Researchers often reveal new vulnerabilities with flashy websites, clever branding, and a concerted effort to make sure the problems are covered by media outlets (like this one). The newly announced flaws in AMD's Ryzen and EPYC processors are no exception to this rule--in fact, their revelation was even more focused on garnering attention from the public than many other disclosures. It was just missing one thing: time for AMD to respond.
90 Days Vs. 1 Day
We spoke with CTS Labs, the Israel-based company that says it discovered flaws in AMD's Ryzen and EPYC processors to ask why it conducted its disclosure in such a dramatically unorthodox--and many would say unfair--manner.
When researchers discover vulnerabilities in products, they typically give companies 90 days to respond before disclosing their findings to the public. Some flaws are deemed so dangerous that companies are given even longer to respond--Google afforded Intel and AMD some 200 days to fix Meltdown and Spectre before revealing them to the world at large, for example, and other disclosures have been coordinated between victim and researcher.
But CTS Labs offered AMD no such courtesy. It told AMD about the vulnerabilities just 24 hours before they were revealed to the public. That's clearly not long enough for AMD to address the issues, or even possibly for it to notice CTS Labs' message, considering how many bug reports the company receives on a daily basis.
CTS Labs told us that it bucked the industry-standard 90-day response time because, after it discussed the vulnerabilities with manufacturers and other security experts, it came to believe that AMD wouldn't be able to fix the problems for "many, many months, or even a year." Instead of waiting a full year to reveal these vulnerabilities, CTS Labs decided to inform the public of its discovery.
That isn't to say that CTS Labs revealed the problems without checking their veracity. The company told us that it consulted with other security experts and manufacturers about the issue, provided them with proofs of concept and tutorials for exploiting the vulnerabilities, and waited for their responses before preparing the flaws for public disclosure. Trail of Bits CEO Dan Guido confirmed that his company backed up the findings, for example.
To What End And For What Purpose?
Yet it's important to note that the circumstances surrounding the vulnerabilities' disclosure, and the fact that this is a new company, have raised questions about CTS Labs' intentions. It feels like a hit job on AMD, aimed at torpedoing its stock price. That may be unfair to CTS Labs, but optics and decorum are important to perception, and perception is reality for many.
Yaron Luk-Zilberman and Ido Li On, the company's CFO and CEO, respectively, told us they founded CTS Labs in January 2017 to investigate the security of hardware products. These vulnerabilities are their first major discovery.
The disclosure process itself also raised questions. Though we were told AMD, Trail of Bits, and others were given proofs of concept and instructions for how to exploit the vulnerabilities, that information was not released to the general public. Luk-Zilberman and Li On said that was because the flaws are "practical" and "fit well in the different scenarios and stages of a cyber attack." In other words, they don't want to enable those attacks by revealing too much. That, of course, creates a catch-22 of credibility, because with the details under wraps, most of us in the media (not to mention the curious public) can't examine and evaluate the findings and allegations for ourselves. And because CTS Labs is a new company with no track record to speak of, we can't simply give them the benefit of the doubt.
None of that stopped CTS Labs from putting together a dedicated website for the vulnerabilities, shooting videos explaining them, or briefing (a few) members of the media before discussing the flaws with AMD. In fact, Luk-Zilberman and Li On told us that they have yet to hear from AMD despite all the attention their disclosure has garnered from enthusiasts and journalists. (We asked AMD if this is true; we'll update if the company responds to that question.)
CTS Labs' CTO, Ilia Luk-Zilberman, has now posted a letter on the AMDflaws site that says much of what he told us. It's a somewhat curious screed in which he expounds on his distaste for the 90-day response window and his views on why it's not helpful. Partly, he said that he thinks alerting everyone at once (that is, consumers, media, and companies) puts public pressure on the companies to fix the vulnerabilities (it certainly does), and that by doing so without disclosing the actual technical details, no one is actually at risk. But that creates obvious problems, such as causing widespread FUD, and it invites backlash upon the security researchers, all of which he alluded to in the letter. The salient passage reads in part:
This model has a huge problem; how can you convince the public you are telling the truth without the technical details. And we have been paying that price of disbelief in the past 24h. The solution we came up with is a third party validation, like the one we did with Dan from trailofbits. In retrospect, we would have done this with 5 third party validators to remove any doubts. A lesson for next time.
Altogether, it seems that AMD customers may be justified in worrying about these vulnerabilities. If CTS Labs' description of them is accurate, they are remotely exploitable flaws that could allow attackers to install persistent malware in the deepest recesses of a system. That puts consumers at risk, and it could also undermine businesses' secure networks simply because they rely on Ryzen or EPYC processors.
But that brings us back to the curious fact that AMD had little time to respond to these allegations. Even if you take CTS Labs' stated reasoning for ignoring the industry standard 90-day windows at face value, it doesn't seem to make much sense. Because CTS Labs won't release more detailed information about the vulnerabilities to the public--a wise choice, technically, if they are indeed actually easy to exploit--we won't have concrete confirmation of their existence until AMD has had a chance to examine the problem. If CTS Labs did provide all the research it has to AMD, that shouldn't take long. We expect to learn more about the issue over the coming days--and to witness its potential aftermath over the coming weeks, months, and years.