January’s disclosure of serious flaws in mainly Intel microprocessors – Meltdown and Spectre – put the issue of vulnerabilities in hardware microcode and firmware front and centre.
Those were, of course, serious issues the industry has been working flat out to mitigate ever since.
But has an unknown Israeli company called CTS Labs tried to exploit worries over this type of flaw for financial gain?
On 13 March, researchers working for CTS Labs published what quickly turned into one of the most contentious security disclosures ever made.
The company said it had uncovered 13 individual flaws, including backdoors, in AMD’s Ryzen chip family which “put networks that contain AMD computers at a considerable risk.”
Echoing the publicity over January’s Meltdown and Spectre proof-of-concept mega-vulnerabilities in mainly Intel designs, the Ryzen flaws were even grouped into families with dramatic-sounding names – Masterkey, Ryzenfall, Fallout and Chimera.
CTS Labs had of course…
…privately shared this information with AMD, select security companies that can develop mitigations, and the US regulators.
While this is correct, it should be noted that AMD were given only 24 hours notice ahead of the disclosure. Responsible disclosure for security flaws should be months not one day, inviting accusations that CTS Labs was behaving unethically.
Scorn quickly followed from many experts, with Linus Torvalds of Linux fame musing about ulterior motives:
It looks more like stock manipulation than a security advisory to me.
A serious accusation, of course, prompted by CTS Labs’ report disclaimer that:
We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
And there was another problem – all of the flaws CTS Labs found required admin access. As numerous experts pointed out, any attacker with this access would already have control of the system even without exploiting security flaws.
A third-party hired by CTS Labs to assess the flaws confirmed it had received proof-of-concept code to exploit them while still concluding:
There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.
Two weeks on, and AMD this week published its own assessment of the vulnerabilities that should reassure alarmed users.
All four classes of flaw would be fixed through BIOS updates “within the coming weeks,” none of which were expected to hurt performance, while systems running on hypervisors would afford an additional layer of protection, the company said.
It would be easy to conclude that this isn’t as big a deal as Meltdown or Spectre because it can be fixed fairly easily.
That might be too complacent. However hyped, the fact that a small research outfit was able to find serious flaws in recent microprocessors, including the Secure Processor that is supposed to carry out integrity checks, is hardly reassuring.
And the issue of having to gain admin access to take advantage of them ignores the fact that should that happen, an attacker wielding one of these flaws might have another avenue to achieve persistence (i.e. the ability to hide on a system without being detected).
A lot now hinges on how quickly and simply AMD mitigates these flaws. As with any security vulnerability, the clock is always ticking.
Anonymous
Yeah…. I wonder about that too. Did CTS find the exploits? Or was it maybe Intel that, after meltdown and spectre, put a whole team o try to find something wrong with AMD chips no matter what? Is it possible that Intel knew that if they disclosed to AMD all it would take is a bit of time and the perception that AMD chips are as unsafe as Intel’s (which still have meltdown) would never happen? Is it possible that Intel simply provided the information to CTS, plus maybe some money to make the website and videos, and that is why we are seeing the result we see? Is it possible that CTS thought to profit from the information received and teamed with the short seller? That would explain why the shortseller says it did not hire CTS to find these bugs but on the other hand had the information before anyone else. Why is Intel never mentioned anywhere, even when Intel also suffers the Chimera issue?
Quite frankly, like you, I doubt this was detected by a team of 6 that just started doing this 8 months ago. We need more intel on this.
mike@gmail.com
I’m sure that’s what a lot of people are wondering too. Revenge? Corporate espionage? I bet there’s more to this story. Glad the vulnerabilities are in reality not that serious, and that AMD is going to be quick to patch them.
Byson
We need more “intel” on this.
*Badum tssss….* X-D
Yet unfortunately also very true in that sense. :'(
I’ve had the feeling myself that Intel must’ve gone into damage control mode the minute they knew they were worse off than AMD in terms of Meltdown and Spectre.
While Intel is generally speaking technologically competent if a little on the uninnovative and complacent side, unfortunately for AMD their combined marketing, bribing (oh sorry, “OEM rebate”) and misinformation/FUD skills are phenomenal.
I have a hard time believing that a minor slap on the wrist and a measly $1.2 billion fine (less than a few percent of what Intel actually profitted from this) discouraged them. Heck, considering they haven’t even paid the fine yet because the courts are re-evaluating it, I’m guessing if anything it has made them bolder. And maybe a little more careful, going through proxies this time rather than doing the dealings directly.
Anyone else find it a coincidence that Intel is negotiating with Israeli goverment about a huge $5 billion factory investment, meanwhile a new “security” company pops up, and a few months after the deal was finalized suddenly this new company unleashes a potential PR nightmare on Intel’s biggest rival…
Mahhn
Interesting, “a small research outfit was able to find serious flaws in recent microprocessors” or were these feed to the small company by Intel that was hording these exploits from when they reverse engineer competitors products to look for concepts to expand upon (everyone does), to prevent to many vendors running from them to AMD…. Crazy conspiracy theorist like me ask these questions. (unfortunately we get it right often)
Paul Ducklin
If you want to implicate Intel in this – you are making rather serious accusations, albeit that you have pretended otherwise – you need to come up with some evidence.
Mahhn
That, I am not capable of. However, I’m not the only one wondering that, as Anonymous posted this also. (There were no comments visible when I made mine, or I would have just given Anonymous a like and saved typing)
Steve
I don’t see any accusation; Mahhn is just raising questions. Nothing wrong with that.
Paul Ducklin
OK. I’ll see your “just raising questions” comment, and raise you: “I put it to you that tossing in the word ‘maybe’ all over the place and splashing around a few question marks is a weaselly rhetorical device deviously designed to disguise unsubstantiated accusations with a veneer of decency.”
If you think Intel bankrolled this whole thing, but have nothing but your own scepticism as evidence, why not just say so outright?
Mike
This is just depressing for me… I like to build my own rigs from the ground up. But I also have to follow this flaws very closely because of my day job. Since Meltdown & Spectre, now this.. I’m gradually losing interest on upgrading my current CPU know about all this flaws and shenanigans.