On March 13th, 2018, CTS Labs announced that they had found no less than 13, yes, count them, 13 vulnerabilities in AMD’s (AMD) Ryzen and EPYC architectures. To back up this claim they have had their findings reviewed by not less than ONE, yes, just one, company, Trail of Bits. To further bolster their claim they have produced one, yes, just one, screenshot of one affected machine where the boot code in the bottom left corner was replaced with the number “1337.” These findings caused Viceroy Research, another firm with a questionable reputation, to proclaim in a 25-page report on the matter that:
AMD must cease the sale of Ryzen and EPYC chips in the interest of public safety.
In this article we are going to look at the claimed vulnerabilities, discuss the level of threat these vulnerabilities pose to AMD’s customers, and then take a closer look at who’s behind CTS Labs.
A few months ago Google (NASDAQ:GOOG) (NASDAQ:GOOGL) researchers, in conjunction with independent security researchers, published the Meltdown and Spectre vulnerability research paper. That paper was a pleasure to read: though it was very tough to understand, it was peer reviewed and came with a discussion of methodology and proofs of concept. I wrote an article entitled “Intel And The Meltdown And Spectre Vulnerabilities Explained” discussing these vulnerabilities.
By contrast, CTS’ white paper, which can be found on amdflaws.com and yet is inexplicably hosted by a blank website, safefirmware.com, discusses no methodology at all, and as proof of concept for the vulnerabilities discussed therein offers just one screenshot of a server boot screen with “1337” (hacker slang for LEET, a phonetic shortening of ELITE) added to the bottom right hand corner, purportedly by CTS. Due to the lack of any discussion of methodology or technical details in the white paper, it is impossible to verify the veracity of CTS’ claims. That said, let’s discuss them at face value anyway and see what the worst-case scenario could be.
CTS loudly claims that they have found no less than 13 vulnerabilities, but in actuality they discuss four vulnerabilities with several vectors for each. These are Ryzenfall, Fallout, Chimera and Masterkey. Because so little actual information is provided in the white paper, I will quickly sum up these vulnerabilities here as best as I can.
(Screenshot from CTS’ white paper. This is the one and ONLY proof of their exploit in action. What you see above is the BEST evidence proffered by CTS.)
AMD’s EPYC and Ryzen processors come with a secondary secure processor on board, an ARM Cortex A5. This processor is used for various low-level security features of the CPU. The claimed Masterkey vulnerability would allow arbitrary code execution within the secure processor which would allow an attacker to disable the Secure Encrypted Virtualization feature or bypass the Firmware Trusted Platform Module.
However, in order to exploit this vulnerability the attacker would have to first get access to the computer, then gain root or administrator privileges, and then finally have the ability to flash (update) the BIOS on the computer. With that level of access it’s hard to imagine what an attacker would NOT be able to do on any modern computer system, whether from AMD, Intel (NASDAQ:INTC), or any other company.
Similarly, Ryzenfall targets AMD’s Secure OS, the OS that’s running on the ARM Cortex A5 secure processor. It requires the attacker to have access to the system, administrator or root privileges, and a signed driver with the exploit code inside it.
According to CTS’ white paper:
“Although Secure OS runs inside the Secure Processor’s dedicated ARM Cortex A5 processor, it does make use of the computer’s main memory. When Secure OS starts, it allocates a portion of main memory for its own use and seals it off from the main processor. This area is called Fenced DRAM.”
The vulnerability allows access to this “Fenced DRAM,” which is supposed to be inaccessible to kernel drivers and user programs. This is, in my opinion, a more serious vulnerability. Though actually exploiting it in the wild would entail finding a friendly OEM willing to sign your malicious code and include it in their drivers, this is not entirely outside the realm of possibility.
That said, it is important to note that even CTS’ white paper mentions that AMD has already included a BIOS option to disable the Secure OS feature, as it’s not necessary for regular server or desktop operation. Further, since the ONLY shred of proof was provided in the Masterkey section, it’s not entirely clear if it’s even real. To avoid repeating myself, the same goes for Fallout and Chimera.
Fallout uses the same attack vector of a signed driver as Ryzenfall, but on an EPYC processor and by targeting the boot loader, with identical results and identical dubiousness of the proof of concept.
Chimera is the most serious sounding “vulnerability.” It is described by CTS as:
“An array of hidden manufacturer backdoors inside AMD’s Promontory chipsets. These chipsets are an integral part of all Ryzen and Ryzen Pro workstations.”
CTS bases this bold supposition NOT on actual testing or a proof of concept, but on the fact that they claim to have reviewed the code from AMD’s subcontractor, ASMedia, and AMD’s chipset code and found similarities between the two code bases. ASMedia reused some of their own code while fulfilling a contract for AMD. What a shock!
Further, CTS makes the claim that because ASUS, the parent company of ASMedia, has been fined by the FTC for having insecure routers, yes, not chipsets, but consumer-grade routers, everything ASMedia does simply MUST be vulnerable. Yes, a subsidiary of ASUS with no relationship to its router division must necessarily be tainted by an FTC investigation into a product line completely unrelated to the chipset in question. You can read more about the ASUS FTC settlement here, and judge for yourself if there’s anything to CTS’ claims.
Even Dan Guido, the CEO of Trail of Bits, the one and only company hired by CTS to double check their findings, disputes the validity of Chimera in a tweet to reporters.
(Screenshot from twitter.com.)
