Mar 13, 2018

AMD chip flaw disclosure report met with industry skepticism

A screen capture of the website. Joe Uchill / Axios

An upstart cybersecurity research group and trading firm claimed Tuesday that security flaws in AMD computer processors "could potentially put lives at risk." But many in the security community say the widely covered report was dangerously overhyped in an attempt to drive down AMD's stock price.

Why it matters: CTS-Labs and Viceroy Research ultimately did not move the market — AMD finished up for the day. But the media bought into the chaos, at least a little, which could have disastrous effects for security-conscious owners of AMD products.

The intrigue: CTS posted a slick website devoted to the AMD flaws they discovered, complete with video interviews and charts and images ready for the media to use — a marketing effort that started at least three weeks ago when the "" web domain was registered. Yet they only gave AMD 24 hours to patch the issues before going public.

  • The industry standard is to give at least 90 days for a company to demonstrate it is working on a patch before going public.

What they're saying: Viceroy Research claims the vulnerabilities should be enough to bankrupt AMD. In its report, it wrote "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries."

  • In its own report, CTS ends with a disclaimer acknowledging it may be betting against AMD's stock price. "[W]e may have, directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

What independent researchers are saying: Many researchers note that the white paper released by CTS provides no technical detail, making it impossible to evaluate the claims. But the suite of four potential attacks described by CTS is, at a minimum, already covered by one layer of computer security. All of them essentially require the computer to have already been compromised before they can be used to inflict more damage. In short, they can make a bad situation worse, but cannot create the bad situation.

  • "It feels like they may have some valid security research and they’ve come up with a case study how not to disclose it," said researcher Kevin Beaumont. "It feels like a press exploit on top of vulnerability research."
  • Rapid7 Research Director Tod Beardsley said via email that one of the vulnerabilities appears to amount to the user intentionally installing malware onto a component known as the BIOS. "In the end, an 'unauthorized BIOS update' is, itself, an attack that is usually mitigated by normal operating system, firmware, and physical controls," he wrote.
  • Even the outside expert used by CTS-Labs — Dan Guido, CEO of Trail of Bits — was skeptical about the marketing push behind the flaws, tweeting "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works."
