CTS-Labs, the company that publicized 13 flaws in AMD chips, has defended the brief time it gave AMD before disclosing the bugs and says it validated its claims with a well-known security firm.
AMD is still investigating claims in a report it was handed shortly before CTS-Labs published the AMDflaws.com website on Tuesday.
CTS-Labs’ disclosure has attracted criticism from cybersecurity experts, both because it went public with the flaws so soon after informing AMD and that it may profit directly or indirectly by short-selling AMD stock.
The site publicizes vulnerabilities in AMD’s Secure Processor, an ARM-based processor inside the main CPU that is responsible for processing sensitive data, and backdoors in a chipset from ASMedia, a subsidiary of Asus.
The reports detail bugs in AMD chips and their impact but don’t include proof-of-concept code.
The Israel-based security research company has defended the way it disclosed he flaws. It also says it hired US security firm Trail of Bits to vet its exploit code before releasing the report and told affected third-parties before publishing, including Microsoft, Dell and HP.
“We have been able to identify critical flaws in processors that could put millions of consumers at risk. We have verified our results carefully both internally and with a third-party validator, Trail of Bits,” Yaron Luk, co-founder of CTS-Labs told CSO Australia in an emailed statement.
“We delivered a full technical description and proof of concept of the vulnerabilities to AMD, Microsoft, Dell, HP, Symantec and other security companies. Disclosing full technical details would put users at risk. We are looking forward to AMD’s response to our findings.”
Dan Guido, founder of Trail of Bits, said on Twitter that the AMD “bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.”
As some researchers have pointed out, all 13 flaws require administrative privileges to exploit, however in the case of one set of flaws that CTS-Labs called Masterkey, the impact of a bug that allows unauthorized BIOS updates is severe.
In a a letter posted on the AMDflaws site defending its disclosure, Ilia Luk-Zilberman, CTO of CTS-Labs, said its research into AMD chips was sparked by the discovery of multiple backdoors in ASMedia chips a year ago that would give an attacker full control over the chip.
He says CTS-Labs broadened its research into AMD chips after discovering the chip maker outsourced its chipset to ASMedia and found its exploit code for ASMedia chipsets worked on a PC with AMD’s Ryzen CPUs.
“To be honest, we were a bit shocked by it, how they have not removed the backdoors when integrating ASMedia IP into their chipset is beyond me,” wrote Luk-Zilberman.
“It took time to set-up the working environment to start communication with the AMD Secure Processor, but after reaching a full working setup and understanding of the architecture – we started finding vulnerabilities. One, and another and another. And not complex, crazy logical bugs, but basic mistakes – like screwing up the digital signatures mechanism.”
AMD said in a new blog post that it found it "unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings".
Luk-Zilberman defended his company's disclosure as an alternative to the "coordinated disclosure" approach endorsed by Microsoft, "full disclosure" advocated by some, and Google's fixed but sometimes flexible 90-day disclosure period.
"I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what the impact [is]. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."