CTS Labs Speaks: Why It Blindsided AMD With Ryzenfall And Other Vulnerabilities

This whole CTS Labs and AMD vulnerability thing has left me with a very sour taste in my mouth. That is not because of the flaws but because of how many big tech report sites, including Toms, put this information in their articles.

The whole way in how CTS labs presented this and the limited content given should have raised so many red flags that Toms should have done some research first and added their suspicions to the first news post. Now this second news post with the response from CTS labs is not making this any better.

While I think it's OK for Toms to post the CTS response, Toms should again make clear that the response is still not even close to enough to make the suspicions any less.

The CTS response is again total crap and should raise more red flags:
CTS says they discussed with other security firms and that led them to believe that AMD could not fix these vulnerabilities in 90 days so they gave them 24 hours.
Wait what??? If anyone is able to give them an estimate it would be AMD not other security firms. Also there are 13 vulnerabilities, maybe AMD could have fixed a few in 90 days, that would still have helped. And come on, 24 hours for AMD, they can barely investigate the flaws in that time, let alone give a good response.

So no, the CTS response does not give them any more credibility and still makes them bad people with a double agenda. Their approach is just bad and stays bad.

So Toms, I hope you learn from this bad journalism, as this is below standard!
 
Last time AMD shamefully denied it had vulnerabilities in its chips like Intel and here we are now with AMD being called out and the fanbois are like this is fishy. About time they got called out for it like this. No more excuses.
 
Cannot wait until AMD releases a patch about it and says it was nothing... so Toms and all the other worthless journalism talent get slammed over incompetence. As a journalist, you are required to INVESTIGATE your stories.

Even my bank didn't release that info to me... THE INVESTOR in AMD... because they know it is highly litigable.
 
All the conspiracy theorists are just that more than likely. I doubt this was done intentionally to try and hurt AMD. The more likely scenario is that this "new" company is just trying to make a name for itself and decided to get the information out there before another company could get the news out first. It's no different than normal news media being more concerned with being the first to air a story and not always being 100% accurate or considering the impact to the person or company they are reporting on.

It's definitely bad form and shame on CTS for not allowing AMD time to prepare a response or even validate their claims.
 
I think this is just BS. Either they work for Intel/Nvidia or they are dropping the ball big time... This is because the vulnerabilities actually affect the ARM processor that is put into the die. This should be the scariest part since we all have ARM processors in our phones. Yet we're told it's an AMD problem and no word if this vulnerability also affects phones with ARM processors. Either bullshit or dropping the ball.
 
Seems to me this is either BS or they are dropping the ball. It was said by them that it actually affects the ARM processor that's included in the AMD die. Yet they just say it's an AMD problem. Also if this ARM processor is affected then are the ones in our phones affected? NO word on that.. Just seems like a Nvidia/Intel jive to me.
 

As Steve15180 said below.

"They left out that Trail of Bits was paid $16,000 by CTS for their "time". At least according to Reuters. In addition, Viceroy Research, a stock short selling firm, posted a 25 page report stating "AMD should be worth $0, and will file chapter 11" because of this. And gee, it was put out almost at the same time as the CTS report. I can put together a 25 page research paper in an hour or less. Well, maybe not."

Toms Hardware need to be careful here because this looks like it could end up in court and if toms keeps being selective with its reported truths and pushing the same narrative they may well find themselves having to answer some difficult questions..
Everyone but toms are of the mind that this is fraud.
 
1. it IS a hitpiece, and I am sure that Intel or other chipmakers paid to have this produced.
2. to take advantage of these "vulnerabilities", admin access is required, so the machine is already compromised.
3. Smells like bullshit, looks like bullshit, tastes like bullshit...must be bullshit!
 
Pretty sure this is pure BS. All the other comments are pretty spot on - either the latest act of corporate espionage by Intel or stock manipulation. 1 day notice, 1 "independent" 3rd party verification, the company came into existence well after Ryzen was obviously successful, and they even named one of the exploits "Ryzenfall." If you can't see through that on-the-nose reference, you no think good
 
Check out Gamers Nexus for a fuller take on this hit piece by CTS. It requires physical access to the machine as well as administrative privileges. There also seems to be some profit motive on the part of CTS. Read their disclaimer.
 

Security researchers repeatedly asked them to release their proof of concepts, but they kept refusing. Moving forwards that these 13 flaws are bogus. Mostly doing some illegal activity from CTS-Lab...just look at their site certificates and site protection.

They must be collecting some sort of data for going to their sites.


Those idiot users who made repeated comments that Intel is part of this. Not possible. There's no way AMD will beat Intel financially or in stocks for 100 years.
 
The fact that Toms publishes this garbage from a no name security firm is sad indeed. Poor journalistic garbage. I expect higher standards from you Tom.
 
Why media is spending time on a:

No address, no land line, 4 persons in Israel set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!

The 4 nobodies somewhere in Israel manipulated media and got the publicity and economic interest.
 
The only thing that's unfair is that they get away with screwing over the entire planet's consumers and then get a 90 day warning which they often exceed in attempting to patch their broken ass product. Everybody knows they're on the NSA payroll putting flaws into everything. It's about time they start getting called on their shit with no warning
 
Strange! Intel chips are designed in Israel and CTS is in Israel. Sounds like a way to promote Intel and sink AMD.
 
I dunno - it seems exceptionally fishy to me. On the other hand, I think the speculation that Intel and/or Nvidia are behind this is also suspect.

Is somebody hoping to manipulate stock prices with this? I'd guess that the answer is yes, even if it's done in a sloppy way. Do I think it's really Intel or Nvidia? I'm highly doubtful. It seems like they have too much dominance in their respective markets to be all that concerned with this.

Likewise, could it be nothing more than just a brash attempt for some new company to get their name out? Possible - but again, highly sloppy, unless they're going for the "it doesn't matter if they're talking good about us or bad, as long as they're talking about us" sort of publicity.
 
You've got to be kidding me -- They "bucked the industry-standard 90-day response time" because Ryzen 2 releases in one month!! Who says they've only just now concluded the release package this week, rather than secretly holding it back "just the right moment"?

Brand new company? First discovery? 13 vulnerabilities? This is a deliberate malicious hack-job strategically executed to tank the Zen+ release.

TH, you're smart enough to figure this out!!!
 
We spoke with CTS Labs...
Did you ask them about why they filmed their video in front of a green screen, then edited it to insert stock photography as backgrounds to make them look like they were in actual computer labs, instead of simply filming the video in their labs? Or do they not actually have any labs, or even an office for that matter?

The company told us that it consulted with other security experts and manufacturers about the issue, provided them with proofs of concept and tutorials for exploiting the vulnerabilities, and waited for their responses before preparing the flaws for public disclosure.
How very convenient. It's a good thing that they provided all these random "security experts" with tools to exploit the flaws well in advance. And since AMD were only sent a notice the day before the public announcement, it's curious how they weren't among the "manufacturers" who they consulted with about it. I'm guessing they also took the opportunity to contact certain stock traders to provide them with notice of their surprise announcement in exchange for a "small consultation fee" as well.

Seeing as this company was just formed recently, doesn't seem to have an actual place of business, and released news about this supposed exploit in such an unconventional manner, it seems likely that the entire reason the company was formed was to release this information as a sort of targeted attack against AMD, either for stock manipulation or other purposes. The hardware flaw might potentially be real, and may or may not be of actual concern, but there's definitely something extremely shifty going on with these "researchers".
 