back to article OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …

  1. This post has been deleted by its author

    1. DeKrow

      Re: Closed black box firmware

      No, AMD doesn't look as bad as Intel, unless you're taken in by all the sparkles and glitter in the news release.

      And since when is Intel cheaper? Not in my living memory has Intel been the cheaper option.

      1. This post has been deleted by its author

    2. Teiwaz

      Re: Closed black box firmware

      but Intel's cheaper

      Thanks for stopping by from your strange parallel universe...

      1. big_D Silver badge
        Headmaster

        Re: Closed black box firmware

        "but Intel's cheaper"

        Their what is cheaper?

      2. Michael Wojcik Silver badge

        Re: Closed black box firmware

        Thanks for stopping by from your strange parallel universe...

        Perhaps he works for Viceroy Research. They see the world differently. Up is down, black is white, higher prices are cheaper, stock-price manipulation is ethical.

    3. Dragonstongue

      Re: Closed black box firmware

      intel cheaper LMFAO, cheaper when it comes to their "design" philosophy maybe, but not at all when it comes to the finished product.

      1. Anonymous Coward
        Anonymous Coward

        Re: Closed black box firmware

        Lots of AMD fanboys here. Enjoy your AMD/blackhat-controlled processors!

        1. EnviableOne

          Re: Closed black box firmware

          Enjoy your remotley pwnable without creds Intel processor with the AMT flaw.

          I'll stick to an AMD with a requires local root access to do anything

          1. Anonymous Coward
            Anonymous Coward

            Re: Closed black box firmware

            The flaws do seem awfully similar to the Intel AMT flaws.

            Once details are released to verify existing workarounds to this either work or require additional fixes then we can properly asses the impact.

            One day notice, unverified claims and an analyst citing the company being worthless makes this awfully suspicious.

            1. Bronek Kozicki

              Re: Closed black box firmware

              Actually, IIRC Intel AMT flaws are worse, because to exploit those you do not need:

              1) root access

              2) any local access at all

              The only unusual quality of these new AMD attacks is that they can remain under the radar for a very long time, making "evil maid attack" particularly dangerous.

            2. regregular

              Re: Closed black box firmware

              ...an analyst who has already been implicated of market manipulation.

              https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html

          2. whitepines
            Megaphone

            Re: Closed black box firmware

            You do realize that's local root access *at any point in the life of the machine*, right? So how do you know that the person you bought the machine from didn't install malware? How do you even get a copy of a "golden" ROM to restore a potentially infected mainboard / CPU?

            There's a lot more to this than just "current local root"...

            1. zxq9

              Re: Closed black box firmware

              This is a ridiculous argument and leads right back to "trusting trust".

              If you don't trust the manufacturer, the shipper, the prepper, or the administrator of the system, then OF COURSE you don't trust the system. That point should be obvious.

              We have had a policy in the unit I was in previously (and now I have brought it to my current company) that "physical access is the final barrier". And that's it. TCM concepts and whatnot are simply never, ever workable. Even the classic "evil maid" attack isn't actually mitigated by UEFI or TCM because the firmware itself can be replaced with physical access (whether or not root on a running system). The softness of software makes it impossible to know anything about any mutual trustworthiness scheme where two soft modules verify one another.

              Go write a package manager. Or a "secure" compiler suite. Have fun figuring out where a reasonable "bottom" lies as you start digging into issues about trusting trust.

              This was CLEARLY a hit piece on AMD. I don't know if Intel funded it -- it seems highly plausible but unlikely because it could probably be easily traced back to them -- but whoever did certainly had an anti-AMD agenda and picked their moment to counteract the slew of recent Intel flaws.

          3. whitepines

            Re: Closed black box firmware

            Not everyone uses current Intel or AMD chips, for what it's worth. AC probably uses something else, like one of the old ME-free CPUs or even one of the non-x86 options out there.

  2. Anonymous Coward
    Anonymous Coward

    Martin Shkreli or Paul Singer?

    John Fraser Perring sounds like either Martin Shkreli or Paul Singer, depending upon your druthers, of the technical world, in other words, parasites looking to make money on other's misfortune. And as usual, Linus Torvalds has a great quote.

    1. bombastic bob Silver badge
      Thumb Up

      Re: Martin Shkreli or Paul Singer?

      "And as usual, Linus Torvalds has a great quote."

      Yep

    2. MyffyW Silver badge

      Linus, I love you....

      ... but we only have 14 hours left to save the Earth!

  3. Will Godfrey Silver badge
    Unhappy

    Odiferous Rodent

    This whole thing stinks. A security company nobody's ever heard of. Instant 'disclosure'. No truly independent confirmation. No context. This can't possibly be anything except an attempt to damage AMD.

    1. Tom 64
      Pint

      Re: Odiferous Rodent

      Certainly looks like an intel smear campaign doesn't it. Intel are known to have a big presence in Israel, I wonder if they have recently invested in any 'security' startups.

    2. Long John Brass
      Facepalm

      Re: Odiferous Rodent

      CTS-Labs, a security startup founded last year in Israel

      Whats the bet a Wholly-owned subsidiary of intel letni corp USA

      1. Anonymous Coward
        Anonymous Coward

        Re: Odiferous Rodent

        Don't forget the significant funding from the NSA, Mossad and all the other usual suspects who just love, really love backdoors.

        1. Korev Silver badge

          Re: Odiferous Rodent

          Don't forget the significant funding from the NSA, Mossad and all the other usual suspects who just love, really love backdoors.

