We X-Rayed a Suspicious FTDI USB Cable

Original link: https://eclypsium.com/blog/xray-counterfeit-usb-cable/

Eclypsium used an industrial X-ray machine to investigate how widespread counterfeit hardware is, starting with FTDI USB-to-UART cables. A suspicious, malfunctioning cable prompted them to compare it against a verified authentic cable purchased from DigiKey. The X-ray analysis revealed clear differences: the authentic cable has design elements such as ground pours, decoupling passives and robust strain relief, all hallmarks of high-quality manufacturing. The suspicious cable lacked these features, pointing to lower production standards or possibly stolen intellectual property. Identifying counterfeits is not always easy, even for experts, but the consequences are serious. Beyond a faulty cable, compromised hardware in critical infrastructure (such as network equipment or servers) can introduce backdoors and vulnerabilities for cyber attackers to exploit. Eclypsium highlights the growing risk in complex and rapidly expanding supply chains, particularly as AI data centers drive ever-increasing demand for components. They stress the need for hardware-focused security measures and offer a white paper detailing the importance of supply chain security.

An article about a suspicious FTDI USB cable sparked a Hacker News discussion that highlighted the growing threat of hardware-level supply chain attacks. The original post linked to research describing a potentially malicious cable in detail. Commenters then dug into methods of creating persistent malware that can survive even an operating system reinstall. One user described a project that involved replacing a motherboard's Intel PCH chip with a deliberately vulnerable "unfused" version sourced from Aliexpress, thereby implanting malware directly into the hardware. Others suggested alternative, less invasive approaches, such as targeting the firmware of network cards, server BMCs or SSDs. A key takeaway was the importance of hardware roots of trust, along with the worrying potential of tools like the "O.MG Cable", which enable sophisticated red team operations and attack simulations. Concerns were raised that regulation may be needed to require transparency about cable construction.

Original article

We recently got an industrial X-ray machine for the Eclypsium office to make the next Doctor Manhattan do serious cybersecurity research. In between X-raying yet-to-be-released industrial IT technologies on behalf of giant companies whose names we cannot reveal, we have done some other fun experiments.

Eclypsium researcher preparing to x-ray a suspicious USB cable.

One thing we’ve done with it so far was to x-ray some FTDI USB to UART cables. We had an old cable lying around that seemed a little suspicious and dysfunctional. It worked at slow speeds but it failed when transferring firmware images from a product. These failures drove us to purchase the known good cables from DigiKey, which worked as expected. It is possible that this older cable came from a factory which also produced older generations of authentic FTDI cables, but this particular chip didn’t meet the performance requirements for the FTDI brand. Or maybe it was just a production run based on stolen FTDI IP. Or it is actually completely unrelated to any FTDI IC but has been programmed to claim to be FTDI in software. Unless we could match the silicon exactly to a known supply chain, we can really only speculate.  

In any case, we wanted to see the difference between the suspicious cable and a newer, more obviously “legit” one that cost about $20 from DigiKey. It is not a stretch to assume that a suspicious-looking cable is a counterfeit. FTDI has publicly announced issues with counterfeit devices. They have even fought back with drivers which brick counterfeit chips. Some people have even referred to this as vendor-sanctioned malware.

Here’s what the two cables look like to the naked eye: 

Take a look at the two x-ray images below and see if you can tell which one is suspicious, and which one is authentic. Then scroll down and we’ll tell you what we see.

X-ray of an authentic USB cable.

Before we tell you the answer, here are some clues to look out for in each picture. The authentic cable has the following features visible in the X-Ray image, not shared with the suspicious cable:

  1. Ground pours (reduces impedance and ground loops while improving EMI resistance and thermal dissipation). While there is some debate about the actual value of copper ground pours, they are still used by reputable manufacturers.
  2. Ground stapling
  3. Decoupling passives nearer to the main integrated circuit (IC)
  4. More isolation passives for USB data pins
  5. Thermal pad under IC
  6. Engineered strain relief for wire connections
  7. More solder for mechanical tabs on USB A connector
  8. Smaller/newer silicon process
  9. Better passive alignment

OK, the top image above is the authentic cable. The bottom image is the more questionable one.

Did you get it right? If not, go back and see if you can pinpoint the various clues.

The point is that, even when you know what to look for, spotting a counterfeit isn’t necessarily easy. The consequences for a consumer buying a shady USB cable likely aren’t too bad. But what happens when an enterprise gets counterfeit network gear with a backdoor pre-installed? Or when a major bank receives grey market servers with another company’s data on them? Eclypsium has helped major worldwide organizations discover exactly these types of supply chain issues. 

Supply chain risk is growing rapidly. As AI data center projects capture more and more of the global supply for chips, memory, storage, and other key resources, the secondary market for all of these is heating up. The speed and complexity of these supply chains leaves gaps that cyber adversaries can exploit to introduce vulnerable components and backdoors into tech that makes its way into critical infrastructure.

To learn more, grab our white paper on Why Supply Chain Security Demands Focus on Hardware 
