A security startup called CTS-Labs made waves yesterday when it claimed to have discovered 13 critical security flaws classified into four types of vulnerabilities, each one specific to AMD's Ryzen and Eypc processor lines. With the industry at large still reeling from Spectre and Meltdown, the knee-jerk reaction was, 'Oh great, here we go again.' Now that the dust has settled a bit, the legitimacy of the disclosure is being called into question.
There are several aspects of the disclosure that feel sketchy, not the least of which is that CTS-Labs gave AMD less than 24 hours to respond to its findings before making them public. That is highly unusual when it comes to these things—Google's Project Zero team gives companies 90 days to investigate and patch vulnerabilities before going public, and sometimes grants extensions when requested.
That's not the only thing that is suspect, however. Gamers Nexus (opens in new tab) took a deep dive into the whitepaper that CTS-Labs put together and found several instances of aggressive language, which is also unusual for a security disclosure.
"In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD," CTS-Labs writes.
It doesn't read like a technical white paper, and adding credibility to the suspicion is the company's disclosure that it may have a financial stake in all this. There are also lines like the following that cast doubt on CTS' objectivity:
"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS-Labs states (opens in new tab).
CTS-Labs is a rather new company with a domain that was registered on June 25, 2017. For the purpose of its AMD security disclosure, the company registered a separate domain last month, AMDFlaws.com, which is where the whitepaper is parked. The company appears to be comprised of just four individuals (opens in new tab), two of which have partial involvement with financial groups.
The small staff is not automatically suspect. What is suspect, however, is that a separate website called Viceroy Research (opens in new tab) put out a report based on the startup's findings, with the ridiculous conclusion that "AMD is worth $0.00 and will have no choice but to file for Chapter 11 bankruptcy in order to effectively deal with the repercussions of recent discoveries." According to The Register (opens in new tab), Viceroy Research confirmed it has a short position on AMD's stock and intends to increase that position—meaning that Viceroy has a direct financial stake in driving AMD's stock price down. Viceroy founder John Perring also said he received a copy of the report via an anonymous source and found it 'credible.'
Other voices have chimed in from across the tech community. Dan Guido is a security expert who was contacted by CTS-Labs regarding its exploits. In a tweet (opens in new tab), he states, "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." The exploits appear to center around BIOS updates and other attacks that require root or admin privileges, which implies security has already been compromised, but we still lack the full technical details. Linus Torvalds (principal developer of Linux) also chimed in (opens in new tab), saying to no one in particular, "I thought the whole industry was corrupt before, but it's getting ridiculous."
For AMD's part, the company is still investigating the matter, though it did say that CTS-Labs "was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings."
What this all means is difficult to say. Flashing a BIOS already implies a seriously compromised system, but if you can flash the BIOS, unlock TPM keys, leave a backdoor, and cover your tracks, it's a bit like breaking into a bank, stealing the money, leaving yourself future access, and hiding all evidence that any of this ever occurred. If the flaws are real, it's assumed the full technical details will be revealed at some point in the future. AMD, Microsoft, Dell, HP, and other large companies reportedly have the full technical details, and if necessary are presumably working to address any security flaws. We should hear more in the coming days, though whether it's good or bad news is impossible to say right now.