What is the Alleged Exploit?
There are four categories of exploit listed, named “Masterkey,” “Ryzenfall,” “Fallout,” and “Chimera.” Each has a section in the whitepaper explaining the concept of the vulnerability, a list of affected processors, potential consequences, and “mitigations,” although this last section is usually left empty. Three of the exploits require that “an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed,” while Masterkey “requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.” This would theoretically be done remotely on a system that supports BIOS flashing from within the OS. One of the experts we contacted pointed out that, with local admin access or the ability to flash the BIOS, an attacker would probably be able to install malware on any system, AMD or not. An Intel system is no less exposed to an attacker who already holds that level of access.
The worst consequence listed is “persistent, virtually undetectable espionage” “surviving computer reboots and reinstallations of the operating system.” That’s part of Masterkey. The Ryzenfall and Fallout exploits allegedly could enable an attacker to break into System Management Mode using flaws in the AMD Secure OS and EPYC boot loader respectively. This could in turn be used to enable BIOS flashing for the Masterkey exploit, which seems to be the main focus of the paper. This is theoretical, as the paper opens with “to ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted from this document.” That means no proofs of concept or example code, other than a picture of an EPYC system whose BIOS screen has been modified to say “1337” in one corner.
Chimera is the final exploit, and has to do with AMD’s use of ASMedia chips. CTS claims that the ASMedia ICs in the AMD “Promontory” chipset “have sub-standard security and no mitigations against exploitation. They are plagued with security vulnerabilities in both firmware and hardware, allowing attackers to run arbitrary code inside the chip, or to re-flash the chip with persistent malware.” They claim to have successfully taken advantage of these vulnerabilities, but again, it requires local admin access and a signed driver.
How Was the Exploit Presented?
We’ll get to the company’s credentials in a moment, as those are suspect, but let’s start with the presentation of this vulnerability by CTS Labs.
Contrasting the Meltdown and Spectre whitepapers, the CTS Labs whitepaper on claimed AMD vulnerabilities is bereft of any example code, and is written with a tone that attacks companies, rather than addressing the technology that is allegedly flawed. This is the most concerning, as the writing is charged and appears emotionally motivated, rather than taking an approach of objectively outlining the exploits and detailing the technology.
A primary concern is the window of time provided to AMD: For Spectre and Meltdown, AMD, ARM, and Intel were given at least six months to build security patches prior to the public unveiling of the exploits. This is in the best interest of the public. CTS Labs, meanwhile, purportedly unveiled its findings to press and analysts prior to reporting the alleged exploits to AMD. AMD was given 24 hours’ notice before the news embargo on the story lifted, which is clearly not enough time to respond to such allegations.
As one example of the aggressive writing, the report leans on ad hominem attacks. The following quotes all come from its first three pages: “The Ryzen chipset, a core system component that AMD outsourced to a Taiwanese chip manufacturer, ASMedia, is currently being shipped with exploitable manufacturer backdoors inside.”
Another quote: “We note with concern that AMD’s outsource partner, ASMedia, is a subsidiary of ASUSTeK Computer, a company that has recently been penalized by the Federal Trade Commission for neglecting security vulnerabilities and put under mandatory external security audits for the next 20 years.”
And another: “In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD.”
Let’s do one more for good measure: “AMD’s latest generation Vega GPUs, which also have Secure Processor inside of them, are being integrated as deep-learning accelerators on self-driving cars.”
This is fear-mongering, plain and simple. It’s the old “self-driving cars will kill you” shtick, except applied to AMD’s Vega GPUs, which have not even been directly shown to be affected by this alleged exploit.
This is language used to drive emotion, particularly among investors, and it does not match the language of a standard technical whitepaper. There is almost zero focus on the technical exploits; again, the fact that the only functioning demonstration offered is a BIOS boot screen altered to display “1337” sort of says it all.
“You Are Advised That We May Have [...] An Economic Interest”
As for the CTS Labs website, the posted legal disclaimer has some boilerplate CYA language, but also has some questionable language: In one part, the disclaimer states, quote, “the report and all statements contained herein are opinions of CTS and are not statements of fact.” Another legal statement notes: “Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.”
Who Is CTS Labs?
We’ve contacted security experts we’ve worked with on Meltdown and Spectre stories, and have requested scrutiny over the CTS Labs reports. Although some have stated off-record that there may be some legitimacy to the exploit, none yet have heard of CTS Labs. AMD’s own statement insinuates similar unfamiliarity with CTS Labs, where the company says:
“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.” - AMD
Unreachable PR Company
When we first saw the press release, we reached out to the listed Bevel PR phone number and publicly listed contact, Jessica Schaefer, to learn more about the CTS Labs research company. We won’t show it on screen, but looking through personal social media pages, we were able to find that Bevel PR appears to have been founded in 2017, and that it is staffed primarily or entirely by one individual. The Bevel PR phone number went straight to a full inbox and we were unable to get into contact. We have also reached out to Schaefer through other contact channels. We’ve never heard of Bevel PR before, but their webpage indicates that they have some experience working with ICOs and hedge funds. This pointed us in the next direction.
