back to article OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …

        1. nijam

          > Like many here I was deeply involved in fixing Y2K issues

          Whereas, like many others here, I was involved in wasting my time confirming that none of our software or IT equipment would be affected by the Y2K issues. (And just to make the point, I'll point out that it was repeatedly hyped as a "millennium bug", when it was merely a "century bug".)

      1. Anonymous Coward
        Anonymous Coward

        "I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.!"

        How do they know?

        Hey look I've house full of IoT stuff I bought of eBay for a fiver and I've never had security issues!

        Are they actually worth worrying about? Do they have corporate secrets on there? Are they Domain administrators on a 100,000 strong network? Are they running websites?

        Or is it just Dave, Mildred and uncle Arthur playing solitaire?

    1. Chika

      The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?

      As one of a large number of people who worked pretty hard to make sure that everything worked reasonably well come 01/01/2000, I think that I can guess why you might have a few downvotes on this post.

  1. Walter Bishop Silver badge
    Facepalm

    Israeli security startup CTS-Labs

    Why not just make the firmware read-only with a hardware switch?

    "CTS-Labs, a security startup founded last year in Israel"

    CTS-Labs, a front for the Israeli security service, most probably.

    1. eldakka Silver badge

      Re: Israeli security startup CTS-Labs

      > Why not just make the firmware read-only with a hardware switch?

      Many dumb users would find that too complicated.

      For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS (e.g. just DOS or QDOS or similar) and flash that way. But in the name of convienience many manufacturers have made it possible to flash from a multi-user, network-connected operating system using auto-updates.

      1. 9Rune5

        Re: Israeli security startup CTS-Labs

        For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS

        Sure, and at some point they stopped making floppy drives, which kinda forced everyone to use more convenient ways. Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.

        And hey, it is not as if nobody were ever infected by leaving a diskette in the drive before restarting.

        In all fairness, compared to the 80s and 90s, I think we are better off now security wise.

        1. Teiwaz Silver badge

          Re: Israeli security startup CTS-Labs

          Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.

          Most laptops today could fit an SD card slot in, but often hard to to find one.

          I've a mobo with several different methods of updating the BIOS (including dedicated USB socket), all seem over-complex and flawed.

          Ended up going back to the old method, if with cut-down OS on a USB stick rather than an 8', 4.25 or 3.5' 'floppy'.

          1. Alistair Silver badge
            Windows

            Re: Israeli security startup CTS-Labs

            @ Telwaz:

            I wanna see that 8 foot diameter floppy disk.

        2. eldakka Silver badge
          Mushroom

          Re: Israeli security startup CTS-Labs

          Sigh.

          OK, you have just firmly put yourself into the "dumb users" category. Therefore let me spell it out a bit more clearly for you, rather than the generic shorthand "boot from floppy" which I believe most people would understand to mean "boot from external media, no matter what form that external media takes".

          For many years, the only way to flash BIOS was to boot into a single-user, non-multitasking OS that had minimal drivers loaded (no networking, no SCSI, no tape drives, no heavy-weight GPU drivers, and so on) and either explicitly invoke the 'flash' command (unless the boot media was specifically crafted for flashing BIOS, in which case it might automatically invoke the flash command). This method was orginally done via floppy disks (5 1/4" when I started, older people will remember 8" or even audio-tape-based drives). It could also be accomplished by other externally booted media, e.g. eSATA, USB, Zip drive, firewire, serial, or whatever method your specific hardware supported. Alternatively, you could have a boot-loader that oftered the choice of booting into such an O/S that (might have) had its own tiny dedicated partition.

          Or even, if using a UNIXy system where the OS itself supported many different boot modes, you could explicitly boot into single-user mode or, if it is/was actually a UNIX workstation of some manufacture, you would probably do it from the boot PROM or similar environment (for those of you not with a history of actual workstations, they had a UEFI-like system for decades, but it wasn't graphical, it was command-line based, so you could boot up into the 'UEFI' (on a SUN workstation STOP-A would dump you into it) and perform some hardware-based tasks like this).

          Or even in more modern windows, at least booting into 'safe' mode (without networking) would give you a semblance of doing something similar.

          The key takeaway, which I suspect most people (other than you) would have gotten was:

          For the convienience of the average user, manufacturers have sacrificed security and reliablity for user convienience. It is a bad idea to be able to flash a systems firmware from a connected, online, multi-user operating environment where someone sitting on the other side of the world could be flashing a compromised firmware onto a system unknown to the user who might actually be using the system at that time and not know this is going on.

