Skip to main content

CTS Labs' AnandTech Interview Raises More Questions About Its AMD Vulnerability Disclosure

Update, 3/18/18, 1:30pm PT: The original version of this article quoted Luk-Zilberman as directly contradicting himself when discussing CTS Labs' day-one disclosure practice. However, AnandTech misquoted him--which the site has now rectified. In fact, he stated that "I would not say that in every case that this is the better method." We have removed the reference in the copy below.

CTS Labs still has not responded directly to our email questions, but through AnandTech, it contested our note that "it clearly gave information to others beforehand," and specifically, our assertion that Viceroy Research had the information early. CTS Labs pointed us to this Motherboard article that quotes CTS Labs as stating that it did not give information to Viceroy Labs; it also quoted Viceroy's Fraser Perring confirming the lack of a financial relationship with CTS Labs. Curiously, Perring (per Motherboard) asserted that the information came from an anonymous tipster. However, given the detail and timing of Viceroy's attack on AMD stock, the whole thing looks like a coordinated assault; at the very least, it would seem that Viceroy knew when CTS Labs was going to publish its findings.

We have updated the copy below slightly to note that other entities received CTS Labs' information, not necessarily that CTS Labs handed over the information itself.

Original article, 3/16/18, 11:45am PT:

The saga of CTS Labs' revelation of 13 (potential) vulnerabilities in AMD's Ryzen and EPYC processors continues. Tom's Hardware managed to get the company on the phone shortly after its disclosure; our sister site, AnandTech, was later able to perform a more thorough phone interview with CTS Labs. AnandTech's Ian Cutress pulled in an outside expert, David Kantor (of Real World Tech), for the call with CTS Labs' Ido Li On (CEO) and Yaron Luk-Zilberman (CFO).

As you can read yourself from the transcription of the call, the interview perhaps raised more questions than it answered about CTS Labs itself--its methods, motivations, and ability to handle the disclosure of critical vulnerabilities--as well as the vulnerabilities it revealed.

As we explained in our previous reporting on CTS Labs' findings, most researchers give companies 90 days to address vulnerabilities before disclosing them to the public. Sometimes these grace periods are extended--Google ended up waiting 200 days to reveal Meltdown and Spectre after a series of delays--but 90 days is the standard. Yet CTS Labs gave AMD roughly 24 hours to examine its findings before they were made public.

There were also contradictions and oddities. For example, Luk-Zilberman said that CTS Labs would love to share vulnerability and exploit details with the likes of AnandTech but couldn't because of "Israel export laws," but Cutress' legal contact called that "BS." Cutress also asked CTS Labs if they thought those laws (specious they may be) prevented them from disclosing the vulnerabilities publicly, to which Luk-Zilberman bafflingly replied, "That is an interesting question, I haven’t even thought about that."

CEO On also said, upon being asked, that he couldn't remember if they had prebriefed media before they posted their announcement, which is a ludicrous thing to say. Further, although CTS Labs gave all of its findings to Trail of Bits for confirmation before its announcement, clearly others received information beforehand. That includes the shadowy Viceroy Research, which published a rambling, unhinged takedown of AMD's stock price.

Perhaps most alarmingly, given the severity of its allegations against AMD, CTS Labs seemed to stumble over, mischaracterize, or outright state incorrectly some key pieces of technological information throughout the interview.

None of the above inspires confidence in CTS Labs' ability to handle the disclosure of what it called 13 critical vulnerabilities in AMD products. Whether these problems result from the company's inexperience or from malice is debatable, but in either case (or both cases) it's quite alarming.

It's worth noting that since our own call with CTS Labs, the company has not responded to multiple emails from Tom's Hardware seeking more information about the vulnerabilities, nor did it answer the questions AnandTech emailed after its interview. The company did, however, update the AMDFlaws.com website with a new "clarification" about the vulnerabilities. That clarification wasn't present when the site launched; it took the place of a YouTube video explaining the vulnerabilities.

