CTS Labs Speaks: Why It Blindsided AMD With Ryzenfall And Other Vulnerabilities

[Guest]

CTS Labs told AMD about the vulnerabilities 24 hours before they were revealed to the public. That's clearly not long enough for AMD to address the issues.

CTS Labs Speaks: Why It Blindsided AMD With Ryzenfall And Other Vulnerabilities : Read more

 

[Math Geek]

sounds to to me like this new CTS Labs needed a way to get their name on the map. so when the chance came they made as big of a splash as they could despite the norms that exist for this sort of thing.

they only have to do it this way once, now everyone knows who they are so mission accomplished. now they can follow the standards and enjoy the fact people actually know who they are now.

that is unless they just decide to be unethical and push things into the public eye faster than it should be.

 

[philipemaciel]

Fishy.

 

[plateLunch]

If it's any consolation to anyone, it doesn't look like the big stock traders are taking the CTS report very seriously. Outside of the short squeeze yesterday, price action looks pretty normal. My guess is Viceroy and the gang haven't gotten anywhere close to the reaction they wanted.

 

[Garrek99]

Ego and pride seem to be the motivating factors here.
What kind of reasoning is "well, they wouldn't be able to fix it in months so we are going to drop a bomb now".
It's stupid and irresponsible. Now everyone is going to be looking for ways to exploit the vulnerabilities and we all will stand to be victims of cyber attacks.
Thanks CTS!

 

[tm.arduino]

@Math Geek
Which name? "Flexigard", "Catenoid" or "CTS Labs"?
They had to change their name after being outed as the authors of the "CrowdScores" adware/virus.

https://imgur.com/a/2cV3k

 

[bjameson]

I think the author forgot that these are flaws rather than vulnerabilities. The attacker must already have admin access or signed digital certificated before being able to hack the server.

Like in the analogy provided everywhere, you gave the burglar your keys, then the burglar set-up a web cam inside your house. The burglar could have already taken everthing inside the house and run but CTS Labs focused on the burglar setting up the web cams to monitor what is going on inside the house.

 

[lucamanliodelisi]

I think the press should stop talking about this hoax. How can you claim something is a vulnerability when you have to physically be in contact with the machine in order to make it happen? Or even have to flash a custom BIOS? LOL guys, I am guilty as well of writing about it (but views are views) but let these clowns fall into oblivion: the place that they truly deserve. It was just a bad move in order to try and bank in with stock prices.

 

[redgarl]

Why is toms giving credibility to a firm with absolutely none whatsoever, true or not. These guys needs to be sued.

 

[danaj525]

The fact that Tom's hardware doesn't even reshearch this is pretty sad. First and foremost these flaws are the same flaws we've had since the 90s which you can find on Twitter by tech bits I believe. Oh and the fact that the guy you talked to is a CEO of a f-ing hedge fund company. So if any of you would like to give me your admin rights so I can have your system fill free to do so because that's what it take.

Shame on you Tom's hardware!

 

[abundantcores]

Toms Hardware: your conclusion, i quote.

"Altogether, it seems that AMD customers may be justified in worrying about these vulnerabilities. If CTS Labs' description of them is accurate, they are remotely exploitable flaws that could allow attackers to install persistent malware in the deepest recesses of a system. That puts consumers at risk, and it could also undermine businesses' secure networks simply because they rely on Ryzen or EPYC processors"

Are you crazy? did you even bother to look at how CTS Labs hacked into these system before you made that insane conclusion? they flashed a hacked BIOS onto the system to disable the CPU's security features, if you allow some one to flash a dodgy BIOS onto your PC then the fault is with you, not AMD, good grief what is wrong with you people? is this the quality of your journalism because its absolutely atrocious. this site is nothing more than a low brow click farm.

 

[turkey3_scratch]

Are you crazy? did you even bother to look at how CTS Labs hacked into these system before you made that insane conclusion? they flashed a hacked BIOS onto the system to disable the CPU's security features

Not according to the article.

The disclosure process itself also raised questions. Though we were told AMD, Trail of Bits, and others were given proofs of concept and instructions for how to exploit the vulnerabilities, that information was not released to the general public. Luk-Zilberman and Li On said that was because the flaws are "practical" and "fit well in the different scenarios and stages of a cyber attack." In other words, they don't want to enable those attacks by revealing too much. That, of course, creates a catch-22 of credibility, because with the details under wraps, most of us in the media (not to mention the curious public) can't examine and evaluate the findings and allegations for ourselves. And because CTS Labs is a new company with no track record to speak of, we can't simply give them the benefit of the doubt.

 

[JamesSneed]

There reasons for giving one day notice are just lame and frankly I believe they are lying. At least give AMD time have a response formulated which one would assume would take a couple weeks to evaluate each of the thirteen variants.

Also they acted like the freaking world was going to end when every one of these require elevated privileges so these are just secondary hacks on top of a primary hack. Sure if they turn out to be real AMD has some work to do but honestly its not going to be near as dramatic as they lead everyone to believe.

 

[toadhammer]

So, "[CTS] discussed the vulnerabilities with manufacturers and other security experts" before deciding to announce after merely 24 hours, but "told AMD about the vulnerabilities just 24 hours before they were revealed to the public."

