New research claiming to have identified major vulnerabilities in AMD chips is raising more questions than answers from many security professionals. Yesterday, CTS Labs, a little-known cybersecurity firm based in Tel Aviv, published its findings about "13 critical security vulnerabilities and manufacturer backdoors" in AMD's EPYC and Ryzen chips in a white paper and a dedicated Web site, amdflaws.com.
However, AMD as well as a number of security experts say the company's unorthodox disclosure methods merit skepticism about those claims.
Among skeptics' concerns: CTS Labs gave AMD little time to investigate its findings before releasing them to the press; market-watchers have noticed a recent spike in short selling of AMD stock; and researchers' lack of technical information and proof-of-concept code.
'Highly Unusual Disclosure'
Researchers at CTS Labs released their findings after giving AMD less than a day to review the reported vulnerabilities, U.K .security architect Kevin Beaumont noted yesterday in a post on his Double Pulsar blog. "This is a highly unusual and reckless disclosure of security flaws," Beaumont said.
In its response to the research, AMD posted a statement on its Web site that said, "We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings."
Software engineer and Linux creator Linus Torvalds also weighed in with criticisms about how the research was publicized, stating on his Google Plus page that "it looks like the IT security world has hit a new low."
Not Like Spectre, Meltdown
At first glance, CTS Labs' disclosure appeared similar to how different research teams revealed their findings about the major processor vulnerabilities Spectre and Meltdown earlier this year. However, at that time Intel and other chipmakers had been aware of the research for months and were working on fixes when news about the bugs got out.
Yesterday, CTS Labs CEO Ido Li On and CTO Ilia Luk-Zilberman told Motherboard that they released their findings shortly after informing AMD for reasons of "public interest disclosure."
Security researcher Dan Guido said his organization, Trail of Bits, had reviewed CTS Labs' findings and confirmed the vulnerabilities. He acknowledged on Twitter today that he was paid by CTS Labs to conduct an extensive review, but added that doesn't alter the fact that the AMD vulnerabilities are real.
"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works," Guido said in a separate tweet yesterday.
Viceroy Research, another organization that reviewed the CTS Labs findings, published a post yesterday that predicted the bugs would leave AMD with "no choice but to file for Chapter 11." However, citing comments by Viceroy founder Fraser Perring, Reuters reported yesterday that Viceroy "spent much of the evening analyzing the situation and ended up taking a 'sizeable' short position in AMD."
Beaumont said in his blog post yesterday that the way the situation has been handled is not good for cybersecurity.
"I would encourage security researchers not to disclose vulnerabilities like this," he said. "If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations."
Beaumont added, "The only real public exploit here at the moment is a press exploit. This situation should not be happening."