          1. 9Rune5

            Re: Israeli security startup CTS-Labs

            What you are describing is security by obscurity.

            I really don't care. If you manage to get to root level on my box, then it is game over for me.

            Besides: Ahem... If you manage to get to root... AFAIK you have kernel access. Which means you are free to install whatever device driver you like. Which in turn... Tadaa... you can flash whatever you can flash from a DOS boot device, be it your old trusty floppy or SD card.

      2. vtcodger Silver badge

        Re: Israeli security startup CTS-Labs

        If you find yourself frequently updating the firmware for obscure security chips, might not that be an indication that either 1) The code for those chips is not very high quality, and/or 2) The chips are doing way too many things and therefore have an overly large attack surface, and/or 3) The whole notion that computers are securable is nonsense and that we better start rethinking what we use them for and what we choose to do and not do digitally?

        The idea of an off/open by default switches or jumpers for "firmware" updates seems to me to make a lot of sense.

      3. Roland6 Silver badge
        Pint

        Re: Israeli security startup CTS-Labs

        >For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS

        And before that, the only way was to physically replace the BIOS EPROM.

        Youngsters! :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Israeli security startup CTS-Labs

      CTS-Labs, a front for the Israeli security service, most probably.

      I'd long ago concluded that Israel itself was just a front for the Israeli security services.

    3. Alistair Silver badge
      Windows

      Re: Israeli security startup CTS-Labs

      @ Walter Bishop:

      I have -- lessee -- 86 nodes in a Hadoop cluster.

      Exadata (Dev/qa) -> Full rack, 6 DB nodes and 11 Storage nodes

      Exa (Prod) two racks, 4/6 each

      32 Sas systems in a cluster,

      Wanna come up date *all* my firmware one Saturday night with switches?

      (And we aren't even looking at DRP yet, nor the 4,000 odd other systems in our various data centers..... And Cloudfront would shoot you)

  2. Anonymous Coward
    Anonymous Coward

    On a broader front it does give food for thought on how our processors are designed, trusted, and generally run. This issue is only likely to intensify with the increase in services a cpu is designed to supply.

    From my own perspective i'm old fashioned I like a RISC architecture CPU that just processes instructions(no microcode involved), that way I can trust it to do what its told.

    1. low_resolution_foxxes

      Yeah, sometimes it almost seems like processors are designed to have backdoors by the Americans that occasionally get leaked and cause a crisis....

    2. Nick Ryan Silver badge

      As a broad genalisation, good security must be place in from the start, attempting to retrofit security almost always fails.

      The "WinTel" platform started from a stand alone, single process, single privileged user platform to one that is now networked, has had multiple users and multiple concurrent applications added with security tacked on top almost as an afterthought. I don't really consider these failures malicious, more a symptom of how the platforms (processors, chipsets and operating systems) evolved and what they evolved from.

      1. Anonymous Coward
        Anonymous Coward

        I think you're mostly correct, but I'm to cynical to not expect our friendly neighbourhood spy agencies not to take advantage of their position to not request/force security issues on chip makers. I think what you've described just makes them doing so more easy.

  3. DeKrow

    Timeline

    - Intel's MELTDOWN and SPECTRE issues were disclosed in late January 2018.

    - amdflaws.com registered 22nd of Feb 2018

    - AMD informed of the issues 12th of March 2018

    - actual disclosure / news release 13th of March 2018

    Three things:

    This looks like an Intel-sponsored hit on AMD to 'level the playing field'

    The web domain was registered well in advance of any warning being given to AMD - because we're a security company, so fuck security we've got marketing to do: flashy website and high-production-value YouTube videos here we come!

    Just like hacking evolved from a hobby into serious criminal enterprise, security disclosure has turned from noble and responsible act (with some self-advertising for employment purposes) to blatant stock market manipulation.

    Other things:

    - The amdflaws.com domain was registered with a 2-year expiry (22/02/2018 - 22/02/2020)

    - The cts-labs.com domain was registered with a 1-year expiry (25/06/2017 - 25/06/2018)

    - Both were registered with GodAddy

    - Linus Torvalds gets more respectable the more outbursts I read about

    1. the Kris

      Re: Timeline

      Anyone registered www.intelflaws.com yet?

      1. Peter2 Silver badge

        Re: Timeline

        A domain squatter has. Unsurprisingly, it's priced in direct relation to the quantity and severity of flaws in Intel processors.

        1. Doctor Syntax Silver badge

          Re: Timeline

          A domain squatter has [registered intelflaws.com].

          How about intelflawsareworse.com?

          This could get really silly really fast.