Startup Security Company
CTS Labs is a new company: The CTS-labs.com domain name was registered on June 25, 2017, around when the Meltdown exploits were privately revealed to Intel. AMDFlaws.com, the domain that lists the exploit whitepaper, was registered on February 22, 2018. Both are GoDaddy domains. There is an IntelFlaws website, but we contacted the owner and there is no affiliation. The owner is an individual and was bewildered by our cold call, and we’d readily take their word on lack of affiliation.
Potential Involvement with Financial Groups
CTS Labs lists one Yaron Luk-Zilberman as the Chief Financial Officer. We found SEC documents containing information on Yaron Luk-Zilberman and noted that he supposedly has an affiliation with NineWells Capital Management, LLC, a hedge fund and investment management firm. Luk-Zilberman is listed as holding a management position at the company. We attempted to call the phone numbers listed for Luk-Zilberman on official government documents, but found that the numbers were disconnected or invalid.
Misleading, Green Screen Offices
The CTS Labs YouTube account was registered three days ago, at time of writing, and presently has disabled comments on videos. The default is enabled, so they were likely manually toggled off. Video backgrounds are stock footage -- something we can demonstrate -- and are available from Shutterstock for download. These videos were not shot in real offices; well, not offices that are owned by CTS Labs.
As for the logo, it appears that CTS Labs is using a modified version of a Shutterstock Electronic Shield logo design that we found.
The company looks suspect. It’s possible that this is a new security firm that just grabbed some stock assets because they didn’t have anything better, but this is all information to consider when determining the motive of the publication.
The Ravings of a Lunatic
On that note, we must also look to Viceroy Research: Viceroy was the first group to report in great detail on the alleged AMD vulnerability, and managed to publish a 25-page PDF almost immediately upon the disclosure of the supposed exploits. We believe this was pre-written. The PDF is entitled “AMD - The Obituary,” and seems motivated to inflict fear and cause damage. Some quotes state, for instance, “Just one Ryzen chip could danger an entire enterprise network,” or “AMD’s flawed chips are components in defense products.” One last quote that you’ll like: “We believe AMD is worth $0.00, and will have no choice but to file for Chapter 11 Bankruptcy in order to effectively deal with the repercussions of recent discoveries.”
At best, this is fear-mongering, but at worst, as Viceroy themselves have directly implied, there could be financial motivation.
“Assume We Have a Position on the Stock”
Viceroy joined BusinessDay for an interview in 2017. When asked by the magazine what Viceroy is, the group responded: “We’re an independent research group based in the US. Our focus is to research entities that we find have signs of accounting irregularities and potential fraud.” When asked why, the group stated: “We take a financial position in our research, and our readers should assume we have a position on the stock.”
The group also remains anonymous.
If we assume that Viceroy has a position on AMD’s stock, as they’ve instructed us to do, we would assume it’s a short position -- and AMD’s recent uptrend would impact that negatively. We aren’t making any leaps, here: Viceroy themselves state to assume a financial position on stocks. Literally.
The ravings of the Viceroy paper really look like that of a deranged lunatic -- like something you’d find smeared on the walls in a back alley. The language is histrionic and hyperbolic. It’s a joke.
In speaking with multiple security experts off-record, we have it on good authority that the proposed vulnerabilities are potentially legitimate; however, our present understanding is that these alleged vulnerabilities: (1) Are not unique to AMD, (2) may require root access to the host system, and (3) are blown way out of proportion, if legitimate at all.
Viceroy’s peculiar involvement in all of this is the most vexing, particularly when going on-record in an interview to demand an assumption of financial involvement. Had this been presented as a demonstration of technology and its limitations or flaws, that’d be one thing, but this was presented as a hit piece on AMD by both CTS Labs and Viceroy. Any researchers with their names publicly attached to this fracas should be ashamed.
Finally, because we’ve seen the conspiracy theories, we have asked Intel if the company has any comment on this whole thing. Intel responded to GamersNexus with a statement:
"Intel had no involvement in the CTS Labs security advisory." - Intel statement to GamersNexus
It would seem far more likely, we think, that individual investment groups had something to gain. Be sure to follow us for additional news. Our video coverage is forthcoming.
Host, Editorial: Steve Burke
Editorial: Patrick Lathan
Video: Andrew Coleman