          If this is the case then why would they publicise the flaws?

          1. Doctor Syntax Silver badge

            Re: Odiferous Rodent

            "If this is the case then why would they publicise the flaws?"

            Maybe they think Intel are easier to compromise than AMD.

      2. Anonymous Coward
        Anonymous Coward

        Re: Odiferous Rodent

        Whats the bet a Wholly-owned subsidiary of intel letni corp USA

        Looking at it it has to be part of the publicity department.

        This report is designed to counter the drop in sales if Intel gear to the general public (I know several gamers that were going to get new Intel kit but have now got Ryzen instead and I doubt they are the only ones).

    3. hellsatan

      Re: Odiferous Rodent

      I would tend to agree, the whole website is slickly put together with fancy logos, catchy brand damaging names for bugs 'Ryzenfall' etc. Talk of 'risk to life' and other sensationalist nonsense.

      No doubt in my mind its a thoroughly unsubtle Intel smear campaign regardless of whether the bugs are all legit.

      Funny how this sort of thing pops up when another company dares to challenge the mighty intel and its bottom line

      1. Robert Carnegie Silver badge

        Re: Odiferous Rodent

        The names are not 'Ryzenfall' etc. but RYZENFALL - to make it scarier. FALLOUT. CHIMERA. MASTERKEY. DEATHNOTE. EBOLACOLA. ANTANDEC. (I put some of those in as well as the original ones.)

        "Rise and fall" also is (the second part) what they seem to have wanted to make happen to AMD's stock price. Which, we are told, has not.

        If this was a long time planning, with or without real flaws (or some real and some fake), then maybe the wind was taken out of its sails by Spectre and Meltdown - someone else's discovery of serious security flaws in lots of AMD processors and, if I have this right, more of serious security flaws in Intel processors.

        Although if Intel is behind RYZENSHINE as well, maybe Spectre etc is where they got the idea, and perhaps they wanted to equalise after arguably coming off worst that time. They knew about those problems a long time before we did.

    4. Dragonstongue

      Re: Odiferous Rodent

      it is an intentional smear campaign...if this issue has been KNOWN about for 6+ years, how is it that we just hear about it NOW, let alone only 24 hours ago from a company that HIDES all their actual info for contact to contact etc..they use GoDaddy FFS...smear campaign period, last I checked Intel was very much sided with their israel team (who was the prime design team behind core solo (and since all the Core base designs e.g core 2 duo core 2 quad, core i series et al)

      I have a feeling it is meant to be a "short" to drive stock price down so that Intel can make a little side action purchasing, especially because the updated Ryzen 2000 series as well as more substantial x4xx motherboard line is very soon to come out, Intel is likely scrambling the best way they can to avoid loss of revenue, if they smear them enough, than perhaps it will mean some countries/vendors will not bother going with AMD.

      However, AMD deals with NASDAQ, which is new york based, if AMD pulls this other company into court for defamation/slander/libel they can be awarded triple damages (if win)..and likely Intel will have gotten crafty to make sure they are "ept at a distance" because of the fact that Intel had to pay out billions to AMD (from my understanding still have not paid this sum in full)

      Intel will do whatever they possibly can to make sure their largest direct cpu competitor gets the lowest amount of potential market share as possible (5-6% would be a drop in the bucket for Intel revenue but a massive gain for AMD funding) Ryzen very much caught Intel off guard, they have been forced to rush products out, had many teething issues that could have and should have easily been avoided.

      Anyways, IMHO this sounds like a duck, it quacks like a duck therefore it can only be....FFS a brand new security firm in Intel "home" design land this company formed a at least as far as the godaddy account almost 2 months to the day BEFORE Ryzen launched, seems to me they had AMPLE time to "let folks know" they did not, I call pure BS on them outright.

      1. Anonymous Coward
        Anonymous Coward

        Re: Odiferous Rodent

        In Intel's defence, this looks too much like shorting AMD for ANY listed company to get involved with.

        If any links are found to Intel in this, expect a lot of rapid terminations to try and distance themselves from any SEC retaliation.

        As for the security agencies, I suspect they would have preferred it wasn't publicly released. Maybe a former employee looking to cash in after finding themselves short of work?

    5. Anonymous Coward
      Anonymous Coward

      Re: Odiferous Rodent

      "Odiferous Rodent"

      Brilliant name for the next major release of Windows.

      1. PNGuinn
        Boffin

        Re: Odiferous Rodent

        Re "Brilliant name for the next major release of Windows."

        Or the next release of Umbongo with added systemd?

  4. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Cui bono?

      "I wonder if the money trail leads back to Intel?"

      Especially given that Intel has a major facility in Israel.

    2. Anonymous Coward
      Anonymous Coward

      Re: I wonder if the money trail leads back to Intel?

      Guess that depends on how good Intel's accountants are.....

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: I wonder if the money trail leads back to Intel?

        and lawyers - corporate black ops goes via the legal departments so they can appeal to client confidentiality ... allegedly

      3. Tom 7

        Re: I wonder if the money trail leads back to Intel?

        I think you will find money trails are a lot harder to follow than working out how to diagnose the most obtuse security problems. Which is strange when, of modern business skills, accountancy is the one that should be most easy to make completely transparent and traceable.

        Strange that.

    3. low_resolution_foxxes

      Re: Cui bono?

      Intel are a massive employer in Israel (10,000s), so it wouldn't be surprising if a few Intel workers had also worked in security and would like a bite at AMD following Intel's woes..

