Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits

Last week, the Israeli security company CTS-Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things. What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure. CTS-Labs didn't release details of the exploits, only high-level descriptions of the vulnerabilities, but it is probably still enough for others to reproduce their results. This is incredibly irresponsible of the company.

Moreover, the vulnerabilities are kind of meh. Nicholas Weaver explains:

In order to use any of the four vulnerabilities, an attacker must already have almost complete control over the machine. For most purposes, if the attacker already has this access, we would generally say they've already won. But these days, modern computers at least attempt to protect against a rogue operating system by having separate secure subprocessors. CTS-Labs discovered the vulnerabilities when they looked at AMD's implementation of the secure subprocessor to see if an attacker, having already taken control of the host operating system, could bypass these last lines of defense.

In a "Clarification," CTS-Labs kind of agrees:

The vulnerabilities described in amdflaws.com could give an attacker that has already gained initial foothold into one or more computers in the enterprise a significant advantage against IT and security teams.

The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine. To clarify misunderstandings -- there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin -- and they will work (on the affected models as described on the site).

The weirdest thing about this story is that CTS-Labs describes one of the vulnerabilities, Chimera, as a backdoor. Although it doesn't t come out and say that this was deliberately planted by someone, it does make the point that the chips were designed in Taiwan. This is an incredible accusation, and honestly needs more evidence before we can evaluate it.

The upshot of all of this is that CTS-Labs played this for maximum publicity: over-hyping its results and minimizing AMD's ability to respond. And it may have an ulterior motive:

But CTS's website touting AMD's flaws also contained a disclaimer that threw some shadows on the company's motives: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," reads one line. WIRED asked in a follow-up email to CTS whether the company holds any financial positions designed to profit from the release of its AMD research specifically. CTS didn't respond.

We all need to demand better behavior from security researchers. I know that any publicity is good publicity, but I am pleased to see the stories critical of CTS-Labs outnumbering the stories praising it.

EDITED TO ADD (3/21): AMD responds:

AMD's response today agrees that all four bug families are real and are found in the various components identified by CTS. The company says that it is developing firmware updates for the three PSP flaws. These fixes, to be made available in "coming weeks," will be installed through system firmware updates. The firmware updates will also mitigate, in some unspecified way, the Chimera issue, with AMD saying that it's working with ASMedia, the third-party hardware company that developed Promontory for AMD, to develop suitable protections. In its report, CTS wrote that, while one CTS attack vector was a firmware bug (and hence in principle correctable), the other was a hardware flaw. If true, there may be no effective way of solving it.

Response here.

Posted on March 19, 2018 at 6:27 AM • 46 Comments

Comments

HermanMarch 19, 2018 6:50 AM

Hmm, what it looks like is that if a perp has super user access to a machine, then he can reprogram the BIOS with malicious code.

That is not an exploit. That is how the BIOS update process is supposed to work.

AlexMarch 19, 2018 7:07 AM

Maybe the headline ought to be tweaked a bit? It suggests that Israel's national security service did this, not a private company HQ'd in Israel.

RanizMarch 19, 2018 7:09 AM

Someone in the comments on the Anandtech interview linked to by David posted the idea that this was an attempt to torpedo AMDs stock price to profit from shorted stocks.

Reading through all the articles about it makes that seem quite plausible.

HyderMarch 19, 2018 8:14 AM

Lol, Israeli specialists and they do this? After reading the transcripts of the interview and a few other articles, this fits precisely with stock manipulation. Or at the very least to prevent further Intel sales lost due to Spect/Melt. Hopefully the 8300 model of Israeli specialists are better than the 8200...

TimHMarch 19, 2018 8:59 AM

One byproduct of this is that it becomes clear that even the largest corporations can be damaged by this type of security revelation. Hopefully products will be designed better, but perhaps instead there will be laws passed to hammer those that disclose...

blablablagingerMarch 19, 2018 9:00 AM

"Short and distort" is a type of securities fraud in which Internet investors short sell a stock and then spread negative rumors about the company in an attempt to drive down stock prices.

HiTechHiTouchMarch 19, 2018 9:08 AM

@Bruce Please update the title per @Alex.

