Security Solution Providers Are Skeptical Of CTS Labs' Claims Involving AMD Processors
Two high-profile security channel partners said insufficient replication details and untimely disclosure suggest that allegations of critical AMD processors vulnerabilities might not live up to the hype.
"There is simply an allegation of a problem with no information that would allow third parties to verify that the problem exists or what techniques would be required in order to exploit it," said Mike Lines, Optiv's vice president of strategy, risk and compliance. "You have no idea of the potential risk."
Israeli cybersecurity research firm CTS Labs said in a whitepaper and newly-created website Tuesday that four AMD processors have critical security vulnerabilities and manufacturer backdoors that put organizations at greater risk of cyberattacks. CTS notified AMD of the vulnerabilities less than 24 hours before going public, far below the 90 days typically adhered to under standard disclosure guidelines.
"I'm very skeptical," said Alton Kizziah, Kudelski Security's vice president of global managed services. "All of these things together – the marketing-focused website, the 24-hour disclosure to AMD, having the domain ready to go, and having white papers that don't tell us enough to actually do anything to protect ourselves."
Research published as part of January's Meltdown and Spectre disclosure contained information around exactly how organizations can be exploited and detailed instructions on how security researchers can reproduce the flaw. Kizziah initially thought he was missing something obvious in the CTS Labs whitepaper, so he had another architect take a look, who verified that no technical detail was provided.
"Even if there's a little bit of a hype cycle, there's usually enough detail so that you can figure out and research your exposure," Kizziah said. "This time, it's just hype."
Santa Clara, Calif.-based AMD released a statement Tuesday afternoon saying it was actively investigating and analyzing the CTS Labs findings.
"We find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings," AMD said in the statement. CTS Labs did not respond to requests for comment.
Researchers typically refrain from disclosing security vulnerabilities independently unless there's a disagreement with the vendor over how much progress has been made in mitigating the issue, Lines said.
Disclosing vulnerabilities without the vendor's consent has become increasingly rare, Kizziah said, since researchers don't want to ruin the chances at future employment by getting a reputation for disregarding industry standards or norms. Publicly disclosing a vulnerability creates far more work for everyone than teaming up with the vendor to mitigate the issue while it's still under wraps, Kizziah said.
"This is one way to generate a whole lot of interest from the media, from other security companies, and from other researchers," Kizziah said. "Everybody's buzzing about it. There's a lot of talk, but everybody's fairly skeptical."
The process of verifying the AMD security flaws itself would give Denver-based Optiv, No. 27 on the 2017 CRN Solution Provider 500, insight into the potential attack vectors as well as what might be required to take advantage of the vulnerabilities, Lines said. But these remain unknowns since the details of how the alleged flaws can be exploited have not yet been released, according to Lines.
"Before there's even any verification that the flaws are real, there's this sophisticated media splash with no real time for the company being impacted to respond," Lines said.
The flaws disclosed by CTS Labs, if validated, are serious but would appear to require a great deal of sophistication in order to exploit since they're predicated on having administrator-level access, according to Lines.
"From a security professional's perspective, if you've already got administrator access to the machine, you've already got the machine," Lines said. "The flaw does not allow you to do much more than maybe add persistence to the takeover of that device."
Reuters reported late Tuesday that CTS Labs had shared their findings with clients that pay the firm for proprietary research on computer hardware, though the company declined to say when they had provided them with data on the AMD vulnerabilities.
Short selling of AMD's stock - or bets that the company's stock price would fall - increased by about 15 million shares in the two business days prior to CTS's public disclosure, with overall short interest in AMD rising to the highest level seen since at least 2010, according to S3 Partners. Nonetheless, AMD's stock climbed $0.12 (1.04%) in $11.64 in trading Tuesday.
Trail of Bits said Tuesday afternoon that it had verified the findings from CTS, which paid the New York-based cybersecurity firm $16,000 to privately review the AMD vulnerabilities. A Trail of Bits analyst spent a week reviewing detailed technical reports from CTS along with code being used to launch attacks on computers running vulnerable AMD chips, the company's CEO told Reuters.
In the case of Meltdown and Spectre, though, the proof of concept code was released publicly so that independent third parties could verify that it was a real problem, Lines said. Optiv is currently waiting for more information from AMD – which CTS Labs said they had privately disclosed additional findings to – around whether the vulnerability is valid, and if so, how severe the issues could potentially be, he said.
"At this point, it's a bunch of allegations," Lines said. "Now, it's like, 'okay, prove it.'"