      There's a lot of geo-political business related tension in Israel recently, the most valuable company in Israel (Teva Pharmaceutical) just had the patent rights expire on a blockbuster drug (~$4bn pa revenue, big news for a small ~ 8m population), so with Intel and Teva on the ropes, it's not surprising some of their workers would potentially consider pointing out flaws in the opposition.

      Do not underestimate the power of finance share geezers shorting a stock to make £100m in a day either by posting 'market changing information' in public - it would not be the first time, that's usually the US or London traders though.

  5. Wade Burchette

    Something is not right

    I say a comment somewhere which proved the people from "CTS" were using a green screen for their promotional video. They easily found stock photos of the backgrounds used in the video.

    https://i.imgur.com/OkWlIxA.jpg

    Regardless, something is not right when you give a company 24 hours to fix a security hole. And the AMD flaws website (what was it again?) was registered in late February, so they at least knew for over 24 hours. And something is not right when the WHOIS records for your websites are registered using Domains by Proxy. Why would would a serious company go to such trouble to conceal their identity? Everything about this feels wrong.

    1. Anonymous Coward
      Alien

      Re: Something is not right

      @Wade Burchette: "I say a comment somewhere which proved the people from "CTS" were using a green screen"

      AMD Flaws Interview

      1. ADRM

        Re: Something is not right

        https://youtu.be/ZZ7H1WTqaeo

        Gamers Nexus call it an assassination attempt.

  6. Carl D

    *Yawn*

    Meltdown... Spectre... and now this.

    The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?

    Gotta keep that good old 'security company' money making gravy train rolling along... I'm sure MS love it too as it enables them to maintain control of peoples' computers with the never ending updates.

    Perhaps we might have a more peaceful, 'security flaw' free computing experience if these security companies went out of business.

    1. Carl D

      Not sure what the downvotes are all about for my last post?

      I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers. And, yes... they do use them online (unlike myself, who has taken the wise step of keeping Windows 7 offline for good now and using Linux Mint for everything I do online).

      I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found" boasting that we see constantly these days. Reminds me of a juvenile dick measuring contest. Of course, their big fat pay cheques no doubt have a lot to do with it as well.

      I'll bet the average hacker wannabe/script kiddie would never discover the majority of these so called security vulnerabilities in a million years.

      1. Mark 65

        I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.

        The think they've had ZERO security issues. FTFY. The point of some of these exploits is it is near impossible to tell. More so for people who haven't updated in 12 months and have saloon doors for security.

      2. eldakka

        > I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.

        >...I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found"

        I know a group of people who have never been killed in a car crash, therefore car safety is overrated.

        I know a group of people who drive without seatbelts, and none of them have died in a car accident, seatbelts are overrated.

        I know a group of people who haven't vaccinated their kids, vaccines are overrated.

        I know a group of people who haven't died from cancer, cancer is overrated.

        I can continue drawing false equivalencies like you have if you like.

      3. BinkyTheMagicPaperclip Silver badge

        @Carl D - Y2K was a big issue, and the problems were real. The software we used at the time would have broken if unpatched, I tested it and the scheduling went haywire.

        It's probably fair to say a reasonable amount of the defects were display issues, but then again, if you're writing 19100 out to a file and it's being used elsewhere...

        1. katrinab Silver badge

          Sure but the warnings that your washing machine will self-combust because it thinks that Queen Victoria is back on the Throne were probably a bit overdone.

          "As we emerge from the bunker and see not a world in flames, but merely several websites displaying the date as 19100 and a frantically back-pedalling Ed Yourdon, we have come to regret our decision to trade NTK's webserver for eight sacks of lentils."

          http://www.ntk.net/2000/01/07/

          1. BinkyTheMagicPaperclip Silver badge

            That's unavoidable due to humans and business. Someone is always going to try and make a quick buck, so yes, the average user buying a patch to stop their software displaying 19100 is probably wasting their time.

            No-one sells papers by saying 'IT industry are responsible, there will be no problem' when they can sell papers twice by first claiming it will be a disaster, and afterwards that it was hot air.

            The message had to be broadcast, as everyone uses computers these days. A side effect to any large event is always someone trying to exploit it.

          2. Robert Carnegie Silver badge

            http://www.ntk.net/2000/01/07/

            But where is NTK now?

            Stuck in the year 19107 as far as I know.

      4. Jamie Jones Silver badge

        "Not sure what the downvotes are all about for my last post?"

        Like many here I was deeply involved in fixing Y2K issues, and the problem was very real - most of them embarrassingly so.

        We expect ill-informed comments like that from the tabloids, not El Reg readers.

        What if Y2K when it happened had caused loads of real problems? The tabloids would have moaned that with all their warnings, and "all the money thrown on it [by poor tax payers already propping up immigrants and doleys]", we still couldn't sort it out.

        P.S. Incorrect use of question marks bugs me. Are you not sure, or unsure whether you're not sure?

        </grumpyoldgit>

        1. nijam Silver badge

          > Like many here I was deeply involved in fixing Y2K issues

          Whereas, like many others here, I was involved in wasting my time confirming that none of our software or IT equipment would be affected by the Y2K issues. (And just to make the point, I'll point out that it was repeatedly hyped as a "millennium bug", when it was merely a "century bug".)

      5. Anonymous Coward
        Anonymous Coward

        "I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.!"

        How do they know?

        Hey look I've house full of IoT stuff I bought of eBay for a fiver and I've never had security issues!

