Today we have news of a new set of security vulnerabilities that allegedly impact AMD EPYC and Ryzen CPUs. Every single silicon CPU has had some bug or vulnerability so frankly, this is of little surprise. As security research teams scramble to find these bugs, standard industry practice is that 90 days are given to vendors to mitigate the risks so that millions of compute nodes are not compromised immediately. Even sharing what the issues are can give enough detail to lead to issues in the field. These vulnerabilities were disclosed 24 hours after being brought to AMD, and the whole setup looks beyond bizarre.
About the AMD EPYC and Ryzen Vulnerabilities
Here is the video posted about the vulnerabilities via AMDFlaws.com and YouTube.
Essentially, these vulnerabilities allow unauthorized parties to launch persistent attacks on the machine. They may very well be real, but as we are about to see, CTS/CTS-Labs/CTSLabs is unwilling to state, as a fact that they are real.
Why this Looks Bizarre
There are quite a few items here that look truly strange. As we watched the Interview videos, as an example, the production quality was good, including the VP of R&D at 1:44 giving an interview in a data center. As you can see, that is a green screen background. Anyone in the industry knows that if you give an interview in the data center, you are going to hear cooling systems like fans or you are not really in a data center. Many production crews know this, and when catering to technical crowds, they take this fact into account. Here is the interview video:
What gets even stranger is the last few seconds of the logo screen:
The company on the AMDFlaws site purports to be “CTS-Labs”, not “CTSlabs”, note the “-L”:
As someone who has a JD, MBA, and is involved with publishing, the next step, was to look at the full disclaimer. This is usually the legal portion drafted by attorneys who care about things like entity names:
Where to begin. First, normally when you abbreviate a legal name, you would put CTS-Labs (“CTS”) before just using CTS throughout the document. That was a must-do when I passed legal research and writing my first semester in law school. We now have three potential entity names “CTS” from the “Legal Disclaimer”, “CTS-Labs” from the “company’s” website and AMDFlaws.com, and “CTSlabs” from the video. If you are reasonably careful, it is difficult to miss three times including in your legal disclosure document.
Anyone that puts “professional advice” and “investment advice” first is usually part of the investment community or a company that has to deal with SEC regulation. This is most likely drafted by someone who has seen these terms a lot but did not get trained in legal writing (see the paragraph above.)
The third paragraph gets scary. “The report and all statements contained herein are opinions of CTS and are not statements of fact.” [Emphasis added.] Essentially, CTS does not believe what it reported is fact. We do not know about CTS-Labs or CTSlabs view on whether they think it is a fact. Beyond that, “all information” was “obtained from public sources.” That is a little strange. It looks a far cry from a professional disclosure.
We took the next step to look up CTS-Labs’ website and saw something shocking before immediately closing. It is not even hosted on HTTPS. Everyone may have opinions about how secure HTTPS is, but if you cannot setup a HTTPS website for your security research firm, we are not sure how “[w]e work with hardware manufacturers to design, implement, and deploy high-security solutions…” can be accurate. You would think that step 1 in demonstrating you can design, implement, and deploy high-security solutions
In summary, whatever entity this is, got the information ostensibly from public sources research done by others, which contradicts what they seem to be saying in the video. They are also saying that their statements that there is a vulnerability are not statements of fact.
We reached out to AMD as this seems extremely strange. Here is the response we received from AMD:
At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.
In context here for those who have not worked at a big corporation, every large company takes some time to assemble resources. If your security policy is looking to react within 90 days, having under 24 hours usually will not provide time to even get the right people together to start validating the claim. With Spectre and Meltdown, it took Google coming to Intel and other large players and a coordinated effort over months to address the issue, and there are still bits not finished.
If you are tallying the bizarre, we have:
- An alleged security firm that cannot secure its domain with HTTPS that
- Is not sure what its legal entity name is
- Whose methods relied upon public information stated that
- The vulnerabilities they are talking about are not factual and
- Were disclosed publicly in 24 hours instead of the standard 90 days
Then the question of who could be behind this comes into play. The production quality on video seems to be decent and there is a good amount of content. I have gotten several pings, and I frankly would be shocked if this was Intel. It would not be how I would expect them to compete and the legal disclaimer is too sloppy to be Intel.
While we do not know exactly who this is, best guess, the SEC will be looking into groups of short sellers as it seems like a higher-dollar scare tactic akin to a pump and dump on a Bitcoin/ alt-coin forum rather than an actual security vulnerability disclosure.
There may, indeed, be a set of vulnerabilities with AMD EPYC and Ryzen. In fact, in all likelihood, there are undiscovered bugs and vulnerabilities as we see in any chip design from any modern vendor.
The key takeaway here is likely something that a partner at a large consulting firm taught me when I was just out of school trying to get him to look at the substance of a slide I made:
“If your presentation looks sloppy, people will look at you like you are sloppy and disregard anything you have done.”
For the sake of the computer hardware and security industry, we need to ensure that if this is a legitimate disclosure, that it is indeed put through a proper disclosure process.