• Save 20% on ALL SFF Network merch, until Dec 31st! Use code SFF2024 at checkout. Click here!

CPU There's been an uncorrobrated "hardware security vulnerability" involving recent AMD processors

VegetableStu

VegetableStu

Shrink Ray Wielder
Original poster
Aug 18, 2016
1,949
2,619
Basically the guys who annouced it claim intrusion via BIOS hacking in general. Problem is, they only informed AMD 24 hours prior to public release, which is too little time to realistically make a workaround for, let alone breaking some very important computer security ethics (i.e. irresponsible)

I won't be linking the source for legitimacy reasons (completely bonkers reporting ethic, fishy web presence history, certain allegations of possible stock market fraud against someone related to the research team, highly specific text disclaimers, and more importantly no reliable second source confirming proof of vulnerability (is yhere even a working source code published?)), but keep an eye out on anandtech and responsible computer security teams like Google Project Zero (do suggest other outlets as well)

For reference: a demonstrable proof by a third party when Meltdown and Spectre came about

TL:DR: if you read Ryzenfall, second source for actuality.
 
Last edited:
  • Like
Reactions: owliwar and AleksandarK
Phuncz

Phuncz

Lord of the Boards
SFFn Staff
May 9, 2015
5,947
4,953
Dubious for sure, I'm sure the stock price will be the one that hurts the most and considering that one of the US media picked up this news minutes after going public by a difficult to track Isreali company that has been sitting on the URL for a year, I'm very skeptical this is anything but fake news.
 
  • Like
Reactions: Soul_Est, owliwar, AleksandarK and 2 others
AleksandarK

AleksandarK

/dev/null
May 14, 2017
703
774
Whatever this may be, i hope AMD sorts it out quickly and efficiently!
I just dont believe that they "just recived" the information, but they may know it for some time and they didnt make any solution.
Maybe they have a solution coming up soon.... who knows....
I guess that the best thing was to notice the shareholders first and notify them of this, than do an official statement for the press. This way, it is just rumors that may hurt AMD very badly and hurt its reputation in eyes of consumers and datacenter users.
 
confusis

confusis

John Morrison. Founder and Team Leader of SFF.N
SFF Network
SFF Workshop
SFFn Staff
Jun 19, 2015
4,325
7,425
sff.network
I'm calling business BS on this one. We're seeing what is in effect an attempt to tank share prices in preparation for a buyout. Whilst there may or may not be a security flaw here (I'm waiting on something more than a flimsy whitepaper on this one), this smells reeeeeal fishy.
 
  • Like
Reactions: Soul_Est, owliwar, Hifihedgehog and 1 other person
VegetableStu

VegetableStu

Shrink Ray Wielder
Original poster
Aug 18, 2016
1,949
2,619
so far Cymmetra got in touch with them and only gave word of assurance that the exploits are legit (not enough IMO)
(see twitter chain)

there's supposedly 3 being approached to confirm legitimacy

anandtech recieved an offer for communication via phone. I'll stick to that for now
 
Last edited:
confusis

confusis

John Morrison. Founder and Team Leader of SFF.N
SFF Network
SFF Workshop
SFFn Staff
Jun 19, 2015
4,325
7,425
sff.network
I think Gamer Nexus's quote here is important;

"In speaking with multiple security experts off-record, we have it on good authority that the proposed vulnerabilities are potentially legitimate; however, our present understanding is that these alleged vulnerabilities: (1) Are not unique to AMD, (2) may require root access to the host system, and (3) are blown way out of proportion, if legitimate at all."
 
  • Like
Reactions: owliwar, Hifihedgehog, TheHig and 3 others
jØrd

jØrd

S̳C̳S̳I̳ ̳f̳o̳r̳ ̳l̳i̳f̳e̳
sudocide.dev
SFFn Staff
Gold Supporter
LOSIAS
Jul 19, 2015
818
1,359
"potentially legitimate"
"our present understanding is"
"may require root access"
"if legitimate at all"

I mean to me the amount of couching there kind of reads to me like they dont know anything more than the rest of us do right now.
 
  • Like
Reactions: Soul_Est, VegetableStu and AleksandarK
jØrd

jØrd

S̳C̳S̳I̳ ̳f̳o̳r̳ ̳l̳i̳f̳e̳
sudocide.dev
SFFn Staff
Gold Supporter
LOSIAS
Jul 19, 2015
818
1,359
Unfortunately the shady way the was disclosed is going to muddy the waters for a while. Ars did a hit piece w/ some interesting tid bits in it here and there though

The four classes of vulnerabilities—dubbed Masterkey, Ryzenfall, Fallout, and Chimera—were described in a 20-page report headlined "Severe Security Advisory on AMD Processors." The advisory came with its own disclaimer that CTS—the Israeli research organization that published the report—"may have, either directly or indirectly, an economic interest in the performance" of the stock of AMD or other companies. It also discloses that its contents were all statements of opinion and "not statements of fact." Critics have said the disclaimers, which are highly unusual in security reports, are signs that the report is exaggerating the severity of the vulnerabilities in a blatant attempt to influence the stock price of AMD and possibly other companies. Critics also faulted the researchers for giving AMD just 24 hours to review the report before it went public and using a dedicated-website to bring attention to the flaws.
Click to expand...
 
  • Like
Reactions: Soul_Est and AleksandarK
VegetableStu

VegetableStu

Shrink Ray Wielder
Original poster
Aug 18, 2016
1,949
2,619
Ian Cutress of Anandtech has scheduled a phone interview with CTS. Here's to a level-headed article afterwards

also on Anandtech, their current understanding of the exploits suggest no physical presence from the attacker is required. although if I understand right "no physical access" could also mean user incompetence errors (i.e. running a shady exe in admin mode)
 
jmarin

jmarin

Airflow Optimizer
Mar 8, 2018
258
187
I just read that whole thing, don't think there's a second part, just that there were two things to really cover: are the threats real and who the eff is CTS. Still lots of red flags so the coming days will be interesting.
 
  • Like
Reactions: VegetableStu
Phuncz

Phuncz

Lord of the Boards
SFFn Staff
May 9, 2015
5,947
4,953
The interview shows more than a few contradictive, but key, points by CTS which leads me to conclude there are facts being lied about or withheld. This together with the whole Viceroy short-selling company being involved, giving AMD no notice or any chance to deal with this and solely focusing on how bad AMD is in all this, makes it hard for me to think this is anything but an agressive attack on AMD's share value and/or credibility.
 
  • Like
Reactions: VegetableStu
jmarin

jmarin

Airflow Optimizer
Mar 8, 2018
258
187
It seems that the client/customer that had CTS look into this (or CTS themselves) had an ulterior motive. These vulnerabilities seem to be real, but the actions of CTS in response to finding them is suspect at best.