@Hyder Agreed. Stock Manipulation EXACTLY.

HristoMarch 19, 2018 9:43 AM

@Raniz they seem to not even hide it: https://motherboard.vice.com/en_us/article/bj5wy4/amd-flaws-viceroy-short-selling-stock-market

The whole story seems just like a quickly set up and unethical publicity stunt. All videos feature stock backgrounds and the company logo is just a slight modification of a stock logo. Also, the vulnerability website listed initially a young PR agency in the contact section, which is no longer the case.

A fishy element is the fact that the controversial Viceroy Research was "anonymously tipped", compiled and published a long "obituary" for AMD, and immediately shorted on AMD stocks.

Sok PuppetteMarch 19, 2018 9:45 AM

What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure.

Those were and are stupid norms. The idea that the vendor should always get advance notice, regardless of the nature of the bug or the actual impact of various forms of disclosure, has never made sense and should go away.

CTS Labs didn't release details of the exploits, only high-level descriptions of the vulnerabilities, but it is probably still enough for others to reproduce their results. This is incredibly irresponsible of the company.

Had AMD been given more notice, is or was there any chance that AMD could have actually mitigated these hardware problems in fielded machines? Could AMD have done so in a way that was faster and more effective than informed users changing the security measures around those machines?

If not, then there's zero reason to give AMD one minute more notice than anybody else gets. All that would do would be to increase the probability of AMD leaking it to people who'd exploit it before everybody who had to protect against it heard about it. While letting more people unknowingly buy and install faulty hardware.

In this case, it looks at first glance as though the main use of the bugs is to let you open up the anti-security super privileged modes and coprocessors that vendors keep throwing into systems... "malware concealment engines", I like to call them. So widespread "exploitation" is probably a net win anyway.

markMarch 19, 2018 11:44 AM

A thought: given how they played it for maximum publicity... one has to wonder if their execs were shorting AMD.

echoMarch 19, 2018 12:02 PM

Thank you for your skilful and level headed commentary, Bruce. The only thing missing is a professional analysis of the allegations of stock manipualtion for financial gain.

One thing which caught my eye among online comments on other sites covering this issue and some of the amateur security articles on sites not normally associated with producing security realted articles is that ordinary people with no specific security expertise or focus on security issues made a reasonable job of presenting this story and there seemed to be a willing market for this.

Dudu MimranMarch 19, 2018 12:19 PM

Hi Bruce,

I couldn’t agree more about the irresponsible handling of the disclosure and seemingly shady motives though I am not into the details. One thing that bothers me is your post title which starts at “Israeli Security Attacks ...” - the company which reported that is indeed Israeli but they are far from being representatives of the israeli security industry as they represent only themselves. Your title spills the blame of their faulty actions towards innocent others which their main fault is being Israelis or belong to the Israeli security industry.

Thanks,
Dudu

Douglas CoulterMarch 19, 2018 12:46 PM

An article on ZH mentioned a huge number of "puts" (synthetic shorts with leverage) had been bought the day before the announcement. This is almost certainly an attempt to profit from bad news - even if that is essentially fake.
A commenter also pointed out that most of those had expired worthless, as AMD didn't tank enough to put them in the money. Heh. Muddy Waters, these jerks ain't.

If you have root...the rest is mostly meaningless. You could likely flash the onboard disk drive electronics or anything else. Not AMD-specific.

Those who think it takes state level resources to do things like that are deluded in the belief that because they couldn't do it themselves, no one could without extraordinary support. This is called vanity. My outfit RE'd stuff all the time, it's often easy. Bunnie Huang, for example...there are plenty of people who can do that. Pretty much anyone who writes firmware as a job has the knowledge and tools. That's not a lot as a %, but it's a lot as a #.

Clive RobinsonMarch 19, 2018 2:52 PM

@ TimH,

Hopefully products will be designed better, but perhaps instead there will be laws passed to hammer those that disclose...

I hope for the former, but dread the latter.

Punitive legislation for disclosure is likely to be so broadly scoped that even saying who you work for could get you locked up.