        Are they actually worth worrying about? Do they have corporate secrets on there? Are they Domain administrators on a 100,000 strong network? Are they running websites?

        Or is it just Dave, Mildred and uncle Arthur playing solitaire?

    2. Chika

      The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?

      As one of a large number of people who worked pretty hard to make sure that everything worked reasonably well come 01/01/2000, I think that I can guess why you might have a few downvotes on this post.

  7. Anonymous Coward
    Facepalm

    Israeli security startup CTS-Labs

    Why not just make the firmware read-only with a hardware switch?

    "CTS-Labs, a security startup founded last year in Israel"

    CTS-Labs, a front for the Israeli security service, most probably.

    1. eldakka

      Re: Israeli security startup CTS-Labs

      > Why not just make the firmware read-only with a hardware switch?

      Many dumb users would find that too complicated.

      For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS (e.g. just DOS or QDOS or similar) and flash that way. But in the name of convienience many manufacturers have made it possible to flash from a multi-user, network-connected operating system using auto-updates.

      1. 9Rune5

        Re: Israeli security startup CTS-Labs

        For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS

        Sure, and at some point they stopped making floppy drives, which kinda forced everyone to use more convenient ways. Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.

        And hey, it is not as if nobody were ever infected by leaving a diskette in the drive before restarting.

        In all fairness, compared to the 80s and 90s, I think we are better off now security wise.

        1. Teiwaz

          Re: Israeli security startup CTS-Labs

          Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.

          Most laptops today could fit an SD card slot in, but often hard to to find one.

          I've a mobo with several different methods of updating the BIOS (including dedicated USB socket), all seem over-complex and flawed.

          Ended up going back to the old method, if with cut-down OS on a USB stick rather than an 8', 4.25 or 3.5' 'floppy'.

          1. Alistair
            Windows

            Re: Israeli security startup CTS-Labs

            @ Telwaz:

            I wanna see that 8 foot diameter floppy disk.

        2. eldakka
          Mushroom

          Re: Israeli security startup CTS-Labs

          Sigh.

          OK, you have just firmly put yourself into the "dumb users" category. Therefore let me spell it out a bit more clearly for you, rather than the generic shorthand "boot from floppy" which I believe most people would understand to mean "boot from external media, no matter what form that external media takes".

          For many years, the only way to flash BIOS was to boot into a single-user, non-multitasking OS that had minimal drivers loaded (no networking, no SCSI, no tape drives, no heavy-weight GPU drivers, and so on) and either explicitly invoke the 'flash' command (unless the boot media was specifically crafted for flashing BIOS, in which case it might automatically invoke the flash command). This method was orginally done via floppy disks (5 1/4" when I started, older people will remember 8" or even audio-tape-based drives). It could also be accomplished by other externally booted media, e.g. eSATA, USB, Zip drive, firewire, serial, or whatever method your specific hardware supported. Alternatively, you could have a boot-loader that oftered the choice of booting into such an O/S that (might have) had its own tiny dedicated partition.

          Or even, if using a UNIXy system where the OS itself supported many different boot modes, you could explicitly boot into single-user mode or, if it is/was actually a UNIX workstation of some manufacture, you would probably do it from the boot PROM or similar environment (for those of you not with a history of actual workstations, they had a UEFI-like system for decades, but it wasn't graphical, it was command-line based, so you could boot up into the 'UEFI' (on a SUN workstation STOP-A would dump you into it) and perform some hardware-based tasks like this).

          Or even in more modern windows, at least booting into 'safe' mode (without networking) would give you a semblance of doing something similar.

          The key takeaway, which I suspect most people (other than you) would have gotten was:

          For the convienience of the average user, manufacturers have sacrificed security and reliablity for user convienience. It is a bad idea to be able to flash a systems firmware from a connected, online, multi-user operating environment where someone sitting on the other side of the world could be flashing a compromised firmware onto a system unknown to the user who might actually be using the system at that time and not know this is going on.

          1. 9Rune5

            Re: Israeli security startup CTS-Labs

            What you are describing is security by obscurity.

            I really don't care. If you manage to get to root level on my box, then it is game over for me.

            Besides: Ahem... If you manage to get to root... AFAIK you have kernel access. Which means you are free to install whatever device driver you like. Which in turn... Tadaa... you can flash whatever you can flash from a DOS boot device, be it your old trusty floppy or SD card.

      2. vtcodger Silver badge

        Re: Israeli security startup CTS-Labs

        If you find yourself frequently updating the firmware for obscure security chips, might not that be an indication that either 1) The code for those chips is not very high quality, and/or 2) The chips are doing way too many things and therefore have an overly large attack surface, and/or 3) The whole notion that computers are securable is nonsense and that we better start rethinking what we use them for and what we choose to do and not do digitally?

        The idea of an off/open by default switches or jumpers for "firmware" updates seems to me to make a lot of sense.

      3. Roland6 Silver badge
        Pint

        Re: Israeli security startup CTS-Labs

        >For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS

        And before that, the only way was to physically replace the BIOS EPROM.

        Youngsters! :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Israeli security startup CTS-Labs

      CTS-Labs, a front for the Israeli security service, most probably.

      I'd long ago concluded that Israel itself was just a front for the Israeli security services.

    3. Alistair
      Windows

      Re: Israeli security startup CTS-Labs

      @ Walter Bishop:

      I have -- lessee -- 86 nodes in a Hadoop cluster.

      Exadata (Dev/qa) -> Full rack, 6 DB nodes and 11 Storage nodes

      Exa (Prod) two racks, 4/6 each

      32 Sas systems in a cluster,

      Wanna come up date *all* my firmware one Saturday night with switches?