Further, ExtremeTech published an article where they show that the same ASMedia chips accused by CTS of housing backdoors are also widely used on ASUS motherboards with Intel chips. So, why is this categorized as an AMD flaw when, if real, it widely affects both AMD and Intel?
Summary of the Vulnerabilities
While some of these vulnerabilities might be real, all of them require an extraordinary level of access to the system. We have consulted our internal technology experts, and we contacted Ilia Luk-Zilberman, the CTO of CTS Labs, to inquire if any of the detailed vulnerabilities could be used from within a virtualized container (VPS). Our own experts believe that NONE of the above mentioned vulnerabilities can be exploited from a VPS. Mr. Zilberman did not respond to our inquiry. This is important because if these vulnerabilities are not exploitable from within a VPS, they should not be a significant concern for large-scale cloud providers.
If Fallout and Ryzenfall are indeed real, hopefully AMD will patch them quickly, as those threaten AMD’s Secure Encrypted Virtualization system. Chimera just looks like nonsense, unless further proof is provided, and Masterkey requires a BIOS flash. If you can flash the BIOS all bets are off, on ALL systems, from ALL CPU vendors.
CTS Labs and Viceroy Research
So now that we talked about the message, let’s shoot the messenger. In this case two of them, CTS Labs and Viceroy Research.
CTS Labs’ approach became immediately suspicious because of the manner and timing of their disclosure. Rather than giving AMD a standard 90-day advance notice adopted by Google, Cisco (NASDAQ:CSCO) and others, or the 200-day-plus notice Google gave Intel, AMD, and others before disclosing Meltdown and Spectre, CTS gave AMD less than a day advance notice.
So, what is CTS Labs? Well, that’s the problem: not much is known about them. We know a few things. For instance, we know that the domain for their main website was registered in June 2017, less than a year ago.
(Screenshot of whois command output in terminal taken by Zynath Capital.)
We also know that even though they are “security researchers,” they are inexplicably incompetent enough not to turn on HTTPS on their own website. We also know that all of the video footage of the two guys running CTS Labs was faked with a green screen.
(Screenshot from Reddit thread by Type-21.)
Finally we know that most of the technical information on their website was directly copied and pasted from “Hardware Threat Landscape and Good Practice Guide.”
(Screenshot of cts-labs.com and Hardware Threat Landscape and Good Practice Guide open side by side with identical text highlighted, by Zynath Capital.)
I can keep going, but by now it should be evident that CTS Labs generally does not inspire trust. So instead I’ll just finish this with a quote from Linus Torvalds, the creator of the Linux kernel, on the subject of the CTS Labs report:
I refuse to link to that garbage. But yes, it looks more like stock manipulation than a security advisory to me.
Now that we talked about CTS Labs a little, let’s look at Viceroy Research, the most vocal investment company that immediately proclaimed AMD is as good as bankrupt after CTS Labs’ report came out. There’s no stated connection between CTS Labs and Viceroy Research, but the timing of the disclosure by CTS and the report published by Viceroy raises some questions.
Almost immediately after the publication of the CTS report, the independent Viceroy Research analysts managed to read, understand, verify, write, proofread, style, and publish, with graphics and all, a completely independent 25-page report on AMD, proclaiming that AMD is as good as bankrupt. Yes, they managed to do all of that high-quality, completely independent work immediately after the CTS report came out. Either they are some of the best analysts in the world with a telepathic connection to their word processor, or perhaps they had an advance copy of the CTS white paper. You be the judge.
UPDATE: John Perring from Viceroy Research confirmed that he received a copy of the report via an anonymous source before it was widely published.
We attempted to contact Jessica Schaefer from Bevel PR, the PR firm listed on the vulnerability disclosure website, only to be greeted by a full voicemail inbox. We also attempted to contact both Bevel PR and CTS Labs by email to inquire about the relationship between CTS and Viceroy, and provided them with ample time to respond. They did not respond to our inquiry.
So, let’s look at Viceroy Research. According to MoneyWeb Viceroy Research is headed by a 44-year-old British citizen and ex-social worker, John Fraser Perring, in conjunction with two 23-year-old Australian citizens, Gabriel Bernarde and Aidan Lau. I wonder which of these guys is so fast at typing. Viceroy Research was the group responsible for the uncovering of the Steinhoff accounting scandal, about which you can read more here.
After successfully taking down Steinhoff, they tried to manufacture controversy around Capitec Bank, a fast-growing South African bank. This time it didn’t work out so well. The Capitec stock price dropped briefly and quickly recovered when the South African Reserve Bank made a statement that Capitec’s business is sound. Just a week ago Viceroy attempted to do the same thing with a German company called ProSieben, also with mixed success, and in alleged breach of German securities laws, according to BaFin (similar to the SEC).
Now, it appears they are going after AMD, though it looks to be another unsuccessful attack.
After the announcement of this news, AMD stock generally traded sideways with slight downward movement, not uncommon for AMD in general. Hopefully this article showed you that CTS’ report is largely nonsense and a fabrication, with perhaps a small kernel of truth hidden somewhere in the middle. If the vulnerabilities are confirmed by AMD, they are likely to be easily fixed by software patches. If you are long AMD, stay long. If you are looking for an entry point, this might be a good opportunity to use this fake news to your advantage. AMD is a company with a bright future if it continues to execute well, and we see them hitting $20 per share by the end of 2018.
Disclosure: I am/we are long AMD.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.