Also the effect the latter would have on any research is almost guaranteed to make us considerably less secure...

The idea of "Responsible disclosure" we came to the last time people started talking about disclosure legislation was a close call and we only just dodged a bullet. Some organisations still reach for a lawyer first then PR, marketing and one or two others before even talking to an engineer... We want to stop that becoming the norm. The fact that whatever else this Israeli organisation might or might not have done or tried to do, they have certainly dragged a festering claw into the wound from last time...

65535March 19, 2018 3:01 PM

I have to throw cold water on Nicholas Weaver’s down playing of the physical access to machines when dealing with the enormous power of the NSA. Just look at the Ant catalog and Tailored Access Operations.

[Techdirt]

“Cisco Shipping Hardware To Bogus Addresses To Throw Off NSA Intercept-And-Implant Efforts”

“Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors. It moved quickly to mitigate the damage, sending a letter to the President asking him and his administration to institute some safeguards and limitations to protect US tech companies from the NSA's backdoor plans. To date, there has been no direct response. So, Cisco has decided to handle the problem itself…Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says…The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen [networking machines/boxes – ed] reached customers…”- Techdirt

https://www.techdirt.com/articles/20150320/08335930383/cisco-shipping-hardware-to-bogus-addresses-to-throw-off-nsa-intercept-and-implant-efforts.shtml

Think about the supply and human travel chain and the powers of the government to search and implant spyware on machines. The USPS, Fedex, UPS, any courier service under Five eyes laws could easily intercept your computer and implant spyware. The there is the board search rules, and all international airports and so on.

Next, is the huge and mostly Chinese supply building sector which could easily be manipulated by the NSA and others to implant spyware at the factory. The NSA/CIA/FBI with their ability to search your home while you are away and other tricks must be considered.

The stinking deals with Geek Cloud or Geek squad and other repair service is another opportunity. Huge data centers could easily have a NSA/FBI/LEO mole implant spyware are critical machines. Telephone SS7 centers could be penetrated with moles and exploited and on and on.

The physical access exposure Weaver points to could be quite large as is the chip problem. I would not dismiss it as trivial.

Until we gain control over the NSA/CIA/FBI and the dangerous collect it all mentality of the NSA and point them toward our real state level actors we must be cautious.

I will say a forensic accounting including securities experts should be done also to insure researchers concentrate on security holes without a stock market scam behind the research.

Pleas excuse all the misakes. I am still suffering a bit.

Clive RobinsonMarch 19, 2018 3:09 PM

@ Bruce,

This is an incredible accusation, and honestly needs more evidence before we can evaluate it.

I think it needs a lot more than just "evidence" in the way we unfortunatly see too much of these days.

It needs what some would call "extrodinary evidence" these days. . That is something a judge of criminal law would actually regard as "evidence" not "hearsay" or "unsupported opinion".

That is we should be setting the bar a lot higher than we have been. Because even though something might be factual and/or truthful, it does not of necessity make it "evidence".

GuestMarch 19, 2018 3:25 PM

Those were and are stupid norms. The idea that the vendor should always get advance notice, regardless of the nature of the bug or the actual impact of various forms of disclosure, has never made sense and should go away.

Norms are supported by many people. That's why they're norms. Can you supply links to arguments against these norms that have taken place over years of being debated, or are you appealing to an illusory popularity? If you would ride a mandate of the people into acknowledged significance, you must show that history is on your side.

Had AMD been given more notice, is or was there any chance that AMD could have actually mitigated these hardware problems in fielded machines? Could AMD have done so in a way that was faster and more effective than informed users changing the security measures around those machines?

eropple (over at HackerNews) demolished the idea that most end-users are "informed". (HackerNews' prime advocate for your model of disclosure, tptacek, called out "the power switch" as an end-user mitigation, but only claimed that other mitigations were available; he never named any.)

As to whether there was any chance of the vendor mitigating their own bugs? The norms that have prevailed thus far are to give them that chance when we don't know the answer; your position is that we have to abandon those norms because we don't know the answer. But you haven't given us any reason to accept your new norms - you've only re-asked the question and insinuated that the status quo must adopt your position until the previously unanswerable questions can be answered. Why should the accepted arguments for Responsible Disclosure be replaced with a straw-man you find more convenient to knock down?