We should also note that AMD has not yet released an official statement about these vulnerabilities, except to say that it's "actively investigating and analyzing" CTS Labs' report and that it finds it "unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings." The whole situation, and the characters at the center of it, are indeed, unusual.

  • Ninjawithagun
    No matter what, CTS Labs is in big legal trouble. They had better be prepared for a huge legal suit soon...
    Reply
  • legokangpalla
    20799922 said:
    There goes 20% of AMD's CPU performance.

    I find it highly suspicious that you made an account to just say that huh? I mean there is no way someone would hire you to smear AMD right?
    "Oh look, it turns out AMD was just as vulnerable as Intel." When it's nowhere near the level of spectre/meltdown.
    Reply
  • sfcampbell
    In countless ways the research behind this study could have fostered comprehensive research and remediation of potentially grave security concerns... if CTS and Viceroy hadn't completely botched it in favor of scaremongering, maliciousness, and greed.

    It's their own fault that this accusation is so thoroughly unbelievable! Between ASMedia and CPU microarchitecture there may actually be legitimate risks; but now because of these money-grubbing morons, it's a punchline.

    Linus said it best: "They look like clowns."
    Reply
  • cryoburner
    20800484 said:
    I find it highly suspicious that you made an account to just say that huh? I mean there is no way someone would hire you to smear AMD right?
    "Oh look, it turns out AMD was just as vulnerable as Intel." When it's nowhere near the level of spectre/meltdown.
    But do you also find it highly suspicious that just 6 minutes after a certain other poster in this thread downvoted your post, another account also downvoted it, who appears to have never posted on this site before, let alone anywhere else on the Internet? <_<
    Reply
  • trigger11121987
    CTS labs are just attention seeking trolls.....
    most of their stated exploits requires the hacker to be PHYSICALLY beside their target....

    they might as well take the PC and leave...
    Reply
  • legokangpalla
    20800821 said:
    20800484 said:
    I find it highly suspicious that you made an account to just say that huh? I mean there is no way someone would hire you to smear AMD right?
    "Oh look, it turns out AMD was just as vulnerable as Intel." When it's nowhere near the level of spectre/meltdown.
    But do you also find it highly suspicious that just 6 minutes after a certain other poster in this thread downvoted your post, another account also downvoted it, who appears to have never posted on this site before, let alone anywhere else on the Internet? <_<
    Wait, you can check who is down voting your post?
    Reply
  • gparmar76
    This was a stock manipulation hit job...funny that Intel is heavily invested in Israel as well...this was also strategically done right before the launch of Zen+ which is going to take the performance crown and price crown away from Intel.
    Reply
  • incognibro
    I skimmed through Viceroy's "report". It includes a disclaimer where it says that the authors have invested in relevant stocks and will have monetary gains from a drop of the AMD stock price. I guess it works in that you can't uncover them as biased if they uncover themselves first...
    Reply
  • cryoburner
    20801523 said:
    Wait, you can check who is down voting your post?
    Yep, but if you are reading the comments under a news article, you have to click the "Comment from the forums" link at the top of the discussion to display the comments from within the forum. From there, you'll see the most recent status update listed at the bottom of each post that has one, containing things like when edits were made, or when users upvoted or downvoted a post, and by clicking the message, it should pop up the full list. There are no links to account profiles though, so if a sockpuppet account were used to manipulate votes, there is no easy way for a regular member to check when that account was made, or if it ever made any posts. Being a relatively high-traffic site, Tom's Hardware tends to get indexed by search engines rather quickly though, so a web search will likely direct you to a post made by the account, should any exist.

    I imagine that members of the moderation team likely have additional tools for detecting and comparing accounts used for potential abuse though. I just noticed that the posts and votes in question have all since disappeared from this thread, so a moderator may have been on to it, and now our conversation just looks off-topic. : P
    Reply
  • billhperry67
    Still looks like BS to me. For someone to get to my computer to flash the bios or inject malicious code, they would need to get past the pugs, the wife, and me. The pugs? I know not a big threat, but they do bark and may lick you to death.
    Reply