CTS Labs' AnandTech Interview Raises More Questions About Its AMD Vulnerability Disclosure

Update, 3/18/18, 1:30pm PT: The original version of this article quoted Luk-Zilberman as directly contradicting himself when discussing CTS Labs' day-one disclosure practice. However, AnandTech misquoted him--which the site has now rectified. In fact, he stated that "I would not say that in every case that this is the better method." We have removed the reference in the copy below.

CTS Labs still has not responded directly to our email questions, but through AnandTech, it contested our note that "it clearly gave information to others beforehand," and specifically, our assertion that Viceroy Research had the information early. CTS Labs pointed us to this Motherboard article that quotes CTS Labs as stating that it did not give information to Viceroy Research; it also quoted Viceroy's Fraser Perring confirming the lack of a financial relationship with CTS Labs. Curiously, Perring (per Motherboard) asserted that the information came from an anonymous tipster. However, given the detail and timing of Viceroy's attack on AMD stock, the whole thing looks like a coordinated assault; at the very least, it would seem that Viceroy knew when CTS Labs was going to publish its findings.

We have updated the copy below slightly to note that other entities received CTS Labs' information, not necessarily that CTS Labs handed over the information itself.

Original article, 3/16/18, 11:45am PT:

The saga of CTS Labs' revelation of 13 (potential) vulnerabilities in AMD's Ryzen and EPYC processors continues. Tom's Hardware managed to get the company on the phone shortly after its disclosure; our sister site, AnandTech, was later able to perform a more thorough phone interview with CTS Labs. AnandTech's Ian Cutress pulled in an outside expert, David Kanter (of Real World Tech), for the call with CTS Labs' Ido Li On (CEO) and Yaron Luk-Zilberman (CFO).

As you can read yourself from the transcription of the call, the interview perhaps raised more questions than it answered about CTS Labs itself--its methods, motivations, and ability to handle the disclosure of critical vulnerabilities--as well as the vulnerabilities it revealed.

As we explained in our previous reporting on CTS Labs' findings, most researchers give companies 90 days to address vulnerabilities before disclosing them to the public. Sometimes these grace periods are extended--Google ended up waiting 200 days to reveal Meltdown and Spectre after a series of delays--but 90 days is the standard. Yet CTS Labs gave AMD roughly 24 hours to examine its findings before they were made public.

There were also contradictions and oddities. For example, Luk-Zilberman said that CTS Labs would love to share vulnerability and exploit details with the likes of AnandTech but couldn't because of "Israel export laws," but Cutress' legal contact called that "BS." Cutress also asked CTS Labs whether they thought those laws (specious as they may be) prevented them from disclosing the vulnerabilities publicly, to which Luk-Zilberman bafflingly replied, "That is an interesting question, I haven't even thought about that."

CEO Ido Li On also said, when asked, that he couldn't remember whether they had prebriefed media before they posted their announcement, which is a ludicrous thing to say. Further, although CTS Labs gave all of its findings to Trail of Bits for confirmation before its announcement, clearly others received information beforehand. That includes the shadowy Viceroy Research, which published a rambling, unhinged takedown of AMD's stock price.

Perhaps most alarmingly, given the severity of its allegations against AMD, CTS Labs seemed to stumble over, mischaracterize, or outright state incorrectly some key pieces of technological information throughout the interview.

None of the above inspires confidence in CTS Labs' ability to handle the disclosure of what it called 13 critical vulnerabilities in AMD products. Whether these problems result from the company's inexperience or from malice is debatable, but in either case (or both cases) it's quite alarming.

It's worth noting that since our own call with CTS Labs, the company has not responded to multiple emails from Tom's Hardware seeking more information about the vulnerabilities, nor did it answer the questions AnandTech emailed after its interview. The company did, however, update the AMDFlaws.com website with a new "clarification" about the vulnerabilities. That clarification wasn't present when the site launched; it took the place of a YouTube video explaining the vulnerabilities.

We should also note that AMD has not yet released an official statement about these vulnerabilities, except to say that it's "actively investigating and analyzing" CTS Labs' report and that it finds it "unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings." The whole situation, and the characters at the center of it, are, indeed, unusual.

  • Ninjawithagun
    No matter what, CTS Labs is in big legal trouble. They had better be prepared for a huge legal suit soon...
  • legokangpalla
    Anonymous said:
    There goes 20% of AMD's CPU performance.

    I find it highly suspicious that you made an account to just say that, huh? I mean, there is no way someone would hire you to smear AMD, right?
    "Oh look, it turns out AMD was just as vulnerable as Intel." When it's nowhere near the level of spectre/meltdown.
  • sfcampbell
    In countless ways the research behind this study could have fostered comprehensive research and remediation of potentially grave security concerns... if CTS and Viceroy hadn't completely botched it in favor of scaremongering, maliciousness, and greed.

    It's their own fault that this accusation is so thoroughly unbelievable! Between ASMedia and [platform agnostic] CPU microarchitecture there may actually be legitimate risks; but now because of these money-grubbing morons, it's a punchline.

    Linus said it best: "They look like clowns."