All that would do would be to increase the probability of AMD leaking it to people who'd exploit it before everybody who had to protect against it heard about it.

Are you arguing here that AMD, once notified that backdoors in its hardware were known to someone who would publish the backdoor and the date AMD was notified about it, would try to sell the backdoor in their own product to those who could exploit it before anyone else patched their product for them?

That's an . . . interesting . . . variation on the idea that those who knew the exploit would try to cash out before security closed the casino.

echoMarch 19, 2018 3:46 PM

@Clive

I would like to clarify what I believe is a conlfation fo terms you made.

"Hearsay" is admissible in UK criminal and civil cases. Hearsay can often form an important part of a pattern of evidence. This is wholly different to conviction merely on the word of one person or a rumour.

Anecdotal testimony is also admissible, as is opinion given by a "none expert" person a court evalates as having knowledge and skill within a specific problem area. Well formed beliefs based upon reasonable and coherent sources of information also has legal standing. (This is a different thing from a random knee-jerk opinion formed for convience.)

On the subject of a lawful decision a decision must be "considered in the round" with adequate expertise and evidence. Sometimes this may require due diligience (i.e. further research). Anything else runs the risk of being "irrational". Proving a decision is irrational can be especially difficult when it appears to be tohrough and persuasive when it is based on an item used as a "pretext". Pretexts may include but not be limited by "the public interest" or "best use of resources".

I note what I guess to be the use of probabilities by the UK foreign secretary when alleging "likely" is somehow missing when discussing the likelihood of human rights abuses by his own department which, of course, is "lawful and proportionate in persuit of a legitimate aim" yawn yawn.

As for the "Thailand allegation" a discussion on the certainty of ignorance is beyond the scope of this topic.

GrauhutMarch 19, 2018 3:46 PM

@Herman "That is how the BIOS update process is supposed to work."

A badly designed overly "user friendly" process, but yes, you are right.

And the chimera "backdoor" could be a JTAG class debugging interface.


Fun facts:

Intel's melting spectres were designed in...

http://www.jpost.com/Business-and-Innovation/Tech/Intel-launches-next-gen-processors-developed-and-designed-in-Israel-477358


AMD is owned by...

http://www.itp.net/588163-abu-dhabi-takes-sole-ownership-of-globalfoundries


Smells a little like hedging of local interests in a competitive global industrial arena. :)

albertMarch 19, 2018 4:33 PM

@Bruce,

"...I know that any publicity is good publicity...", This is only true in Hollywood:) This episode didn't help AMD or CTS.

But I agree, there are good reasons for reasonable withholding of security vulnerabilities.

. .. . .. --- ....

DavidMarch 19, 2018 4:47 PM

From their disclaimer: “ The only thing that the attacker would need is local admin privileges and an affected machine.”

This is equivalent to “I found a novel way to steal all your money. All I need is your online bank account’s username and password.”

Clive RobinsonMarch 19, 2018 5:03 PM

@ 65535,

Pleas excuse all the misakes. I am still suffering a bit.

I hope it is just some mild but annoying winter malady that will soon pass.

The question of implants brings us back to that of mitigation.

Or more correctly how simple does key parts of the logic have to be to get round Kurt Gödel's issue of a logic not being able to truthfully describe it's self.

I need to have a good sit down and have a long think on how to mittigate the "insider attack". If it can be done then further extensions of the simplifed state machine might render the implants passive not active, which would be a necessary step in preventing implants altogether.

justinacolmenaMarch 19, 2018 5:10 PM

What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure.

"Breaks with every norm?" What? The CEO took off his jacket at a tea party or something like that? You can argue all you want about norms and responsibility, but in the final analysis, disclosure is disclosure.

Disclose first to a mega-corporation, and give them 30 days' notice? And you presume that said mega-corporation will not send goons to ransack your home and office and destroy your whole company in the name of "national security" and what-not? I mean, how "responsible" are you supposed to be?

