CTS Labs defends its public disclosure of AMD vulnerabilities
CTS Labs has received scrutiny this week for its decision to publicize the flaws it claims to have located in AMD's chipsets and Secure Processor architecture rather than pursue the traditional responsible vulnerability disclosure model. Security researchers typically contact the manufacturer of the vulnerable technology and give the company or companies 30-90 days to create and distribute fixes. In a public letter, CTS Labs' CTO Ilia Luk-Zilberman describes how he takes issue with the traditional model, and how the group of researchers decided the best course of action was to make the public immediately aware of the alleged flaws but withhold the technical details.
Luk-Zilberman says his group was researching security problems with ASMedia's ASM1042, ASM1142, and ASM1143 USB 3.0 and USB 3.1 controller chips when AMD announced that it would work closely with ASMedia on chipsets for its AM4 platform. CTS Labs then turned its attention to AMD's chipsets and Secure Processor, and according to Luk-Zilberman, the group discovered new vulnerabilities about "once a week."
The author then describes CTS' motivations to publish its findings immediately rather than providing ASMedia and AMD several weeks to work on fixing the problems. His primary argument is that public disclosure forces the vendor to begin work on mitigating the flaws immediately. Luk-Zilberman concludes the letter by saying that his group could have provided its proof-of-concept code to more than one party (in this case, Dan Guido from Trail of Bits) before making its claims public.
Joel Hruska at ExtremeTech took issue with Luk-Zilberman's methods, noting that many Intel motherboards and standalone cards produced over the last six years have been host to the same ASMedia USB controllers that CTS Labs claims to have exploited. Hruska points out that the researchers didn't publish an Intel-specific advisory about those parts. Furthermore, he notes that CTS chose to create a website called amdflaws.com and not asmediaflaws.com or intelflaws.com, even though motherboards for both chipmakers' CPUs could share some of the same security issues.
In our view, the responsible-disclosure model isn't perfect, but it's been shown time and again that it offers end-users the highest-possible level of protection from security flaws discovered after products are already in the field. CTS Labs' methods may hasten AMD's efforts to correct problems, but could result in public exploits before the company is able to create and distribute an effective fix. The appearance of coordination between CTS Labs and suspected short-seller Viceroy Research also casts suspicion on the group's motives and methods.