Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws within its products. If these security flaws exist, it’s critically important AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we’d be remiss if we didn’t note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.
With Spectre and Meltdown, an early disclosure spilled the beans about a week earlier than Intel, AMD, ARM, and Google had collectively planned. All of the companies in question had been aware of Spectre and Meltdown since June (meaning, for months) and had been working on fixes throughout that time. Google, in fact, had given the various hardware companies an extended deadline to get fixes ready before disclosing the existence of the bugs. That’s standard operating procedure in security disclosures; vendors are typically given at least a 90-day window to implement solutions. But in this case, AMD was notified a day ahead of the disclosure by an Israeli firm, CTS-Labs.
CTS-Labs has hired a PR firm to handle press inquiries and its website, AMDFlaws.com, doesn’t exactly follow typical disclosure methodology. In fact, the text of the site absolutely drips with scareism, with quotes like:
Under the section for “How long until a fix is available?” the site states:
If you want to know how long it’s going to take to fix a security flaw, you typically ask the company in question after telling them you’ve found one. This just isn’t how security researchers disclose product flaws. Compare the language above from Google’s own work on Meltdown and Spectre, where it details how the attacks work, links to actual, formal white papers that detail how these attacks work, and then goes into an in-depth breakdown of the attacks with code samples and examples.
CTS-Labs website and white paper completely lack this in-depth technical discussion, but the site is stuffed with pretty infographics and visual designs depicting which AMD products are affected by these issues. It’s exactly the kind of thing you might create if you were more interested in launching a PR blitz as opposed to a security notification.
AMD was given so little notice, it can’t even state if the attacks are valid or not. The company’s statement reads: “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
Good security firms don’t put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don’t engage in rampant scareism. Good security firms don’t use websites like “AMDFlaws” to communicate technical information, any more than they’d use “IntelSecuritySucks” to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context.
The reason good security firms don’t do these things is because good security firms are more concerned with finding and fixing problems than they are with publicity. When Embedi found recent flaws in the Intel Management Engine and F-Secure discovered problems within Intel’s Active Management Technology, they emphasized communicating the situation clearly and concisely (F-Secure’s blog post does have a touch of hyperbole, but doesn’t approach what CTS-Labs is doing here).
We aren’t the only site to notice. There’s a notification on CTS-Labs site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the manner in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated.
First read of the AMDFLAWS whitepaper (no real technical details given) is: “over-hyped beyond belief”.
This is a whitepaper worthy of an ICO.
And yes, that is meant to be an insult.
— Arrigo Triulzi (@cynicalsecurity) March 13, 2018
If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor or a company looking to make a financial killing by shorting stock than a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.
It’s entirely possible that CTS-Labs is a relatively new company comprised of researchers who decided to debut with a splash and sacrificed the best practices of security disclosures to do it. It’s also possible it isn’t. The company has done itself no favors with these shenanigans.
CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it’s a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page “obituary” for AMD based on this data in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this “report.”
We stand by what we said regarding the flaws themselves — we’ll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. denounces, in the strongest possible terms, this scheme’s apparent perversion of the security flaw disclosure process.