Everything Surrounding These New AMD Security Allegations Reeks of a Hit Job

Everything Surrounding These New AMD Security Allegations Reeks of a Hit Job

Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws within its products. If these security flaws exist, it’s critically important AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we’d be remiss if we didn’t note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.

With Spectre and Meltdown, an early disclosure spilled the beans about a week earlier than Intel, AMD, ARM, and Google had collectively planned. All of the companies in question had been aware of Spectre and Meltdown since June (meaning, for months) and had been working on fixes throughout that time. Google, in fact, had given the various hardware companies an extended deadline to get fixes ready before disclosing the existence of the bugs. That’s standard operating procedure in security disclosures; vendors are typically given at least a 90-day window to implement solutions. But in this case, AMD was notified a day ahead of the disclosure by an Israeli firm, CTS-Labs.

CTS-Labs has hired a PR firm to handle press inquiries and its website, AMDFlaws.com, doesn’t exactly follow typical disclosure methodology. In fact, the text of the site absolutely drips with scareism, with quotes like:

Spectre affects every Intel CPU manufactured for over two decades, yet Google managed to avoid this kind of hyperbolic claptrap when it disclosed both it and Meltdown.
Spectre affects every Intel CPU manufactured for over two decades, yet Google managed to avoid this kind of hyperbolic claptrap when it disclosed both it and Meltdown.

Under the section for “How long until a fix is available?” the site states:

It’s hard to estimate a time to resolution when you haven’t even spoken to the company yet.
It’s hard to estimate a time to resolution when you haven’t even spoken to the company yet.

If you want to know how long it’s going to take to fix a security flaw, you typically ask the company in question after telling them you’ve found one. This just isn’t how security researchers disclose product flaws. Compare the language above from Google’s own work on Meltdown and Spectre, where it details how the attacks work, links to actual, formal white papers that detail how these attacks work, and then goes into an in-depth breakdown of the attacks with code samples and examples.

CTS-Labs website and white paper completely lack this in-depth technical discussion, but the site is stuffed with pretty infographics and visual designs depicting which AMD products are affected by these issues. It’s exactly the kind of thing you might create if you were more interested in launching a PR blitz as opposed to a security notification.

AMD was given so little notice, it can’t even state if the attacks are valid or not. The company’s statement reads: “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”

Good security firms don’t put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don’t engage in rampant scareism. Good security firms don’t use websites like “AMDFlaws” to communicate technical information, any more than they’d use “IntelSecuritySucks” to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context.

The reason good security firms don’t do these things is because good security firms are more concerned with finding and fixing problems than they are with publicity. When Embedi found recent flaws in the Intel Management Engine and F-Secure discovered problems within Intel’s Active Management Technology, they emphasized communicating the situation clearly and concisely (F-Secure’s blog post does have a touch of hyperbole, but doesn’t approach what CTS-Labs is doing here).

We aren’t the only site to notice. There’s a notification on CTS-Labs site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the manner in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated.

First read of the AMDFLAWS whitepaper (no real technical details given) is: “over-hyped beyond belief”.

This is a whitepaper worthy of an ICO.

And yes, that is meant to be an insult.

— Arrigo Triulzi (@cynicalsecurity) March 13, 2018

If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor or a company looking to make a financial killing by shorting stock than a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.

It’s entirely possible that CTS-Labs is a relatively new company comprised of researchers who decided to debut with a splash and sacrificed the best practices of security disclosures to do it. It’s also possible it isn’t. The company has done itself no favors with these shenanigans.


CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it’s a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page “obituary” for AMD based on this data in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this “report.”

We stand by what we said regarding the flaws themselves — we’ll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. denounces, in the strongest possible terms, this scheme’s apparent perversion of the security flaw disclosure process.

Continue reading

New macOS Security Bug Unlocks App Store With Any Password

Apple's macOS High Sierra has a flaw in the latest version that allows admin users to bypass a locked app store by entering any password they like.

Researchers Found Another Major Security Flaw in Intel CPUs

Security researchers have found another flaw in Intel CPUs — this time related to Intel Active Management Technology. Once again, this flaw can be leveraged to take complete control of a system, regardless of any security measures the user might employ.

Lawmakers Urge AT&T to Cut Ties with Huawei, Citing National Security Concerns

It's been several years since the last dust-up, but US lawmakers and regulators are still sounding the alarm about any cooperation with Huawei.

Most Android Security Scares Are Bullshit

Many of the Android malware stories we see making the rounds end up amounting to nothing because of the way the platform operates these days. While Android malware is definitely out there, you usually don't need to panic.