Which to me reads as either they really didn't discuss it with anybody prior to a day ago, or they discussed it in some detail with anybody ("manufacturers") other than AMD.

Yeah, no. Either scenario screams that this is clearly someone who has no real interest in working with the product owner to get anything fixed. So they have an axe to grind, a buck to make, or want some fame.

 

[steve15180]

They left out that Trail o Bits was paid $16,000 by CTS for their "time". At least according to Reuters. In addition, Viceroy Research, a stock short selling firm,
posted a 25 page report stating "AMD should be worth $0, and will file chapter 11"
because of this. And gee, it was put out almost at the same time as the CTS report.
I can put together a 25 page research paper in an hour or less. Well, maybe not.

 

[moejj]

What is CTS's relationship with Intel?

 

[techy1966]

Yep the timing of this just seems all to well timed being that AMD is about to release refreshed Ryzen+ CPU in 3-4 weeks from now. Also the companies tactics are being called out because of the way they did the whole thing. Their web site is provided by Go Daddy. Their video of their Offices is some pictured taken off of the internet and then green screened to make it look like they are a huge company hell even their Logo is stolen from someone else's logo and they slithtly changed it to suit their own needs if you want proof just go to youtube and watch GN's video on this topic it will open eye's for sure. There are just way to many red flags to take this as nothing more than a direct attack on AMD and nothing more.

To exploit these claimed flaws you have to have admin/root access to the host system. As other security experts have already pointed out if a hacker gets that on any system whether it is AMD or Intel or even ARM for that matter it is already way to late and your system could become toast. So with that said yep that right these same exploits could happen on either AMD or Intel or any other system that has been hacked for root access not just AMD alone but that part of it they seem to like to leave out of the information packet. Speaking of that information packet it is written to be very vague as in they seem to not actually know what the heck they are talking about and are trying to use scare tactics and raise a huge stink. I am not sure if they are trying to make a name for them selves or someone paid them to attack AMD directly I am not sure yet. All I do know is my next CPU will be AMD Ryzen I know my system will be just as secure as it would be on Intel platform probably even more so. Then again no system is really secure anyway when you expose it to the internet whether it be AMD or Intel or even Android or IOS they all can be hacked and fall to whatever the hackers decide to do to it you just got to hope for the best and continue living life and not worry about the little things like this.

 

[dkulprit]

More than fishy. The company they partnered with has a financial stake in this, and the "vulnerabilities" that they are talking about all require elevated access with local admin, and access to the PC. These exact same "vulnerabilities" could be taken advantage of on an Intel machine. You have to upload a new bios. So unless someone has physical access to your machine with elevated user credentials or you give them access it won't do anything. They're using ad hominem attacks against the company, not the technology through the entire article. This is a blatant attempt at trying to influence the stock market and nothing else. I think the FTC needs to investigate.

Disclosure: I'm an Intel guy through and through, only ever built one AMD machine for myself, but I do like healthy competition and the new Ryzen chips are nice. AMD finally comes through and this happens. Luckily most tech media has seem right through this, but non-tech hasn't.

 

[Giroro]

CTS claims they talked to manufacturers. Which manufacturers? Because it clearly wasn't AMD.

 

[jonathanray.williams]

You're welcome. https://youtu.be/ZZ7H1WTqaeo

 

[bridge]

Based on the last two days, it seems like they could be a front for Intel.
-They were founded the same time the Specter/Meltdown flaws were announced to Intel (mid 17).
-They used outside sources to verify flaws (won't mention who).
-They released no technical details on the flaws (as if they don't actually know what the details are).
-Their press release was more like propaganda.
-They announced 13 vulnerabilities at once (they weren't all discovered at once so it was seems like they thought 13 at once would do maximum damage).
-They're six unknown guys out of the country (not Google researchers etc).

So, six guys from another country formed a company to investigate CPU vulnerabilities the same month Intel/Industry people were alerted about Spectra (not publicly) and these six people worked with outside resources to verify their own work supposedly, (Intel has a huge Israel presence btw) and then you know the rest. Just saying...

 

[valeman2012]

CTS Labs release security flaws to public less than 24 hours, instead letting have some time to verfiy these "Claimed" 13 Security Flaws, CTS Lab has put many computer users and companies in danger cause of their negligence.

Trail of Bits CEO Dan Guido on twitter, security researchers repeatedly ask them show proof, however,. no even 1 bit was given.

and those idiots users who made repeated comments that Intel is part of this. Impossible, There no way AMD will beat Intel financially or in stocks for 100 years.

Mainly I am looking at CTS Labs illegal activity on making money.

 

[DrakeFS]

"Like in the analogy provided everywhere, you gave the burglar your keys, then the burglar set-up a web cam inside your house. The burglar could have already taken everthing inside the house and run but CTS Labs focused on the burglar setting up the web cams to monitor what is going on inside the house."

Depending on where the vulnerability lies, it could be more akin to a state actor setting up webcams in your house right before you move in. It has not been made clear to me that the CPU itself is compromised or if the Motherboard has to be compromised to get around the CPU's security blackbox.

 

[lothear]

Its a libelous nothing burger to damage AMD rep.
how a group of 6 randos can get so much free publicity is ridiculous.

 

[valeman2012]

SSL (HTTPS) protection on their site, what is this?