- Researchers from CTS Labs found serious and potentially dangerous flaws in computer chips manufactured by AMD.
- But exactly how CTS disclosed the vulnerabilities has raised concerns among security researchers: It allegedly didn’t give AMD enough time to respond and get fixes ready before going public.
- Some skeptics believe that CTS might have a financial interest in seeing AMD flounder in response.
- The flaws are unlikely to affect individual users, and will be most concerning to big businesses using AMD chips.
- CTS has also been criticized for failing to provide key technical details of the vulnerabilities.
On Tuesday, an Israeli-based security firm named CTS Labs revealed a series of “critical” vulnerabilities affecting computer processors made by $11 billion chipmaker AMD — serious flaws that, in the wrong hands, could allow hackers access to otherwise-secure systems.
While the dangers posed by these vulnerabilities may well be real, the whole episode is raising eyebrows among the security community. First, CTS didn’t follow security industry protocol in revealing these flaws to the world. That, coupled with the fact that CTS didn’t disclose certain key technical details, has some experts scratching their heads.
And AMD doesn’t appear to be happy about it, either. In an official blog entry, AMD said that it is investigating the claims made by CTS, but expressed disapproval for the way the vulnerabilities were disclosed.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” the post reads.
Despite the uncertainty, though, the vulnerabilities appear to be real. Still, unless you’re in the IT department of a Fortune 500 company, you probably shouldn’t worry too much about the CTS report.
“This is not something the general public should lose sleep over. Enterprise customers will have to deal with this more as their threat models and workloads are significantly different and these vulnerabilities would expose them to more risk,” Jake Williams, founder of security firm RenditionSec, told Business Insider.
AMD had no official comment beyond the blog entry. CTS did not immediately respond to a request for comment.
CTS appears to have flouted normal protocol
CTS unveiled the flaws on a slick website, amdflaws.com, which comes complete with showy graphics and a 20-page whitepaper explaining the vulnerabilities in high-level terms. They even gave the vulnerabilities flashy names: “Ryzenfall,” “Fallout,” “Masterkey,” and “Chimera” — echoing Google’s high-profile disclosures of the “Spectre” and “Meltdown” security vulnerabilities earlier this year.
The CTS-made website also includes a video of both the CEO and the CFO of CTS-Labs talking about the vulnerabilities in front of what appears to be a greenscreen.
But it’s exactly the level of sophistication in the announcement that has security researchers suspicious: The way that CTS handled the disclosure, and the website itself, are “highly unusual” in the security industry, says RenditionSec’s Williams.
On the amdflaws.com website, CTS says that it “has shared this information with AMD, Microsoft, and a small number of companies that could produce patches and mitigations.”
Yet, CTS only informed AMD about the flaws 24 hours before the site went live, according to a person familiar with the situation — a timeframe that flouts industry protocol. Microsoft did not immediately respond to a request for comment.
Normally, researchers are supposed to inform companies between 60 and 90 days in advance of public disclosure. For example: Intel, AMD, and other chip manufacturers had about a seven month lead time before “Spectre” and “Meltdown” became public. That time was used to develop and deploy at least partial fixes. That was an extreme case, given the massive impact of those vulnerabilities.
Meanwhile, according to publicly-searachable domain records, amdflaws.com was registered on February 22 — weeks before CTS first appraised AMD of the situation. Williams believes that such a short span didn’t give AMD any time to respond, let alone start on the difficult task of solving the problem.
“There’s no point in reaching out 24 hours in advance, unless you want to check that box that you’ve reached out in advance,” Williams said.
Additionally, the CTS website contains a disclaimer, saying that it may have “an economic interest in the performance of the securities of the companies.” This gives skeptics reason to believe that CTS is using these flaws to bet against AMD’s stock, Williams said.
“Most security researchers aren’t financially involved in the companies they’re researching,” Williams said.
CTS told CNET that it doesn’t have “any investment (long or short) in Intel or AMD.”
The problems seem to be real, but details are missing
In a technical sense, the vulnerabilities discovered by CTS have to do with AMD’s Secure Processor. The Secure Processor is, essentially, a second processor that comes embedded in certain AMD chips. It’s designed to handle sensitive computing tasks.
These vulnerabilities would provide a way for an attacker to get into the AMD Secure Processor and allow them to both access sensitive data, and potentially install malware that would go undetected by any conventional means. It’s not known if a hacker has taken advantage of these vulnerabilities for an attack in the real world.
According to the CTS whitepaper, malicious actors could permanently install malicious code and “expose AMD customers to industrial espionage that is virtually undetectable by most security solutions.” It also says that it’s not aware of a fix — and that fixing “Chimera” might require AMD to redesign its processor hardware.
Still, despite the unusual nature of how the CTS revealed the vulnerabilities, many seem to believe the company’s conclusions. On Twitter, Dan Guido, the CEO of security research firm Trail of Bits, claimed that his team had been contracted by CTS to review the findings before release — and verified that the issues are real.
“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works,” wrote Guido in a tweet. Guido did not respond to Business Insider’s request for comment.
So this https://t.co/vYktqat10K business… CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
— Dan Guido (@dguido) March 13, 2018
Still, other researchers are skeptical of the stated danger of the security flaws because only very limited technical details were released. This was by design, says CTS-Labs.
“All technical details that could be used to reproduce the vulnerabilities have been redacted from this publication,” writes amdflaws.com in its FAQ section. Experts don’t seem impressed by this logic.
“The website makes extreme claims about the vulnerabilities – the FAQ section is worse than Buffy fanfic. No mitigation advice was provided to organisations,” security researcher Kevin Beaumont wrote in a post on Medium.
But, to Williams’ earlier point: even if the CTS revelations pan out, the attacks in question are generally hard to pull off. So generally speaking, it’s not worth worrying too much about — especially since fixes are on the way.
CTS did not respond to a request for comment at the time of publication.