      (And we aren't even looking at DRP yet, nor the 4,000 odd other systems in our various data centers..... And Cloudfront would shoot you)

  8. Anonymous Coward
    Anonymous Coward

    On a broader front it does give food for thought on how our processors are designed, trusted, and generally run. This issue is only likely to intensify with the increase in services a cpu is designed to supply.

    From my own perspective i'm old fashioned I like a RISC architecture CPU that just processes instructions(no microcode involved), that way I can trust it to do what its told.

    1. low_resolution_foxxes

      Yeah, sometimes it almost seems like processors are designed to have backdoors by the Americans that occasionally get leaked and cause a crisis....

    2. Nick Ryan Silver badge

      As a broad genalisation, good security must be place in from the start, attempting to retrofit security almost always fails.

      The "WinTel" platform started from a stand alone, single process, single privileged user platform to one that is now networked, has had multiple users and multiple concurrent applications added with security tacked on top almost as an afterthought. I don't really consider these failures malicious, more a symptom of how the platforms (processors, chipsets and operating systems) evolved and what they evolved from.

      1. Anonymous Coward
        Anonymous Coward

        I think you're mostly correct, but I'm to cynical to not expect our friendly neighbourhood spy agencies not to take advantage of their position to not request/force security issues on chip makers. I think what you've described just makes them doing so more easy.

  9. DeKrow

    Timeline

    - Intel's MELTDOWN and SPECTRE issues were disclosed in late January 2018.

    - amdflaws.com registered 22nd of Feb 2018

    - AMD informed of the issues 12th of March 2018

    - actual disclosure / news release 13th of March 2018

    Three things:

    This looks like an Intel-sponsored hit on AMD to 'level the playing field'

    The web domain was registered well in advance of any warning being given to AMD - because we're a security company, so fuck security we've got marketing to do: flashy website and high-production-value YouTube videos here we come!

    Just like hacking evolved from a hobby into serious criminal enterprise, security disclosure has turned from noble and responsible act (with some self-advertising for employment purposes) to blatant stock market manipulation.

    Other things:

    - The amdflaws.com domain was registered with a 2-year expiry (22/02/2018 - 22/02/2020)

    - The cts-labs.com domain was registered with a 1-year expiry (25/06/2017 - 25/06/2018)

    - Both were registered with GodAddy

    - Linus Torvalds gets more respectable the more outbursts I read about

    1. the Kris

      Re: Timeline

      Anyone registered www.intelflaws.com yet?

      1. Peter2 Silver badge

        Re: Timeline

        A domain squatter has. Unsurprisingly, it's priced in direct relation to the quantity and severity of flaws in Intel processors.

        1. Doctor Syntax Silver badge

          Re: Timeline

          A domain squatter has [registered intelflaws.com].

          How about intelflawsareworse.com?

          This could get really silly really fast.

  10. Carl D

    Well, at least I'm not alone

    https://doublepulsar.com/on-amd-flaws-from-cts-labs-f167ea00e4e8

    "You may have seen media reports about flaws in AMD chipsets. AMD are currently reviewing the report, as they were given less than a day notice of vulnerabilities that CTS Labs claim put lives at risk (via their website, AMDflaws.com). This is a highly unusual and reckless disclosure of security flaws."

    and...

    "I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations.

    The only real public exploit here at the moment is a press exploit. This situation should not be happening."

    Yep, absolutely correct.

  11. TReko
    Thumb Up

    Excellent reporting, Register

    As usual, a well written and researched piece.

  12. Anonymous Coward
    Anonymous Coward

    ASMedia, owned by ASUSTeK

    "The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines."

    Well, I guess THIS is why I was able to purchase a used ASUS motherboard for under $20.00 on eBay.

    The computer went to a 9 year old child so if any keyloggers are in place some miscreant is getting the passwords to RoBlox.

  13. Glad Im Done with IT

    Maybe this will backfire.

    If this is primarily a securities ploy to weaken AMD then this may backfire massively.

    This sound like a processor where the user gets full control of their hardware back. If you don't want to use the increasingly irrelevant windows 10 and are annoyed at lock down of the hardware you own, this sounds like maybe the last chance to get a CPU where you will have full control of the hardware you own.

    I was looking for an upgrade path to my aging hardware and now I want one of these CPUs because of these 'vulnerabilities'.

    1. whitepines

      Re: Maybe this will backfire.

      Please explain to me how you think you have full control? How is this different from jailbreaking, where you absolutely do not get full control, just some control over userspace?

      1. Glad Im Done with IT

        Re: Maybe this will backfire.

        At the moment these parts of your hardware ,PSP etc are black boxes which are not accessible to the end user. If these 'exploits' allows a root user to view, check and record the contents at least there is a level of certainty for the administrator that the hardware has not been compromised. Any changes in these black boxes could be logged, diffs made, and if unhappy potentially rolled back to a state that the end user is happy with.

        Security belongs to the owner of the hardware not the manufacturer.

