CTS Labs defends its public disclosure of AMD vulnerabilities

CTS Labs has received scrutiny this week for its decision to publicize the flaws it claims to have located in AMD's chipsets and Secure Processor architecture rather than pursue the traditional responsible vulnerability disclosure model. Security researchers typically contact the manufacturer of the vulnerable technology and give the company or companies 30-90 days to create and distribute fixes. In a public letter, CTS Labs' CTO Ilia Luk-Zilberman describes how he takes issue with the traditional model, and how the group of researchers decided the best course of action was to make the public immediately aware of the alleged flaws but withhold the technical details.

Luk-Zilberman says his group was researching security problems with ASMedia's ASM1042, ASM1142, and ASM1143 USB 3.0 and USB 3.1 controller chips when AMD announced that it would work closely with ASMedia on chipsets for its AM4 platform. CTS Labs then turned its attention to AMD's chipsets and Secure Processor, and according to Luk-Zilberman, the group discovered new vulnerabilities about "once a week."

The author then describes CTS' motivations to publish its findings immediately rather than providing ASMedia and AMD several weeks to work on fixing the problems. His primary argument is that public disclosure forces the vendor to begin work on mitigating the flaws immediately. Luk-Zilberman concludes the letter by saying that his group could have provided its proof-of-concept code to more than one party (in this case, Dan Guido from Trail of Bits) before making its claims public.

Joel Hruska at ExtremeTech took issue with Luk-Zilberman's methods, noting that many Intel motherboards and standalone cards produced over the last six years have been host to the same ASMedia USB controllers that CTS Labs claims to have exploited. Hruska points out that the researchers didn't publish an Intel-specific advisory about those parts. Furthermore, he notes that CTS chose to create a website called amdflaws.com and not asmediaflaws.com or intelflaws.com, even though motherboards for both chipmakers' CPUs could share some of the same security issues.

In our view, the responsible-disclosure model isn't perfect, but it has been shown time and again to offer end users the highest possible level of protection from security flaws discovered after products are already in the field. CTS Labs' methods may hasten AMD's efforts to correct the problems, but they could also result in public exploits before the company is able to create and distribute an effective fix. The appearance of coordination between CTS Labs and suspected short-seller Viceroy Research also casts suspicion on the group's motives and methods.

Comments closed
    • kuttan
    • 2 years ago

    “CTS executives told Reuters that they had shared their
    findings with some clients who pay the firm for proprietary research on
    vulnerabilities in computer hardware. They declined to identify their
    clients or say when they had provided them with data on the
    vulnerability.

    “I can’t really talk about my clients,”
    said Yaron Luk-Zilberman, chief financial officer at the firm that was
    founded in January 2017.”
    https://www.reuters.com/art... Anyone with a brain knows who the client was :P

    • ronch
    • 2 years ago

    No matter what they say the fact remains that they’re very unethical, very unprofessional and very very suspicious. Oh, they’re especially shady too. No, this isn’t about public concern because if it was about public concern they would’ve kept their mouth shut while AMD fixes the issues and hoped for ‘security through obscurity’ while the fixes are being worked on. Sorry, Crash The Stock, there’s nothing morally wrong about the old method. There’s nothing morally wrong about how chips sometimes have security flaws in them because these things really happen. However, there’s something seriously morally wrong about how you went about this. You can’t fool us. That’s just a big no-no in the industry. For all we know, the hackers are now scrambling to hack Ryzen machines because they now know about this because you can’t keep your trap shut.

    • wownwow
    • 2 years ago

    Before defending it, have a business address and business land lines!

    No address, no land line, 4 con men “SOMEWHERE in Israel” set up after June 2017 (after Intel’s “Meltdown inside”), …, but just a website ($4.95/month) and a mobile number +1-585-233-0321!

    From CTS (Cheap Technical Scammers?):

    “The report and all statements contained herein are opinions of CTS and are NOT STATEMENTS OF FACT.”

    “you are advised that we may have, either directly or indirectly, AN ECONOMIC INTEREST in the performance of THE SECURITIES OF THE COMPANIES whose products are the subject of our reports.”

    From the person who reviewed their findings for $16K:

    “For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said.”

    For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!

    The 4 nobody con men “SOMEWHERE in Israel” got the publicity and economic interest, and one person got $16K.

    The mission of having media generate the FUD has been accomplished!

      • ronch
      • 2 years ago

      Yep. These guys are a bunch of thugs.

      • Usacomp2k3
      • 2 years ago

      It’s more like the car thief who takes the car to get the garage door opener.