"I sleep with the crown jewels under my pillow, and I believe in the tooth fairy."

echoMarch 19, 2018 5:49 PM

I'm happy with well reasoned norms and standards (i.e. a stable system) which has been arrived at by sensible discussion. I'm not happy with dogma but nor am I happy with cavalier.

@albert

I am not persuaded by analysis of the AMD security issues that anything about this required an "emergency" disclosure.

ClipperMarch 19, 2018 6:17 PM

I read that these exploits may allow to port coreboot and libreboot to AMD machines.

Clive RobinsonMarch 20, 2018 1:02 AM

@ echo,

"Hearsay" is admissible in UK criminal and civil cases. Hearsay can often form an important part of a pattern of evidence.

The use of hearsay in a criminal court used to be very minimal. However one Anthony Blair and side kick Charles Falconer despite having legal training before they went into public office decided that the precedent of a thousand years of world quality jurisprudence was insufficient to stop them tearing it up and throwing it out the door... In essence their view point was the inverse of "It's better that ten guilty men go free, than one innocent man looses his liberty". They would rather have the innocent incarcerated rather than let one guilty person walk free (which is a great view point if you are going to have private prisons, the kick back potential into party coffers is immense).

One of the more disasterous aspects was the change in gateway protocols where people were put in the position of having to try to defend themselves against any "statement"[2] given by others as implication of bad character. In effect such statments were subject to very loose procedural rules. So what might be used to assess character thus motivation are subject to very much lesser rules than other statments relating to a case, which as most juries run by emotion not logic is a very dangerous thing. Further the testing of a person giving such statments was effectively ruled out unlike a person giving statments relating to the case. Whilst not quite "anything goes" the prosecution at various trials tried to use it as a back door around the more rigorous rules of case related statments.

Thus what is "Hearsay" well the word it's self gives an informal indication as to the fact it is not something you have first hand knowledge of pertaining to the facts of a case under consideration. Thus it is something you "hear" and then "say" in testimony that is to be presented to the court.

More formally "Hearsay" in criminal proceedings[3] is (from section 114 (1) Criminal Justice Act (CJA) 2003),

    A statement not made in oral evidence in the proceedings that is evidence of any matter stated
.

As a general case the rules for what constitute hearsay are to be found in PACE and the CJA. More specifically there are checklists in sections 114(2) and 116 of the Criminal Justice Act 2003 which may assist a court when considering the potential for unfairness...

But, as has been noted by ruling, there should be greater flexibility than oral evidence presented at trial. Which is another loop hole that can and has been used against a defendent. A sort of carry over of the "death bed confession before god" that comes from when Theocracy was the greater part of the process.

So the first thing that has to happen is decide what is actually a statment...

As I've mentioned in the past judges just love their paper and in essence that is what a statment is about. A statement is defined as "any representation of fact or opinion made by a person by whatever means"; and it includes a representation made in a sketch, photo fit or other pictorial form. Thus in times past a piece of paper a judge can hold, read and shuffle up with all the other pieces of paper. However Courts have gone "multi-media" these days for a whole manner of reasons, but the prime one was Anthony Blair's "Number 10 think tank" that amongst other things brought you the Iraq war via the "Dodgy Dossier" and the "NHS Spine" debacle which is still the "NHS Net" and all that is bad about it... In essence multi-media gives rise to kickback opportunities from ICT consultants and supprise supprise the "Entertainment Industry"...

Thus in whatever form statments are about,

1, Matter(s) stated.
2, Implied assertions.

Implied assertions are at best messy and are best avoided as it comes down to the debate about knowledge and belief.

However from (CJA section 115) we have this little jem,

A "matter stated" is one where the purpose or one of the purposes of the person making the statement appears to have been to cause another person to believe the matter or to cause another person to act or a machine to operate on the basis that the matter is as stated.

Yes you did read "or a machine to operate"... If it makes intuative sense to you let me know... One thing is certain is it's not getting a "Crystal mark".

That said CJA focuses on "matter stated" which is facts or porported facts made in the statment which it seeks to prove for the case it is relevant to. Which means that an identical statment might be hearsay for one case thus excluded and not for another..