    2. Dragonstongue

      Re: Maybe this will backfire.

      especially as AMD deals with NASDAQ who is in new york and in new york if you are "fined" for damages, the "win" is triple damages...I can see Intel doing this, because they would just keep paying the fines and not bother paying the full amount for years and years (just like they did with the what was it 2.5billion they had to pay AMD, they still have not to my knowledge...they just keep reinvesting, keep "taking a loss" and keep tying the court up so essentially never have to pay it)

      10 years or more screwing AMD by forcing vendors to NOT use AMD and use them with "sweetheart deals" likely the amount Intel "has to pay" is a very small drop in the mentioned bucket compared to the loss in revenue AMD suffered because of this since then and now (they still do this crap, but, have gotten crafty at it, and do it in countries that do not have any laws against them acting this way)

      1. Glad Im Done with IT

        Re: Maybe this will backfire.

        Ok looking at Nasdaq there was notable trading reported on Tuesday.

        "Especially high volume was seen for the $11.50 strike put option expiring March 16, 2018 , with 38,495 contracts trading so far today, representing approximately 3.8 million underlying shares of AMD. Below is a chart showing AMD's trailing twelve month trading history, with the $11.50 strike highlighted in orange:

        So if share price remains above $11.50 for two days then these dumpers have lost their premium. I suspect the markets have already taken note and no doubt will keep these options worthless.

        1. Bronek Kozicki

          Re: Maybe this will backfire.

          On put options: the current price is $11.35 , so put option at $11.50 is "in the money". However, the price has been climbing up, from the lowest point today $11.28, so those who bought these options when the shares were cheap will not make profit, unless the price falls again. It might, or it might not - if it does then it would be not on the "strength" of the security "discovery" discussed here.

  14. Richard 12 Silver badge

    It rather involved being on the other side of this airtight hatchway

    So if you can get physical access, you can reflash the firmware.

    Yes, of course you can. You can do that on practically any hardware that has programmable non-volatile memory.

    Assuming everything they claim is true, the TPM flaw is the only one of consequence - being able to extract the key by any means is very bad, reflashing firmware should wipe the keys.

    As for the rest - exactly how does one update a BIOS/UEFI/chipset/GPU-BIOS/insert-device-here without the ability to install said firmware?

    All Intel chips and chipsets have near-identical "flaws". The only true mitigation is ROM - and good luck updating that when there is a real problem.

    1. Paul Shirley

      Re: It rather involved being on the other side of this airtight hatchway

      While being able to install unsigned firmware has it's uses, on a device with supposed security features it's always a fault. Hacking clocks on a gpu is a different from the potential to expose keys on a CPU.

    2. Solmyr ibn Wali Barad

      Re: The only true mitigation is ROM

      Yes, please, bring back those UV-eraseable EPROM chips. With 25V programming voltage.

      Not only do they look cool, quartz windows and all that, but using those will probably teach them script kiddies a bit of real work.

      /my coat has a box of 2708's in its pocketses, thank you/

    3. RAMChYLD

      Re: It rather involved being on the other side of this airtight hatchway

      "reflashing firmware should wipe the keys."

      Wouldn't doing that render, at very least, lost of access to DRMed files (assuming the BSAss, MPAssA and RIAssA mandates that the OS stores decryption keys for the DRMed media you bought off Google Play/iTunes/Windows Store on the TPM if one is available) and at worst, lost of the content of the entire hard drive (assuming the user encrypted the entire drive and the key is stored on the TPM)?

      I think leaving the TPM untouched is more for the convenience of the user. Who has the time to go through reformatting an entire PC and deal with data loss just because the firmware was updated?

      Although, imo, the world would be a better place without TPM. The only thing TPM does is it gives big corporations even more control over your own PC and what you have installed.

  15. Anonymous Coward
    Anonymous Coward

    Pot and Kettle

    re

    The biz apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure.

    Curious, how much advance warning did the register give Intel?

    1. Glad Im Done with IT

      Re: Pot and Kettle

      The reg reported on facts already in the public domain, Linux kernel sources, and did a bit of putting two and two together.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pot and Kettle

      Plus Intel had known about the flaw for six months by the time the Register reported on it. If you can point to an incident where the Register independently discovered a CPU flaw and gave 24 hours notice before publishing an article, please feel free to educate us. Idiot.

    3. Major N

      Re: Pot and Kettle

      Intel et al had been aware of the problem for at least six months at that point, so your attempted snark is both unwarranted and off target.

      1. Doctor Syntax Silver badge

        Re: Pot and Kettle

        "your attempted snark is both unwarranted"

        Don't be too sure. I think we can work out who might have warranted it.

    4. Anonymous Coward
      Anonymous Coward

      Re: Pot and Kettle

      An integer answer would have sufficed.

      Nice to see the un-educated like to down vote a question without realizing the true purpose.

      1. Doctor Syntax Silver badge

        Re: Pot and Kettle

        "Nice to see the un-educated like to down vote a question without realizing the true purpose."

        Have you stopped beating your wife? A yes or no will suffice.

  16. Dodgy Geezer Silver badge

    At what point...

    ..."At what point will security people admit they have an attention-whoring problem?"...

    "At what point will people admit they have an attention-whoring problem?"

    There. Fixed that for you.....

    1. nematoad

      Re: At what point...

      Ah, but how much damage could the security people do as against the "ordinary" citizen?

      A lot in my opinion, and I reckon Linus has this right in calling out this "look at me, aren't I clever?" attempt.

  17. Anonymous Coward
    Anonymous Coward

    How much did this report cost Intel?

    I wouldn't believe any of the claims until we hear from AMD that a claimed security issue actually exists. We saw in prior reports that AMD's CPU architecture did not suffer from the security violations baked into Intel branded chippies. It would not surprise me one bit to have Intel spend millions to get some unknown entity to make claims that are untrue to confuse consumers and make it appear that all CPUs suffer from the security issues Intel intentionally created in all of their CPUs by violating command execution protocol.

