FTDI’s drivers either. The bricked chips/cables/COBs were things that used the FTDI brand but were not made by FTDI. The designers that used the counterfeit chips were naive to think chips sourced from eBay or obscure vendors to be OK, or understood they were fakes but disregarded the problem.

          4. If I am not mistaken, these “legit functional clones” were also using FTDI’s registered vendor ID which is extremely frowned upon because you are essentially stealing their license.

          5. Ah FTDIgate argument again. It’s been a few years and all the straw man arguments are still being used w/o any of the doomsday scenarios thrown around ever coming true.

            “Software compatible Clone” stops working? Well you are using the wrong driver. Go to the manufacturer of the device you bought and demand they release a driver. Why would you be upset at Canon when your HP printer stops working when you’ve installed a Canon driver to run it?

            “Counterfeit” stops working? Well it’s counterfeit so that’s on you. “But what if I thought it was real!!!” Well, as stated by the CEO: ‘We’ve not had one single instance of a fake chip being sold by our listed sales distributor chains’ you took the risk by buying outside the trusted chain, that’s on you. If you bought it through the trusted chain and it’s counterfeit, that’s on the chain and they should be liable. But we have yet to see that.

            Personally I doubt FTDI saw any discernible market loss from the news coverage on how they fought clones. What they did was never a risk for customers who follow proper supply chain procedures. I still see them used in new devices all the time including the medical industry.

          6. It is a nasty practice that is borderline illegal on FTDI’s part, and how they did the detection and bricking uses what could at best be described as questionable programming practices that have no place in production software.
            The idiot in management who decided it was a good idea and the head software engineer both should face charges for any loss of life or property happened because of that “feature”.

          7. I never used illegitimate FTDI devices (I always buy from DigiKey or Mouser), but I will never use them again, because now that FTDI has shown a willingness to weaponize their driver, there’s a non-zero chance that an error in a future update could mistakenly brick or screw up *legitimate* devices as well.

          8. @nsayer

            “now that FTDI has shown a willingness to weaponize their driver, there’s a non-zero chance that an error in a future update could mistakenly brick or screw up *legitimate* devices as well.”

            I’m sorry, what? There’s always been a non-zero chance a firmware/driver update can brick a device. Searching Slashdot for “driver update bricks -FTDI” returns 4,000 results. I actually feel safer knowing they (hopefully) applied rigorous regression testing on their intentional disablement mechanism before release to make damn sure it worked right. That’s preferable than 100% unplanned and unintentional disablement that we see across the tech world on nearly a monthly basis due to lack of planning or testing.

          9. There’s non-zero, and then there’s non-zero. In this case, we’re talking about code that is *designed* to brick devices and we’re talking about a potential bug or not in deciding which devices to do it to.

        1. Indeed, I for one stopped using ANY device that had an FTDI on it. For two reasons: First, practical, you never know whether the FTDI is legit or not and why would I risk my design/product being bricked by them? Second, why do business with a crooked company like FTDI? So, no thanks. For el cheapo things I switched to CH340 thingies. They all work fine and are cheap.

          1. Both arguments are invalid. The first problem can be solved by buying through the official channel. Oh, you want to buy cheaper? Well… you get what you pay for. The second… the crooked company is not FTDI but the one that made the clone to piggyback on FTDI’s success and get a piece of the cake while, at the same time, not having to write a driver or shell out the money for a USB VID.

            As for the CH340, they seem to work most of the time but I read that they have problems with baud rates that are a bit off, which can be a problem with microcontrollers that use a crystal where you can’t get a perfect baud rate from. Other USB/RS232 ICs do have some annoying issues. Like the MCP2221, which inserts a pause of a few microseconds after every byte sent. Throttles throughput at high baud rates.

          2. It’s easy. If you buy from an authorized distributor, it’s legit. If you don’t, it’s probably not. If you don’t because it’s a lot cheaper, it’s almost certainly not.

            I never did really make up my mind solidly one way or another on this. There were NO legit chips targeted by FTDI. They were ALL varying degrees of grey at best. The chips used FTDI’s vendor ID at the very minimum. That right there is shady for a business.

            Dave Jones’ rant about manufacturers not knowing what to trust was BS. Show me one actual case of his highly theoretical “a bad worker swaps genuine parts for clone parts” scenario. Everyone else who professionally manufactures things will know about the problems of counterfeiting in electronics and how important authorized dealers are. It’s not like a car dealership’s authorized service center… authorized distributors for electronic parts actually matter. If you manufacture stuff and CHOOSE to go with cheap over known, well, you live with the consequences.

            I don’t care if it’s a microcontroller emulating a chip or not. It pretends to be an FTDI chip so they can use someone else’s hard work writing device drivers, so it’s a clone. Whether it’s actually cloned silicon is beside the point, and just adds to the level of the theft.