  4. Carl D

    Well, at least I'm not alone

    https://doublepulsar.com/on-amd-flaws-from-cts-labs-f167ea00e4e8

    "You may have seen media reports about flaws in AMD chipsets. AMD are currently reviewing the report, as they were given less than a day notice of vulnerabilities that CTS Labs claim put lives at risk (via their website, AMDflaws.com). This is a highly unusual and reckless disclosure of security flaws."

    and...

    "I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations.

    The only real public exploit here at the moment is a press exploit. This situation should not be happening."

    Yep, absolutely correct.

  5. TReko
    Thumb Up

    Excellent reporting, Register

    As usual, a well written and researched piece.

  6. Anonymous Coward
    Anonymous Coward

    ASMedia, owned by ASUSTeK

    "The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines."

    Well, I guess THIS is why I was able to purchase a used ASUS motherboard for under $20.00 on eBay.

    The computer went to a 9 year old child so if any keyloggers are in place some miscreant is getting the passwords to RoBlox.

  7. Glad Im Done with IT

    Maybe this will backfire.

    If this is primarily a securities ploy to weaken AMD then this may backfire massively.

    This sound like a processor where the user gets full control of their hardware back. If you don't want to use the increasingly irrelevant windows 10 and are annoyed at lock down of the hardware you own, this sounds like maybe the last chance to get a CPU where you will have full control of the hardware you own.

    I was looking for an upgrade path to my aging hardware and now I want one of these CPUs because of these 'vulnerabilities'.

    1. whitepines Silver badge

      Re: Maybe this will backfire.

      Please explain to me how you think you have full control? How is this different from jailbreaking, where you absolutely do not get full control, just some control over userspace?

      1. Glad Im Done with IT

        Re: Maybe this will backfire.

        At the moment these parts of your hardware ,PSP etc are black boxes which are not accessible to the end user. If these 'exploits' allows a root user to view, check and record the contents at least there is a level of certainty for the administrator that the hardware has not been compromised. Any changes in these black boxes could be logged, diffs made, and if unhappy potentially rolled back to a state that the end user is happy with.

        Security belongs to the owner of the hardware not the manufacturer.

    2. Dragonstongue

      Re: Maybe this will backfire.

      especially as AMD deals with NASDAQ who is in new york and in new york if you are "fined" for damages, the "win" is triple damages...I can see Intel doing this, because they would just keep paying the fines and not bother paying the full amount for years and years (just like they did with the what was it 2.5billion they had to pay AMD, they still have not to my knowledge...they just keep reinvesting, keep "taking a loss" and keep tying the court up so essentially never have to pay it)

      10 years or more screwing AMD by forcing vendors to NOT use AMD and use them with "sweetheart deals" likely the amount Intel "has to pay" is a very small drop in the mentioned bucket compared to the loss in revenue AMD suffered because of this since then and now (they still do this crap, but, have gotten crafty at it, and do it in countries that do not have any laws against them acting this way)

      1. Glad Im Done with IT

        Re: Maybe this will backfire.

        Ok looking at Nasdaq there was notable trading reported on Tuesday.

        "Especially high volume was seen for the $11.50 strike put option expiring March 16, 2018 , with 38,495 contracts trading so far today, representing approximately 3.8 million underlying shares of AMD. Below is a chart showing AMD's trailing twelve month trading history, with the $11.50 strike highlighted in orange:

        So if share price remains above $11.50 for two days then these dumpers have lost their premium. I suspect the markets have already taken note and no doubt will keep these options worthless.

        1. Bronek Kozicki Silver badge

          Re: Maybe this will backfire.

          On put options: the current price is $11.35 , so put option at $11.50 is "in the money". However, the price has been climbing up, from the lowest point today $11.28, so those who bought these options when the shares were cheap will not make profit, unless the price falls again. It might, or it might not - if it does then it would be not on the "strength" of the security "discovery" discussed here.

  8. Richard 12 Silver badge

    It rather involved being on the other side of this airtight hatchway

    So if you can get physical access, you can reflash the firmware.

    Yes, of course you can. You can do that on practically any hardware that has programmable non-volatile memory.

    Assuming everything they claim is true, the TPM flaw is the only one of consequence - being able to extract the key by any means is very bad, reflashing firmware should wipe the keys.

    As for the rest - exactly how does one update a BIOS/UEFI/chipset/GPU-BIOS/insert-device-here without the ability to install said firmware?

    All Intel chips and chipsets have near-identical "flaws". The only true mitigation is ROM - and good luck updating that when there is a real problem.