        • derFunkenstein
        • 2 years ago

        You’re saying my leaf blower and air compressor are in danger?

    • Rza79
    • 2 years ago

    Apparently to exploit these bugs, you need physical and root access to the system. Also a hacked BIOS needs to be flashed on the computer.

    So how can you even be hacked in real life? I would imagine that it would basically require a team like the ‘mission impossible’-team to get the job done.

      • chuckula
      • 2 years ago

      Physical access is not required but root access generally is.

        • Rza79
        • 2 years ago

        How would you do a BIOS update on a consumer motherboard without physical access to the machine? Not only that, you need to know which motherboard beforehand.

      • jihadjoe
      • 2 years ago

      Something like Spectre to penetrate the system and get root, then put the CTS stuff to work to make that root persistent.

    • blastdoor
    • 2 years ago

    People who make a living off of security vulnerabilities in a way that protects the vulnerable might rightly be called nice things like “guardians” or “protectors” or maybe even “heroes.”

    But people who make a living off of security vulnerabilities in a way that *harms* the vulnerable are rightly called something else — “criminals.”

    • derFunkenstein
    • 2 years ago

    > His primary argument is that public disclosure forces the vendor to begin work on mitigating the flaws immediately.

    Yes, because Intel, Google, et al. were totally ignoring Meltdown and Spectre after it was reported to them but prior to the public announcement. What a crock.

    • rechicero
    • 2 years ago

    As I said in last news, they keep extending this narrative. They really need the stock to fall… and they’ll keep trying until they sold them or they reach the deadline for the short selling.

    • JosiahBradley
    • 2 years ago

    Can we please stop treating this company as legitimate and giving them their 15 minutes of fame? This is disgrace all around. STOP SPREADING FAKE NEWS.

      • w76
      • 2 years ago

      It’s not fake news, the flaws are probably real. Over-hyped? Yeah, probably, but not fake.

        • utmode
        • 2 years ago

        It is fake news :
        http://www.guru3d.com/news-story/amd-security-vulnerability-%E2%80%93-the-day-after-seems-financially-motivated.html

          • chuckula
          • 2 years ago

          That just says the motivations behind CTS are suspect, which is true.
          But it’s not concrete proof (yet) that the bugs don’t exist. It’s truly fake if the alleged bugs were just hoaxes to get media attention and make money.

          • thedosbox
          • 2 years ago

          FFS, the motivations behind *how* these were disclosed are a separate issue from whether they are *real* vulnerabilities.

          Nobody sane is claiming they are fake vulnerabilities, and neither does that article.

      • Klimax
      • 2 years ago

      Do you have evidence that those flaws don’t exist? If not, how can you then claim it is fake news?

    • leor
    • 2 years ago

    I have a few AMD stock shares, looking at their charts this week, doesn’t look like this had any impact that can’t be explained by normal market fluctuation.

      • cynan
      • 2 years ago

      Hard to say, but in general, I’d have to agree. Not least of which because the day this came to light (March 13) AMD shares had a modest 3.5% positive spike while related chip companies did not. Perhaps there has been a more subtle negative long-term impact, however. Time will tell.

        • flptrnkng
        • 2 years ago

        The release of this security exploit was to be the trigger for some short covering (at much lower prices).

        It’s not surprising if there was some modest buy pressure when all hell didn’t break loose.

      • Klimax
      • 2 years ago

      Maybe shareholders are waiting for confirmation of flaws before jumping. (Sane thing to do)

    • Chrispy_
    • 2 years ago

    Their reasoning for going public rather than selling the discoveries to AMD smells fishier than a two-week old beached shark carcass. Everything complex has vulnerabilities but there are good ways and bad ways to deal with them.

    I’m with Ludi on this; They’re either acting in their own self-interests for exposure or to short-sell AMD stock, and like Joel Hruska, it seems their goal is specifically to hurt AMD despite the issue not being AMD-exclusive.

    • ludi
    • 2 years ago

    Dig deeper, CTS.

    Seems clear enough they either wanted to make a name for their new firm by announcing the exploits before anyone else did, or were playing into the game of a short seller and needed a bombshell that (they thought) would distract everyone from staring too closely at the Potemkin village they had just erected to support it.

    Either way, not very professional, nor respectful of the broader security community.

      • DragonDaddyBear
      • 2 years ago

      Totally agree. The worst part is the users of AMD hardware are the ones who would potentially suffer from the exploitation of the vulnerabilities before AMD could develop a proper fix.

