Originally Seen: Cyberscoop by Zaid Shoorbajee
A small cybersecurity company and research group is publicly reporting major, Meltdown-style vulnerabilities in chips made by AMD, yet the disclosure itself has sent security researchers into a frenzy about possible ulterior motives.
CTS Labs, an Israeli cybersecurity company that purportedly focuses on hardware, launched a website and released a white paper on Tuesday describing 13 security flaws in AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen processors. The chips are used in laptops, mobile devices and servers.
The vulnerabilities reportedly include backdoors that would allow attackers to inject malicious code onto AMD’s chips. Such malware could allow attackers to take complete control of AMD processors, steal network credentials, install malware and read and write on protected memory areas, among other risks.
CTS Labs released the vulnerability information on a public website, amdflaws.com, saying it released the findings for the sake of public awareness.
“In particular, we urge the community to pay closer attention to the security of AMD devices before allowing them on mission-critical systems that could potentially put lives at risk,” the website reads.
The company says it has sent technical information to companies, including AMD, in order for patches to be developed. That technical information is not available on the public website.
AMD has addressed the claims on its investor relations page, saying that it is investigating the findings. The chip maker also took umbrage with CTS Labs for not giving proper notice before the research was published.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD says.
CNET, which first reported on the bugs, wrote that CTS Labs gave AMD less than 24 hours of notice before they published their findings. Security researchers typically give a company 90 days to coordinate and patch flaws before they publicly disclosing their findings. That was the plan with Meltdown and Spectre — security flaws in Intel’s processors revealed earlier this year — but information about the flaws was leaked shortly before planned publication.
Up until Tuesday morning, little was known about CTS Labs. The company does not appear to have a social media presence. A glitzy video CTS posted alongside its report features interviews with CTS Labs representatives in front of stock photos of office space and data centers.
The company’s website states it was founded by Ido Li On and Yaron Luk-Zilberman in 2017. Li On’s LinkedIn page lists him as formerly serving in Israel’s Unit 8200, an Israeli intelligence agency equivalent to the NSA. Luk-Zilberman LinkedIn page lists him as being the managing director of NineWells Capital Partners, a hedge fund based out of New York. However, SEC documents currently list him as NineWells Capital’s president.
Additionally, a legal disclaimer on CTS’s disclosure website states the company might have a financial interest in the companies mentioned in its report. In its report, CTS discusses AMD hardware made by ASMedia, a subsidiary of Taiwanese technology company ASUS.
The disclaimer reads:
“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.”
The disclaimer also warns against using CTS Labs’ report as investment advice and classifies all of its findings as “opinions.”
Fraser Perring, a researcher with Viceroy, told CyberScoop that Viceroy received an advanced email with CTS Labs’ research from an anonymous source.
CTS Labs did not respond to request for comment.
Some third-party security researchers say they’ve confirmed the AMD flaws are legitimate. But that hasn’t stopped some in the community to point out oddities in CTS Labs’ approach.
“The fact that CTS Labs gave AMD less than 24 hours notice before public disclosure is extremely unusual in our industry and suggests an underlying motive,” said Jake Williams, president of Rendition Infosec. “It seems likely that the notice to AMD was done for legal reasons, thinking that some pre-disclosure notification (no matter how short) would offer some legal top cover.”
Udi Yavo, CTO of enSilo, told CyberScoop that the flaws need to go under further scrutiny.
“Based on the publicly available information, we believe that these claims have real legitimacy and certainly merit further analysis by the cybersecurity community and the vendor. However, we believe such publications should be followed by responsible disclosure procedures,” Yavo said.
Dan Guido, CEO of Trail of Bits, tweeted that his company has seen CTS Labs’ proof-of-concept and that the vulnerabilities are legitimate.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
— Dan Guido (@dguido) March 13, 2018
AMD said in an emailed statement that it is working validate the findings.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” the company said.
Update: This article has been updated to clarify the information surrounding Yaron Luk-Zilberman’s ties to NineWells Capital.
Chris Bing and Greg Otto contributed to this report.