  18. Michael H.F. Wilkinson Silver badge

    I smell something fishy,

    and I’m not talking about the contents of Baldrick’s apple crumble

    To quote Captain Blackadder

  19. Anonymous Coward
    Anonymous Coward

    why does it have to be Intel? They have a lot to loose if caught. It is probably a scam artist 'investor' looking to make a quick buck.

    1. Mr Humbug

      Seems more likely that it's a bunch of 20-somethings who started a company last year, stumbled across something clever and have spent the last three weeks (since 22nd February) putting together a self-promotion campaign to get the most press coverage possible without considering things such as responsible disclosure.

      The TPM issue (if as described) does seem concerning. I'm sure I can't be alone in using the combination of TPM plus Bitlocker to keeps the data on PCs secure with minimum inconvenience to the user. I guess AMD-based machines are going to need a BIOS boot password now.

  20. Solarflare

    Anybody look at their disclaimer?

    https://amdflaws.com/disclaimer.html

    "The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents. "

    Yeah, doesn't sound shady at all...

    1. Voidstorm
      Pirate

      Re: Anybody look at their disclaimer?

      "... not statements of fact" -- so, they're lies, then ? <.<

      I agree, this stinks like a barrel of sardines.

  21. GrumpenKraut
    Mushroom

    Amateur hour

    still a certain German news outlet (*cough* heise.de *cough*) totally fell for it. They are receiving a nice roasting in their comment section, though. ---->

  22. Zippy's Sausage Factory

    Sounds like the lab are trying to make a name for themselves. Although rehashing old vulns and putting fancy names on them doesn't sound like a sensible way to do that...

    1. GrumpenKraut
      Pint

      it's not just the fancy names. Example: "Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS ...". Hello? If an attacker is in a position to flash the BIOS on any machine whatsoever, that's well and truly game over.

      Security ALERT: An attacker can compromise AMD-based computer if in the position to take a pee on the mainboard. We need a name for that: PIDDLE-NADO-APOCALYPSE. Yeah, that's fitting.

      Sorry, not beer ------>

  23. JakeMS

    If these issues exist..

    They should absolutely be taken seriously and, if possible, fixes released.

    However, giving AMD only 24 hours notice is just irresponsibile.

    Yes, try to find them, yes report them to AMD but for the love of computers give them a chance to at least investigate it. 24 hours is no time at all, at best you could check a few chipsets in a day, but no way would you have time to fix them all in 24 hours.

    Bear in mind, fixes would have to be tested also prior to release (to check for brickage, we're talking cpus and chipsets here, a bad update is a bricked machine).

    In my opinion the security team handled this poorly, even Google Security Team gives you a week!

    1. Peter2 Silver badge

      Re: If these issues exist..

      That's because it's either:-

      1) a deliberate attempt to manipulate the AMD share price to make a profit via shorting AMD's shares

      or;

      2) a hit peice from a certain well known company which has recently been discovered to have both a shockingly wide variety of severely dangerous remotely exploitable security flaws in it's products and a well known historical track record for having a predeliction towards illegal dirty tricks being ultimately responsible, and using a share price scheme as semi plausible cover for trying to prevent to competition from exploiting their shortcomings.

  24. Doctor Syntax Silver badge

    If they're on the level they have just given potential clients notice of why not to deal with them. Or maybe the initial investment was running out and they had to whip up some publicity PDQ.

  25. Anonymous Coward
    Facepalm

    Roll up folks! The security circus is back in town!

    1. Witty names? Check.

    2. Individual logos? Check.

    3. Special domain name? Check.

    4. Lashings of self-aggrandizing hyperbole? Check.

    5. Lack of useful detail? Check.

  26. iron Silver badge

    This whole thing stinks to the heavens and I'm not talking about AMD's security. A company I've never heard of, a report that was published without responsible disclosure, no POC code, no CVE numbers, the vendor given 24h notice yet a random security researcher (who I've also never heard of) was supposedly given a week with the report and POC code... Meanwhile some investment company is citing it and calling for people to sell AMD stock? My local fishmonger smells less fishy.

    1. GrumpenKraut
      Boffin

      You forgot videos in fake(ed) labs.

      About the 24h notice: if they made that any more, then AMD would surely came back with a big fat "Are you guys kidding?". And that would go against the obvious intention of this PR stunt.

  27. johnnyblaze

    Sensationalist headlines. Nothing to see here. Move along. I wonder if the CTS Labs 'research' was funded by Intel? It was very AMD focussed. Keep buying those Ryzens and EPYC's - they're great CPU's.

  28. potatohead

    What can be patched

    That there are flaws in the processor is not that surprising - it's a new design, and this stuff is hard if not impossible to reason about.

    The interesting question is whether AMD are able to patch these systems to resolve the flaws.

    Another explanation for the lack of disclosure delay would be that CTS-Labs are well aware that these problems are easy to fix, and hence they would have a non-story if they delayed publication.

  29. jms222

    Found this explanation

    https://www.reddit.com/r/Amd/comments/846gpm/how_cts_labs_created_their_offices_out_of_thin_air/

    speaks for itself.

    1. mutin

      Re: FoFake company, fake claims?und this explanation

      By the link that is ALL fake. Will see what AMD will find. While Israel does not permit extradition of its citizens, AMD still can sue guys. Let's get some popcorn and patiently wait for the dust settles.

