Given the recent widespread reports of the Meltdown and Spectre vulnerabilities, CPU security is a hot button topic at the moment. AMD has found itself dragged into a security controversy of its own this week, after a questionable research firm known as CTS Labs published a paper claiming to detail four vulnerabilities in Zen-based processors, which was immediately followed up by a report from Viceroy Research. On the surface, it looks like bad news for AMD, but digging deeper into the story, there is plenty of reason to be suspicious of CTS Labs, Viceroy Research and some of their claims.
So what do we know so far? CTS Labs claim to have found four key vulnerabilities in AMD’s Zen-based processors, named ‘Ryzenfall’, ‘Chimera’, ‘Fallout’ and ‘Masterkey’. The first three exploits listed are said to ‘require that an attacker be able to run a program with local-machine elevated administrator privileges’, essentially meaning that physical access to a PC is required in order to run malicious code. Masterkey, on the other hand, requires that ‘an attacker be able to re-flash the BIOS with a specially crafted BIOS update’. The folks at GamersNexus spoke to a few security experts about the matter, and rightly pointed out that if you have physical access to a system, then you could run malware on a PC of any kind, whether it is powered by AMD or not. The important part is where the vulnerability exists in the chain, which the CTS Labs research paper does not detail.
The CTS Labs paper plays up the vulnerabilities, with claims that they could survive OS reinstallations and pave the way for ‘virtually undetectable espionage’. However, the paper does not include any technical details or proof of concepts. This is important, as much of the paper reads like an attack on companies, rather than the objective, technical breakdown of facts we typically see in security reports. A sentence towards the end of the paper reads: ‘In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing and quality controls at AMD’. This sentence in particular is a good example of the charged writing found throughout the paper. Much of it seems geared towards driving investors away, rather than helping AMD advance its security for the good of the public.
In an effort to ‘ensure public safety’, CTS Labs says that it chose to remove technical details from its published paper. Instead, the company says it handed technical information over to AMD, security companies and US regulators. It is important to note that this was only done after first sending an outline of the vulnerabilities out to press outlets. AMD has confirmed that it has received information but was given less than 24 hours to investigate before it all went public. This is a far cry from typical security research practice. With Google’s Project Zero, for instance, companies are given 90 days to investigate and fix vulnerabilities before they are made public. AMD was afforded no such opportunity by CTS Labs.
Do keep in mind that CTS Labs’ findings could well be accurate and real. However, the presentation of these findings, and the way this information is being spread, is an issue. These vulnerabilities are being played up to be high-level risks despite the fact that in most cases, physical access to the system and admin privileges are required for these vulnerabilities to be exploited.
It is also worth noting that CTS Labs is a relatively unknown player in the security world. AMD’s own statement acknowledging the matter shows unfamiliarity with the company. Upon further digging, it has been discovered that CTS Labs was only founded in mid-2017, the website amdflaws.com went live yesterday and the PDF document published went live less than three hours after the website did. The domain for the site was registered in February but the person or entity that registered it hid their identity, which is unusual in this case given the claims being made and their public attribution to CTS Labs. Another peculiar fact is that the ‘amdflaws’ website is directing questions towards a PR firm.
We’ve talked a lot about CTS Labs so far, but we haven’t touched on Viceroy Research. While CTS Labs is the company that posted the initial findings, Viceroy Research published a 25-page long PDF on the matter around the same time that the initial CTS Labs site went live. It is currently believed that Viceroy Research had access to CTS Labs’ information ahead of time and had its own PDF pre-written. Viceroy’s PDF is titled ‘AMD- The Obituary’, and goes as far as to say that ‘AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy)’ in order to deal with the fallout derived from CTS Labs’ vulnerability findings.
Viceroy Research’s PDF is filled with outlandish claims like the one above, and primarily uses scare tactics, seemingly in an effort to spook investors. In a prior interview with Business Day, Viceroy Research stated that it is an ‘independent research group based in the US’ adding that it takes ‘a financial position’ in its research and that readers ‘should assume’ it has a position on the stock. With that in mind, it seems quite likely that Viceroy Research has a financial incentive to go after AMD.
Currently, there is nothing directly connecting CTS Labs and Viceroy Research, outside of the suspicious timing of their postings. However, it is also worth noting that CTS Labs’ CFO is also the founder and Managing Director of NineWells Capital, a hedge fund that invests in public equities. Notable security researchers including Jake Williams, Arrigo Triulzi and Google’s Tavis Ormandy have all expressed concern over CTS Labs’ findings and how they have been shared and talked up in the media.
At the time of publishing, AMD’s stock has dropped by 1.59 percent. AMD has publicly stated that it is investigating the claims made by CTS Labs and will update when it has more information.
KitGuru says: While there is plenty of reason to be suspicious of CTS Labs, Viceroy Research and the claims being made in their public papers, it is important to note that the vulnerabilities outlined could still be real. With that said, they are unlikely to be nearly as drastic and damning as they are being dressed up to be. As Google Project Zero lead Tavis Ormandy puts it, “nothing in this paper matters until the attacker has already won so hard it’s game over”.