Friday, 24 October 2014

Should Microsoft do more to stop the use of counterfeit hardware?

The recent trouble with the FTDI drivers attracted my attention. The story here is that the chip market is flooded with low-cost and (often) poor-quality clones of a popular chip called the FT232. The clones use the same software drivers as the originals. FTDI made drivers that detected the clones and reprogrammed them so that they would not work again without some effort on the user's part. The new drivers were distributed by Windows Update. There was an outcry, Microsoft was unhappy about the use of Windows Update as a weapon against the FT232 knockoffs, and the driver update was withdrawn.

I sympathise with FTDI. I see why they did it. And I rather admire their guts. It was a bold strategy. But it's not necessary. In this battle, FTDI will always have the upper hand against the clones, as it can make new drivers faster than the cloners can make new designs. The right thing to do is to make drivers that just detect the clones and refuse to work. The cloners will respond with better clones, but FTDI can respond very quickly with better detection.

In this case, Microsoft has actively put a stop to FTDI's strategy of "bricking" the FT232 knock-offs.

But Microsoft could, and I think should, do more to stop the use of knock-off hardware in general.

Last year I wanted to buy a micro SD card to upgrade the storage on my MP3 player. I looked on Ebay and Amazon Marketplace and it was quickly obvious that the micro SD card market is flooded with fakes. These fakes are labelled as high-capacity cards but the prices are strangely low. Are any of them real? Are genuine parts competing with fakes at that price point?

Curious about this, and aware of Ebay's general willingness to side with the buyer in any dispute, I ordered one from an Ebay seller. It was marked as a "64Gb SDHC card", which (if you happen to know about these things) is a dead giveaway that it's fake, because "SDHC" is a standard covering 2Gb to 32Gb cards only. There are no 64Gb SDHC cards. (There are 64Gb micro SD cards, but they are SDXC, not SDHC.)

Fake: less than a quarter of the price of a genuine part, and it's a 64Gb SDHC card (no such thing).

I expected that my Windows PC would be better at detecting the fake. But it wasn't. It didn't spot it at all. The phoney SD card formatted without errors. Disk checks passed.
So I copied a large number of music files to the device. Still no errors.

It was only when I attempted to read the files back that I found the problem. There were no errors from the operating system, but the files were now empty, their contents vanished like fairy gold.

There was only 4Gb of usable space on the card: its microcontroller had been programmed to report 64Gb of space, when the real figure was only 4Gb.

Obviously, had I been unaware of the likelihood that this device was fake, I would have been caught out. Perhaps I would have used it in a camera, and filled it with family photographs. And as newer photos were added, older ones would silently vanish. I would never know that my niece's third birthday party photos had overwritten her second birthday party... until it was too late! (I would be foolish to keep only one copy of important files, but that is a different matter.)

But the operating system is not powerless to detect knockoffs like this. It can be done at several levels. FTDI did it in their device drivers: detecting differences between a clone and the real thing. That will be more difficult for a generic component such as an SD card, where the implementation is standardised. However, the file system and card formatter can also perform checks, detect a likely fake, and warn the user.

The key behaviour of a fake is that it claims to be a large device (e.g. 64Gb) and is actually much smaller (e.g. 4Gb). The file system and formatter should explicitly check for this while writing data to the device. The check needs only to be performed once. The fake card relies on the assumption that the operating system will not do this check.

The check would probably involve writing test data to one or more locations that, on a fake card, may be mapped to the same physical location. Then the test data is read back. If it has changed, then the card is fake. The OS pops up a dialog box: "Warning, this SD card is probably a fake". The buyer returns it to the seller and (if appropriate) complains to Amazon or Ebay.
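
The check described above, as an added example that is not part of the original post. The simulated card, its wrap-around and dropped-write behaviours, and all names are assumptions made for illustration; it covers both aliasing and silently discarded writes, and on a real device the same test would overwrite whatever is stored in the probed blocks.

```python
import hashlib

BLOCK = 512  # bytes per block in this simulation

class SimulatedCard:
    """Constructed stand-in for a card that claims more blocks than it stores."""
    def __init__(self, claimed, real, wrap=True):
        self.claimed, self.real, self.wrap = claimed, real, wrap
        self.store = {}

    def _map(self, lba):
        # Blocks past the real capacity either alias a real block or go nowhere.
        if lba < self.real:
            return lba
        return lba % self.real if self.wrap else None

    def write(self, lba, data):
        phys = self._map(lba)
        if phys is not None:          # otherwise the write is silently dropped
            self.store[phys] = data

    def read(self, lba):
        return self.store.get(self._map(lba), bytes(BLOCK))

def marker(lba):
    """Content derived from the block address, so aliased blocks cannot match."""
    seed = hashlib.sha256(b"probe-%d" % lba).digest()
    return seed * (BLOCK // len(seed))

def check_capacity(card, stride=1):
    """Destructive test. Returns (looks_genuine, first_failing_block)."""
    points = sorted(set(range(0, card.claimed, stride)) | {card.claimed - 1})
    # Write every marker before reading any, highest block first, so low
    # blocks are written last and a failure points at the missing region.
    for lba in reversed(points):
        card.write(lba, marker(lba))
    for lba in points:
        if card.read(lba) != marker(lba):
            return False, lba
    return True, None

if __name__ == "__main__":
    # Scaled-down version of the card in the post: claims 64 units, holds 4.
    print(check_capacity(SimulatedCard(claimed=64, real=4)))              # aliasing card
    print(check_capacity(SimulatedCard(claimed=64, real=4, wrap=False)))  # write-dropping card
    print(check_capacity(SimulatedCard(claimed=64, real=64)))             # genuine card
```

With stride=1 every block is tested; a larger stride samples the device and is faster, but a sampled run can miss a fake whose aliasing happens to avoid the probed blocks.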

The eventual result of these improved checks would be better counterfeits. But the software maker always has the edge, because it's easier to update the software than create new hardware.

Sellers of fake cards know that some people will figure it out and return the cards within a few days. The seller may try to convince them it's their own fault:
"Hi, there are a few things you can try. 1. Put the micro sd card into the adaptor and then flick the notch down and flick it back up to the top and then insert the card back into your device. If you are using the micro sd card just pull it out of the adaptor and put into your device. (This can be a common problem with sd cards) 2. If this does not work then try formatting the card a few times and make sure it's in fat 3. 3. Other than that there might be a compatibility problem with your device."
No doubt, many people will be put off by this, though some will continue to demand a refund.

The business is profitable. If the major software platforms would automatically attempt to detect fake SD cards, and indeed fake USB memory sticks, fake hard disks, fake SSDs and so forth, that market would collapse.

Ebay does remove counterfeit items, and in fact the one I bought was delisted shortly after I got a full refund, but the business continues. And it will go on and on....

Until software strikes back!