  30. GrumpenKraut
    Devil

    CTS-Labs is "Catenoid Security" which was formally Flexagrid Systems Inc

    ...A company that produced the Computer Hijacking "CrowdCores"

    See here (link to anandtech.com forum).

    Hope they get their balls pinched.

  31. Bronek Kozicki

    grumble grumble ...

    When people find that your products suffer from meltdown, do you:

    1) focus on fixing the problem, or

    2) put large spectacles, wig and fake moustaches, point at a rodent passing nearby competitor's factory, and shout "oh look, squirrel!"

    Credit to Torvalds for naming these guys for what they are.

  32. jfm

    Viceroy Research? The one who shorted Capitec Bank in South Africa and then claimed Capitec's financial statements were false and they were a loan shark heading for insolvency? And then when the Reserve Bank and the national Treasury said they had no concerns about Capitec, doubled down and said they'd both accepted the supposedly false accounts at face value, and would discover Viceroy was right and put Capitec into receivership if only they did a proper audit? That Viceroy Research?

  33. regregular

    Also worth of note:

    The company Viceroy Research has just recently been implicated in attempted stock market manipulation by german stock market / banking authority BAFIN (similar to US SEC).

    https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html

    This is very dodgy.

  34. Anonymous Coward
    Terminator

    Free hole just by electronics

    Server, PC, Laptop and Mobile Phone are all a metaphor for 'a hole'

    want A Hole, then just utilise electronics/

  35. Anonymous Coward
    Anonymous Coward

    Secure Proccessor, it locks you down not out

    AMD: "Secure Processor, it locks you down not out (like all the others) - Well not true you are all locked out."

    Pththththththththt !

    If you want a Secure Processor, Bios or Hard Drive allow the user to check-sum the device (even old md5 & sha1 together) and save in an non-battery-backed manner on a chip (aka in 80's music electronics).

    Otherwise just means to lock out users.

  36. Destroy All Monsters Silver badge

    I see

    There is a market niche for the taking out of bottom feeders that is sadly not being actively exploited.

  37. Milton

    Clumsily obvious

    I tend to agree with those who point out that "flaws" which can only exploited if the machine is already compromised at root level are much less significant than those which can burrow in under the radar and obtain that kind of access.

    It's a bit like worrying about mission protocols when the captain of the aircraft carrier is already a foreign agent: you lost the game long before having to worry about how many planes to keep on CAP. Your job is to employ good, loyal captains. Your job is also to worry about important threats, like (say) a new sea-skimming missile that your radar can't detect, which makes the question of mission protocols important if the captain hasn't been compromised.

    And yes, this whole thing stinks like a week-old haddock, and per my title, I suggest it is clumsily obvious, to the point of witlessness. I won't trouble to detail the points made so well by others, regarding timing, attempted anonymity, suspicious abruptness with which this latest crew apparated: it all simply stinks of an unsubtle, heavy-cack-handed and slimy attempt to smear AMD.

    As to who is really behind it, well, the same folks who are always responsible when corporations do dishonest, dishonourable things which strangely benefit it to the tune of billions: "A small group of junior employees gone rogue who acted beyond their authority and completely without the knowledge of senior management."

    They do get around, those guys.

    1. Anonymous Coward
      Anonymous Coward

      Re: Clumsily obvious

      @ Milton

      Great response and I expect you've hit the nail on the head :)

    2. Robert Carnegie Silver badge

      Re: Clumsily obvious

      One flaw in your argument: the claimed AMD flaws are such that if you metaphorically detect that the aircraft carrier captain is a foreign agent and you replace him with a good one, the bad captain may have still ineradicably compromised the aircraft carrier itself. That's to say: the bad operating system has infected the Secure Processor and/or the motherboard firmware. It looks like a real risk.

  38. mutin

    Good Pirates???

    That is a shame!!! Not AMD, because bugs are bugs and there is a process to fix. For the company expense. What CTS-Labs did was "good piracy" and my suggestion is to do what normal people do with ANY pirate - hang them! They are not about security, they are about money and getting it in the most dirty way. In InfoSec world of terms. I would suggest NOT to deal with the company, otherwise one day your own hands will get dirty as well. Or they trade you for yet another money.

    But, they are not only greedy but also stupid! They expected AMD stocks react on their "news". Well, the case of Meltdown etc. shows that the reaction is minimal if at all. Investors use different criteria. and judge by different information.

    Frankly, I've been in InfoSec since 2003 and do not remember such misconduct of vulnerability announcement. May be they need PR themselves? But that is not about Information Security. That works in Hollywood.

  39. tygrus.au

    Is the priority stock price manipulation

    The secretive behaviour of those behind the disclosure and websites is very suspicious. It could be an exercise to find a few bugs and exploit them for stock price manipulation or pay-back.

  40. rav

    CTS ADMITS EVERYTHING IS BULLSHYTE ALL OPINION AND ZERO FACTS.

    From CTS

    "The report and all statements contained herein are opinions of CTS and are not statements of fact."

    And this......

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    Excerpted from below...

    "Legal Disclaimer

    CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

    It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

    The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

    You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

    Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."

    https://amdflaws.com/discla...

    CTS is telling the world it is ALL bullshyte and they have a financial stake in AMD.

    Yet the on-line media is writing about nothing else.

  41. Lord_Beavis
    Trollface

    Old Tech

    Glad I'm hanging on to these 6502 and Z80 CPU's...

  42. William Higinbotham

    Look for those undocumented opcodes:-)

    http://www.rcollins.org/secrets/IntelSecrets.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like