            I feel bad for the random hacker who bought stuff off eBay or whatever and was hurt by this… some of them might not have known. However, if you knew you were buying something from a company ripping another company off, I just don’t have sympathy for you.

          3. I do agree the first driver that physically bricked the chip was a bit too far, ethically. I am 100% behind the random “NON GENUINE DEVICE FOUND!” sentence injected into the serial stream. Device isn’t bricked, but application will probably stop working right and the issue will come to light. Frustrated end user will either see the error of their ways if they choose non-trusted supply line or will put pressure on the end device manufacture that made that poor decision.

    1. Yes, I have to agree.

      There is a massive body of literature on the risks of counterfeit and backdoored electronics, specifically focusing on government use cases. One would also add the revealed USG catalogs of implant technologies which are themselves the USG backdooring other countries (ref: ANT catalog, NSA TAO etc. etc.)

      I’d also suggest the author search the term “Chisco”, counterfeit Chinese Cisco devices. I have done consulting engagements in China, and seen clearly counterfeit Cisco hardware in use by companies there. Cisco even added anti-counterfeiting technologies in the mid-2000’s, due to the hassle this was causing them, especially when the counterfeits failed and the unwitting customers called Cisco.

      This is such a well-established risk with a ton of papers and articles, senate reports and advisories. It’s a pity that the author doesn’t seem to have done the research which uncovered these.

    2. The S300 was for early ’90s Hondas – not much tying in to steering or brakes on those. While it was certainly not kosher to sell fake Hondata parts, the potential for damage there is pretty much limited to broken engine parts, unless the damage comes at a point where an engine failure could send the car out of control without crippling the steering or brakes.

      1. The company I work for occasionally receives clones of their products in for repair. Apparently the owners thought they were getting the real product, just at a lower price, through that Worldwide Garage Sale. The clones are returned unrepaired.

        1. That’s a missed opportunity tho, the company could have shipped back the un-repaired clones with a discount to buy the real thing straight from the manufacturer. It’s win-win really, the OG company makes money on the sale (obv the discount would not be below the cost) and the vendor selling the clones online gets trashed while the OG company gets good publicity. The price of the discount would be set in such a way that it doesn’t create an incentive to buy a clone and then get the discount.

          1. @s, I was asking for references of people saying that counterfeits function better than the OEM chips. In the first link it seems as if people are complaining about the driver update breaking chips, as is the second one.. in fact the only thing close that I’ve found that would be in this realm was: “Since @suicidaleggroll didn’t read the original discussion, he is uninformed that there is no reliable way for ANYONE (including legitimate distributors and board assemblers) to definitively identify genuine chips vs counterfeit. Many legitimate, official, authorized supply lines have discovered counterfeit chips, sometimes only revealed when the end-user tried to use the product.”

            which not only contradicts other statements made in several of the HAD threads (namely that buying from the approved distribution vendors approved from FTDI is the only way to get a guaranteed genuine chip) but also doesn’t prove anywhere that clones or counterfeits work better than the genuine FTDI chips. On top of that it seems plain ridiculous that the vendors that FTDI recommends would not be able to tell if the chips that they are genuine or not. Now if a board manufacturer goes outside of those recommended vendors and makes a board for you with fake chips then the board manufacturer is just trying to pull a fast-one and it is not the fault of FTDI in any way.

            It seems as if the general complaint is that people don’t know how to tell if they are getting genuine chips or clones, which is really short-sighted in the worst of ways. First off, FTDI has a list of approved vendors; if you aren’t buying your chips from one of them then there are no guarantees. Second, I have also yet to hear of anyone who has purchased from an approved vendor to have the drivers not work with their product.

            What I am specifically challenging in my above post is the idea that people say that counterfeits work better than the original. Those are the references I am looking for, and that could be for any product on the market. I just want to see somewhere that someone can prove that a counterfeit operates better than the original

            But in conclusion, the major problem with that entire saga is that FTDI abused Microsoft’s update system to brick chips that used their driver without paying them (either clones or counterfeits). That isn’t necessarily a business decision I would have gone with but they can make their own decisions. In the end the only people really affected are Windows users who are now the product anyways, so which corporation is going to care what they think.

          2. @Mike: The links I posted have exactly what you asked for. ;)

            That is just one example for FTDI chips, and other manufacturers like Microchip also have issues. Plenty more examples if you bother to look for them.

            FTDI’s sample application for the D2XX driver shows that FT232R has broken bitbang mode timing, where clones work perfectly.

            FT232R, original (up) vs. clone (bottom), outputting a 38kHz square wave in bitbang mode, same exact code driving both shows FTDI’s buggy silicon.

