AMD’s “security flaw disclosure” by CTS Labs under fire — appears to be a financially motivated move
AMD was hit with a surprising security flaw report by CTS-Labs, a security research firm based in Tel-Aviv, whereby a whopping 13 critical security vulnerabilities were discovered on AMD Ryzen and AMD EPYC CPUs. Now it wouldn’t be all that surprising to find flaws in any CPU, if it wasn’t for a few flaws in this report.
Firstly, the report only gave AMD and other parties 24 hours to respond, which is really short compared to the standard 90-day period. For the Spectre and Meltdown security flaws, the industry got 6 months to solve and develop workarounds to fix the issue. Secondly, CTS-Labs issued a disclaimer with the words:
…we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
While that isn’t a dead give away, WCCFTech also found that a Viceroy Research published an obituary for AMD, claiming that the flaws will result in AMD becoming worthless on the stock market. This obituary was apparently out mere minutes after CTS-Labs published their AMD security issues report, which was also the company’s first ever whitepaper.
Later on, as other members of the industry got around to testing it, it was revealed that these flaws needed anything from administrator privileges to even needing a BIOS flash to expose these issues. This has led Linus Torvalds to call the Israeli company out, and the security research industry in general:
…if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem” – Linus Tovalds
CTS-Labs claims that the short period of time was given due to their opinion that AMD won’t be able to fix the flaws in the near future, needing months to a year for the chipmaker to come up with a solution to them.
If you are still interested to find out about CTS-Labs’ findings, check out the above video. Or head over to www.amdflaws.com. Yes, that’s an actual website, created by CTS-Labs to announce their findings. Never have I seen such practice, but hey, they would have to draw as much attention as possible to get people to stay away from AMD, eh?
Pokdepinion: While these flaws are most probably true, flashing a new BIOS isn’t something you can do easily. I think Ryzen users are still pretty safe at the moment.