New research claiming to have identified major vulnerabilities in AMD chips is raising more questions than answers from many security professionals. Yesterday, CTS Labs, a little-known cybersecurity firm based in Tel Aviv, published its findings about "13 critical security vulnerabilities and manufacturer backdoors" in AMD's EPYC and Ryzen chips in a white paper and a dedicated Web site, amdflaws.com.
However, AMD as well as a number of security experts say the company's unorthodox disclosure methods merit skepticism about those claims.
Among skeptics' concerns: CTS Labs gave AMD little time to investigate its findings before releasing them to the press; market-watchers have noticed a recent spike in short selling of AMD stock; and the researchers' disclosure lacks technical information and proof-of-concept code.
'Highly Unusual Disclosure'
Researchers at CTS Labs released their findings after giving AMD less than a day to review the reported vulnerabilities, U.K. security architect Kevin Beaumont noted yesterday in a post on his Double Pulsar blog. "This is a highly unusual and reckless disclosure of security flaws," Beaumont said.
In its response to the research, AMD posted a statement on its Web site that said, "We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings."
Software engineer and Linux creator Linus Torvalds also weighed in with criticisms about how the research was publicized, stating on his Google Plus page that "it looks like the IT security world has hit a new low."
Not Like Spectre, Meltdown
At first glance, CTS Labs' disclosure appeared similar to how different research teams revealed their findings about the major processor vulnerabilities Spectre and Meltdown earlier this year. However, at that time Intel and other chipmakers had been aware of the research for months and were working on fixes when news about the bugs got out.
Yesterday, CTS Labs CEO Ido Li On and CTO Ilia Luk-Zilberman told Motherboard that they released their findings shortly after informing AMD for reasons of "public interest disclosure."
Security researcher Dan Guido said his organization, Trail of Bits, had reviewed CTS Labs' findings and confirmed the vulnerabilities. He acknowledged on Twitter today that he was paid by CTS Labs to conduct an extensive review, but added that doesn't alter the fact that the AMD vulnerabilities are real.
"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works," Guido said in a separate tweet yesterday.
Viceroy Research, another organization that reviewed the CTS Labs findings, published a post yesterday that predicted the bugs would leave AMD with "no choice but to file for Chapter 11." However, citing comments by Viceroy founder Fraser Perring, Reuters reported yesterday that Viceroy "spent much of the evening analyzing the situation and ended up taking a 'sizeable' short position in AMD."
Beaumont said in his blog post yesterday that the way the situation has been handled is not good for cybersecurity.
"I would encourage security researchers not to disclose vulnerabilities like this," he said. "If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations."
Beaumont added, "The only real public exploit here at the moment is a press exploit. This situation should not be happening."
Posted: 2018-03-17 @ 11:55am PT
AMD should above all not respond to CTS-Labs' alleged AMD Security Vulnerabilities using any of CTS Labs' concocted Vulnerability Naming/Nomenclature (Ryzenfall, Etc.) or concocted graphics used to represent these claimed Vulnerabilities.
AMD/others should require that all these alleged Vulnerabilities be Re-listed/Re-Classified under their proper Common Vulnerabilities and Exposures(CVE) Headings and not those obviously nefariously concocted CTS-Labs' Vulnerability Classification "Names" or Graphics Images.
AMD must not lend any credence towards the legitimacy of those CTS-Labs Questionable Vulnerability Classification Scheme Names(Ryzenfall, Etc.) and Graphics that are obviously there to Pander to that Fear Uncertainty and Doubt.
The entire Security Community Must only use the Common Vulnerabilities and Exposures(CVE) Headings and not allow their industry to be further shamed(See the Linus Torvalds Comments on that Matter). These Names/Graphics chosen BY CTS-Labs are not objective by any stretch of the imagination and should never be used to describe any security Vulnerabilities. These Vulnerabilities must have CVE headings and all makers' processors/platforms need to be tested outside of the sphere of influence surrounding CTS-Labs' and any of its paid/contracted representatives or CTS-Labs' Clients(Viceroy Research, etc).
Do not pander to the stock manipulators that these folks are acting in collusion with. This has all the hallmarks of a snow job regardless of any merits these folks' claims may have. CTS-Labs are not concerned with any security threats reduction they are only taking advantage of any threats, actual or not actual, to target AMD/AMD's reputation.
That kind of behavior must never be rewarded, ever!
The Online Press needs to refrain from using anything but Common Vulnerabilities and Exposures(CVE) headings or else be hijacked into inadvertently assisting these entities in achieving their nefarious goals. And it's that CTS-Labs concocted naming/nomenclature and graphics symbolism that CTS-Labs/co-conspirators wish to use against AMD, in spite of any real or nonreal security issues that there may be.
Posted: 2018-03-17 @ 11:50am PT
AMD should sue CTS labs into nonexistence.
Very appropriate names:
Posted: 2018-03-16 @ 5:49pm PT
There are many people in the world who are desperate for us to not question the facts and immediately freak out... all of whom have a financial stake in chaotic panic against AMD.
In countless ways this study could have illuminated potentially grave security concerns and compelled a rational, comprehensive examination into the integrity of ASMedia and [all] CPU microarchitectures. Against all odds the parties involved somehow managed to execute this shallow, transparent, exploitive, ill-conceived, greedy, overdramatized, scaremongering hack-job attack in a way that destroys all credibility behind what very well may have been/still be legitimate concerns.
It's their own fault that this accusation is so thoroughly unbelievable! There may be serious problems that demand study and mitigation against widespread vulnerabilities, but now because of these money-grubbing morons, it's a punchline.
Linus said it best: "They look like clowns."
Not a Sheep:
Posted: 2018-03-15 @ 5:39am PT
In reply to Scared citizen who wrote: "Can anyone stop for a second and think about the actual implications of the research instead of criticizing CTS-Labs? If what they say is true the situation is horrible and everyone needs to go home and get rid of all AMD products..."
You should do more research on CTS and the website they set up, if you're not aware of what a "hit job" is, this reeks of it... also what the article fails to mention is they had root access... if any hacker gains root access you're screwed.... try informing yourself of how these exploits work.
Posted: 2018-03-15 @ 3:18am PT
Can anyone stop for a second and think about the actual implications of the research instead of criticizing CTS-Labs?
If what they say is true the situation is horrible and everyone needs to go home and get rid of all AMD products...