            The broken behaviour unfixed since several silicon revisions is even documented in the FTDI errata despite the misleading “no known issues with this silicon revision” subtitle note.

      1. The name brand stuff is also manufactured in China, cheaper and cheaper, it is only sold at 10* the price. If I buy cheap, I know to get cheap quality for a cheap price. If I pay more I can not be sure to get better quality, only to pay more.

  5. ” In 2010 Saudi citizen [Ehab Ashoor] was convicted of buying cloned Cisco Systems gigabit interface converters with the intention of selling them to the U.S Dept of Defense. ”

    Supplier vetting.

  6. No surprise here. As an M.E. I worked on tire design for a large O.E.M and aftermarket company, saw plenty of clones from tire molds made in China make it into the US market. Companies from China bought up the US mold shops and magically we started seeing counterfeit tires pop up in the US being imported from China. We got clued into what was happening because NHTS did an investigation on an accident due to faulty tires. The giveaway that the tire was a clone was that the manufacturer quit making the tire years ago; the date code on the tire was years after the final year of production. The counterfeit tires generally look identical to the genuine article but the rubber compounds and construction were subpar and dangerous. We noticed that the counterfeit tires that did not fail catastrophically tended to wear out in a third of the mileage of the real article.

  7. In the late 1970s I worked for a US government agency that operated an in-house silicon foundry to make ICs for select applications for which even US manufacturers were not trusted. The risk of counterfeits and back doors in integrated circuits has been recognized for more than 40 years.

    The US government was not particularly secretive about knowing these risks exist because the silicon foundry was one of the things shown to people being recruited for employment at that agency.

    This article has its place because seemingly obvious knowledge does not always get handed down to succeeding generations of engineers – perhaps because it seems obvious.

  8. If you’re interested, China has inexpensive reverse engineering services available, just send them your part/circuit and they send it back reverse engineered. Then you modify it and send it back to China for production.

    1. No! They wouldn’t dare! he he… Then they would be spreading my potentially malware infested hardware all over the place and they would be blamed for it! No, couldn’t happen ;)

  9. It all comes down to supplier vetting; most businesses understand this and work diligently to ensure that they are purchasing from reliable suppliers. Unfortunately the global society we live in puts short term cost as the number one factor in purchasing something and because of that counterfeiting will always be a problem. Hell, if they can’t stop people from counterfeiting money, how is anyone going to stop people from doing the same with anything else.

    Nothing is going to change until we realign the priorities of society. If people can’t think rationally in the short, medium and long term when considering all the options and consequences then nothing will ever change. We will just keep up this cat and mouse game over and over and the only people that benefit are the ones with the money and power (both the original creators and the counterfeiters).

  10. What about the eventual reverse-ftdi-gate. Picture the p0wned-stux-cry worm that spreads everywhere, but because clones aren’t perfect, everyone with a fake copy of a chip is fine and everyone with the real thing is compromised.

    “News flash fake Intel chipsets found in circulation, everyone else’s computer caught fire.”

    1. Possible if the worm used an undocumented feature in the legit part that was not copied over to the clone.
      Such as if the Chinese managed to fully copy an i series Intel CPU but their implementation of ME was incomplete or missing entirely.
      I’m actually very surprised the Chinese have not been producing socket compatible X86 clones as this should be well within their abilities though the companies there who can pull off such a feat such as All Winner and Lemote Tech Co., Ltd have mainstream business with the west and probably wouldn’t want to risk losing it.

  11. I’ve always stocked on ‘clone’ routers from china, but trashed the stock firmware in favor of openwrt the day they’ve arrived. If the software’s all open – it doesn’t really matter where the hardware comes from. Well, unless you are going to use it in some mission-critical application.

  12. Every comment I read here misses what I see as the point of this article… The writer [Jack Laidlaw] seems to try to imply that there’s a security concern with counterfeit and/or cloned parts.
    My response is that if someone is concerned about security, they should also be concerned with the source of the hardware AND software. If they want to risk cloned or counterfeit hardware/software, then all I have to say is – Survival of the fittest! Caveat emptor!

  13. Several years ago where I work we had some Microchip parts sourced directly from Digikey that were fakes (temp sensors I think). When we showed them to Microchip, they had no record of the labelled numbers. Point being, don’t always trust the “trusted” sources either. Since then I’m sure they’ve improved their buying practices. At least I hope so.

  14. Best way to avoid clones is to not buy $1/2 Arduinos, STM32F103 or similar boards from Aliexpress and then integrate them into your designs. Try purchasing all parts/boards from Digi-Key, Mouser or directly from the manufacturer themselves.

    If you buy the cheapo boards from Aliexpress… then remember that you’ll get what you pay for.