      • gerryg
      • 2 years ago

      Oh, they made a name for themselves alright. I hope they don’t last very long after this.

      • w76
      • 2 years ago

      Right, I don’t buy the Viceroy Research conspiracy theory (AMD has plenty of groups that think it’s overvalued) for several reasons. I think Occam’s Razor is, if you look at their staff, that this was young guys trying to get their name out there a bit and, lacking seasoned judgment, made a rash move.

      Hopefully they learn and everyone moves on with their life.

        • rechicero
        • 2 years ago

        Remember Viceroy published a whole paper about AMD called “The Obituary” using these issues, like 2 hours after being made public. Use the Razor: What’s simpler? That Viceroy read the news, decided to short sell AMD, prepared the doc, lent shares, sold them and published the paper in 2-3 hours… Or that they had previous knowledge? And if there are any doubts, remember the Legal Disclaimer of CTS about possible positions in AMD stock…

          • derFunkenstein
          • 2 years ago

          Exactly. They’re in on this together. No way are the two not related.

      • NovusBogus
      • 2 years ago

      If I had the time and desire to do freelance vulnerability research, I’d be taking door number two. Deliciously evil, but much less authoritarian-minded than simply selling it to an intelligence agency.

    • thedosbox
    • 2 years ago

    Not to dispute the validity of the vulnerabilities, but the way this was disclosed looks sketchier and sketchier by the day.

    > many Intel motherboards ... produced over the last six years have been host to the same ASMedia USB controllers

    I believe that was true until Intel's chipsets integrated USB3 support - this was around the Ivy Bridge era? TR's overview of the Z77 chipset highlights it as a feature.

      • DancinJack
      • 2 years ago

      It’s still the case because boardmakers tack on ASMedia chips to add USB ports all the time. Heck, I have one on my top-tier ASUS Z170 board.

        • chuckula
        • 2 years ago

        While the ASMedia USB controllers might very well have flaws, a third-party USB controller that’s only connected to the rest of the system via PCIe lanes from the southbridge is going to be much less likely to let you hijack the system firmware or a secure coprocessor vs. having ASMedia build the entire Southbridge.

        Calling this an “Intel Bug” like Extremetech did is also disingenuous since Intel has nothing to do with the hardware, but calling it an ASMedia bug (that AMD licensed) is closer to the truth.

          • Klyith
          • 2 years ago

          > vs. having ASMedia build the entire Southbridge.

          which is connected to the CPU via 4 standard PCIe lanes, exactly like the other controllers?

          Call it a “southbridge” if you want but there’s no evidence it has any extra privileges security-wise than any other hardware in the system. It’s a fancy USB & SATA controller & PCIe splitter.

        • thedosbox
        • 2 years ago

        Ah, you’re right. My Asrock Z270 doesn’t have one, but I see a lot of Asus and Gigabyte boards do.

      • psuedonymous
      • 2 years ago

      It’s true Intel have had (very good, far better than the ASMedia or Renesas et al. offerings) USB3 controllers built into the PCH for many generations now.

      However, motherboard manufacturers persist in using LESS than are available from the PCH and instead slapping on a crappy 3rd party host controller for no good goddamn reason whatsoever. I don't even mean boards that add a non-Alpine-Ridge USB 3.1 Gen 2 controller, but boards that actually leave disconnected perfectly good USB 3 ports from the PCH in favour of dodgy and issue-prone 3rd party controllers. This has been a massive pain in the arse for VR, where minimisation of latency is paramount, and where a shitty USB 3 controller can cause huge latency spikes (due in part to massive buffers added to make the peak sequential copy bandwidth look really good on the spec sheet, and in part to execrable drivers), even when not using them, because they hang the USB stack if they ever have a device connected to them doing anything whatsoever while the controller and driver twiddle their digital thumbs for vital milliseconds before deciding to do nothing.

      > U MAD?

      YES I INDEED MAD.

        • bthylafh
        • 2 years ago

        u mad?

      • Takeshi7
      • 2 years ago

      My Z97 motherboard has an ASMedia USB 3.0 controller.

        • MOSFET
        • 2 years ago

        and that ASMedia controller has probably met all your USB expectations. (just adding to U Mad Bro)

      • Bauxite
      • 2 years ago

      These are also 3.1 controllers. Even Z370 doesn’t have those natively.

      Anything with Thunderbolt 3 has “Intel USB drivers” and it is good, but those are actually Texas Instruments controllers 😉
