This site may earn affiliate commissions from the links on this folio. Terms of use.

AMD-Zen-Feature

Earlier this week, bombshell news surfaced of thirteen supposedly disquisitional security flaws in AMD processors. While at least some of the flaws appear to exist real based on independent confirmation from security researchers, the manner and nature of the disclosure lifted a number of eyebrows. A simultaneously released report from a firm trying to brusque AMD's stock fabricated the entire thing expect particularly shady, particularly since the firm in question, Viceroy Research, carried out a nearly identical attack on a German company just a calendar week ago. In that case, Viceroy took a big short position on the German company ProSieben, and then accused information technology of questionable bookkeeping practices. Now, CTS Labs has published a letter from its ain CTO, Ilia Luk Zilberman, offer an explanation for its own behavior.

The letter can be divided into two broad sections: Claims near how CTS Labs began and progressed through its investigation of the relevant security flaws, and Zilberman'due south own views on the disclosure process.

In the first office of the alphabetic character, Zilberman claims that his business firm began researching Asmedia devices — the ASM1042, ASM1142, ASM1143 chips, specifically — and that this served as a jumping off point for an overarching investigation into AMD'due south overall security practices. On the surface, this makes sense. It's the kind of inquiry that's familiar to anyone who'southward always worked in QA or attempted to reproduce and narrate unexpected behavior. Only scratch the surface and Zilberman's framing starts to autumn apart.

Cover Your Asmedia

It's absolutely fair to characterize and examination the flaws in AMD'south chipsets. But as CTS Labs' white paper makes clear, the aforementioned Asmedia fries that make up AMD's Promontory chipset for Ryzen CPUs have been shipping on motherboards, including hundreds of Intel motherboards models, for at least the by six years.

Asmedia-Controllers

The Asmedia ASM1042 and ASM1142 were and are widely used on Intel motherboards, but CTS Labs neglects to mention that fact in its white paper or alphabetic character.

Zilberman tacitly acknowledges this when he writes:

[W]e accept started researching ASMedia chips about a year ago. After researching for some fourth dimension, we have institute manufacturer backdoors inside the chip which requite you full control over the fries (ASM1042, ASM1142, ASM1143). We wanted to become public with the findings, merely then saw that AMD have outsourced their chipset to ASMedia. So we decided to check the state of AMD, nosotros bought a Ryzen computer, and whimsically ran our exploit PoC, and it merely worked out of the box.

By its own statements, CTS Labs tested and adult a proof of concept exploit for Asmedia controllers before it was aware these controllers were incorporated into Ryzen chipsets. Where, so, is the website AsmediaFlaws.com? Where'southward the notification to tell Intel motherboard customers that the fries on their motherboards can be similarly backdoored and abused? This isn't a theoretical; I'chiliad writing this article from an Ivy Bridge-Due east system powered by an Asus X79-Palatial motherboard with an Asmedia 1042 controller. In its white newspaper, CTS Labs describes the offending Asmedia controllers as follows:

In our assessment, these controllers, which are commonly found on motherboards fabricated past Taiwanese OEMs, have sub-standard security and no mitigations against exploitation. They are plagued with security vulnerabilities in both firmware and hardware, allowing attackers to run capricious code within the scrap, or to reflash the chip with persistent malware.

If CTS Labs has accurately characterized these flaws, the problems in Asmedia controllers affect millions of Intel motherboards worldwide going dorsum 6 years. In the early days of USB 3.0, before Intel added its own native chipset support, Asmedia was one of the most common third-party providers. Fries like the ASM1142 are still used on Intel motherboards today. When nosotros looked at Newegg, nearly every USB 3.0 PCI Express card we spot-checked used an Asmedia solution — typically the ASM1042 or ASM1142.

If these Asmedia flaws are common to Intel, AMD, and standalone cards, Intel users and expansion bill of fare users admittedly should've been notified. If they're unique to AMD users, CTS Labs needed to explain why. It has not. Over again, when security researchers describe flaws, they typically draw them beyond the unabridged set of hardware on which they are known to occur. Failing that, they at to the lowest degree admit the use of these broken solutions in other contexts. CTS Labs did neither.

Disclosure Policies

Zilberman's defends giving AMD barely a twenty-four hour period to respond to the issues CTS Labs establish by arguing it's amend to disclose the broad strokes of the vulnerability immediately and with no alert because the publicity forces the vendor to bargain with the trouble immediately. This has been a point of general contention in the security industry for years. While working with vendors for a given period of time is the industry norm, the idea that security researchers should publish immediately and damn the consequences is not unique to CTS Labs. There's also a balance to strike between disclosing more technical details of an set on when vendor solutions are either in-place or will arrive imminently (under the cooperation model), versus describing an effect only in the vaguest terms when yous drib information technology on the market place without warning (which is what CTS Labs did).

Where Zilberman errs is when he blames the entirety of the response to CTS Labs' disclosures on the company's conclusion not to provide technical proof of its findings. He writes that his company has been "paying that price of disbelief in the past 24h."

Except that's non what actually happened. Few reputable publications have questioned the existence of the flaws themselves, particularly when Dan Guido of TrailofBits declared that he'd validated and confirmed that all 13 exist.

While nosotros're still waiting for AMD or another third party to release more than details, it's clear in that location's a existent problem here. But the question raised past CTS Labs behavior isn't whether in that location are flaws in AMD's chipsets or Ryzen CPUs. It'south a question of whether those flaws were fairly or accurately characterized given the company'southward scaremongering, and a further question of whether the disclosure was targeted and timed every bit part of a scheme to harm AMD's stock toll, as opposed to a straightforward, good-faith security disclosure.

On these problems, Zilberman is silent.

There'south nothing illegal nigh paying a security firm to inquiry a product or the manner in which CTS Labs disclosed its findings. But just considering something isn't illegal doesn't make information technology a good idea — and nosotros can think of few ideas worse than short sellers and security firms teaming upwardly to weaponize disclosures. Zilberman'south letter of the alphabet may have been intended to clear the air, only information technology but raises more questions about the nature of the company's findings and its framing of its work.