    1. Paul Shirley

      Re: It rather involved being on the other side of this airtight hatchway

      While being able to install unsigned firmware has it's uses, on a device with supposed security features it's always a fault. Hacking clocks on a gpu is a different from the potential to expose keys on a CPU.

    2. Solmyr ibn Wali Barad

      Re: The only true mitigation is ROM

      Yes, please, bring back those UV-eraseable EPROM chips. With 25V programming voltage.

      Not only do they look cool, quartz windows and all that, but using those will probably teach them script kiddies a bit of real work.

      /my coat has a box of 2708's in its pocketses, thank you/

    3. RAMChYLD

      Re: It rather involved being on the other side of this airtight hatchway

      "reflashing firmware should wipe the keys."

      Wouldn't doing that render, at very least, lost of access to DRMed files (assuming the BSAss, MPAssA and RIAssA mandates that the OS stores decryption keys for the DRMed media you bought off Google Play/iTunes/Windows Store on the TPM if one is available) and at worst, lost of the content of the entire hard drive (assuming the user encrypted the entire drive and the key is stored on the TPM)?

      I think leaving the TPM untouched is more for the convenience of the user. Who has the time to go through reformatting an entire PC and deal with data loss just because the firmware was updated?

      Although, imo, the world would be a better place without TPM. The only thing TPM does is it gives big corporations even more control over your own PC and what you have installed.

  9. Anonymous Coward
    Anonymous Coward

    Pot and Kettle

    re

    The biz apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure.

    Curious, how much advance warning did the register give Intel?

    1. Glad Im Done with IT

      Re: Pot and Kettle

      The reg reported on facts already in the public domain, Linux kernel sources, and did a bit of putting two and two together.

    2. DougS Silver badge

      Re: Pot and Kettle

      Plus Intel had known about the flaw for six months by the time the Register reported on it. If you can point to an incident where the Register independently discovered a CPU flaw and gave 24 hours notice before publishing an article, please feel free to educate us. Idiot.

    3. Major N

      Re: Pot and Kettle

      Intel et al had been aware of the problem for at least six months at that point, so your attempted snark is both unwarranted and off target.

      1. Doctor Syntax Silver badge

        Re: Pot and Kettle

        "your attempted snark is both unwarranted"

        Don't be too sure. I think we can work out who might have warranted it.

    4. Anonymous Coward
      Anonymous Coward

      Re: Pot and Kettle

      An integer answer would have sufficed.

      Nice to see the un-educated like to down vote a question without realizing the true purpose.

      1. Doctor Syntax Silver badge

        Re: Pot and Kettle

        "Nice to see the un-educated like to down vote a question without realizing the true purpose."

        Have you stopped beating your wife? A yes or no will suffice.

  10. Dodgy Geezer Silver badge

    At what point...

    ..."At what point will security people admit they have an attention-whoring problem?"...

    "At what point will people admit they have an attention-whoring problem?"

    There. Fixed that for you.....

    1. nematoad Silver badge

      Re: At what point...

      Ah, but how much damage could the security people do as against the "ordinary" citizen?

      A lot in my opinion, and I reckon Linus has this right in calling out this "look at me, aren't I clever?" attempt.

  11. Anonymous Coward
    Anonymous Coward

    How much did this report cost Intel?

    I wouldn't believe any of the claims until we hear from AMD that a claimed security issue actually exists. We saw in prior reports that AMD's CPU architecture did not suffer from the security violations baked into Intel branded chippies. It would not surprise me one bit to have Intel spend millions to get some unknown entity to make claims that are untrue to confuse consumers and make it appear that all CPUs suffer from the security issues Intel intentionally created in all of their CPUs by violating command execution protocol.

  12. Michael H.F. Wilkinson Silver badge

    I smell something fishy,

    and I’m not talking about the contents of Baldrick’s apple crumble

    To quote Captain Blackadder

  13. Anonymous Coward
    Anonymous Coward

    why does it have to be Intel? They have a lot to loose if caught. It is probably a scam artist 'investor' looking to make a quick buck.

    1. Mr Humbug

      Seems more likely that it's a bunch of 20-somethings who started a company last year, stumbled across something clever and have spent the last three weeks (since 22nd February) putting together a self-promotion campaign to get the most press coverage possible without considering things such as responsible disclosure.

      The TPM issue (if as described) does seem concerning. I'm sure I can't be alone in using the combination of TPM plus Bitlocker to keeps the data on PCs secure with minimum inconvenience to the user. I guess AMD-based machines are going to need a BIOS boot password now.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019