Thus whether the CJA hearsay rule can be guided by the following method. However just to make thinhs difficult a piece of paper may contain rather more than one statment of a matter it seeks to prove, thus the parts are grouped as a communication. So,

Firstly identify what the "matter" or relevant fact in question is that the statment within the communication might seek to prove.

Secondly ask whether there actually is a statement of that matter in the communication.

If no, then no question of hearsay arises, regardless of any other matters that might be within the communication.

If yes, it should be asked as to whether the statment was one of the purposes the maker of the communication intended the recipient, should believe that specific matter or act upon the matter as if true? If yes, it is hearsay. If no, it is not.

Confused? Well most people are by this point... You need to remember it is "Hearsay Evidence" we are talking about thus the emphasis is on "Evidence" that is the communication what ever it is may not have been made as a "witness statment" but as part of the case under consideration. Thus the communication might be between two defendents prior to or as part of the commisioning of the crime the case is about.

Which brings us to the point about whether the Hersay Evidence is admissable for consideration by the jury or not. This is addressed in CJA Section 114(1) 'a' through 'd'.

Section 114(1)(d) is the one about "discretion" that is if the court is satisfied that it is in the "interests of justice" for it to be admissible - then it is...

In essence then hearsay evidence is not only what you can argue it to be in any given case, it's admissability likewise.

Thus appaling injustice can happen in the UK due to discretion and argument within the court. Which is not what the laws of evidence were realy all about prior to CJA and the meddling in a thousand years of jurisprudence.

[1] Blair and Falconer were childhood friends and the pair later shared a London flat in the early days of their legal careers. What they got upto at that time can only be guessed, but evidence of later behaviours suggest it was probably not good.

[2] Any person may make a "statment" at any time in many ways that can be used as evidence, and they only need sign off on it being true to the best of their knowledge if it is a witness statment. But even then it does not make the statement true, factual or even evidence. That has to be determined by proceadure, which unfortunatly can be quite discretionary.

[3] Informally there are three bodies of law within the UK civil, criminal and financial. However there are only civil and criminal cases and financial law is more correctly the provinence of Chartered Accountants, to who a judge in a civil or criminal case should show deference to as they would do to other legal experts outside of the judges area of expertise. More formally Criminal proceedings (section 134 Criminal Justice Act 2003) means,

    Criminal proceedings in relation to which the strict rules of evidence apply

And usually then includes a list of the types of cases it covers, not all of which are obvious. However the converse appears to be comming a reality of "anything goes" in civil cases. Where the proceadure appears to be "He who stacks it the most high is victorious"... Unfortunatly discretion in the "interests of justice" covers all maner of sins, that are becoming broader in scope thus lowering the burden of proof for the prosecution and causing the defendent to have to fight to prove their innocence. Thus the burden of proof falls on the defendant thus has created "an inequality of arms".

65535March 20, 2018 2:42 AM

@ Clive Robinson

Thank you for your kindness. I was injured on an important extremity. Some important wood was shattered. I will have to see how well it heals and hope surgery is not needed. Thanks.

justinacolmenaMarch 20, 2018 4:41 PM

@echo

I'm happy with well reasoned norms and standards (i.e. a stable system) which has been arrived at by sensible discussion.

This is the kind of thing we hear ad nauseam from the Democratic side of the gun control debate, but you are deluded, because the system is not as stable as you think it is, and the discussion is not as sensible as you think it is.

I'm not happy with dogma ...

Oh. Your hair can't be too short ...

... but nor am I happy with cavalier.

... or too long.

No. I am sorry. It is not a slider for a one-dimensional parameter which you can adjust in a dialog box somewhere. These things simply do not work that way.

RealFakeNewsMarch 20, 2018 11:21 PM

From the link posted further up: https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

Maybe you can do that and those registers are very often than not very well documented even within the company itself. I know about this stuff, and everything that I am doing is our own estimates, it may be incorrect, we don’t really know or understand

Anyone else find this comment by CTS contradictory and nonsensical?

One second they're experts, next second they know nothing. We're supposed to believe the research they refuse to show us?

Interesting that AMD are saying they can patch these issues within weeks.

UhMarch 21, 2018 1:51 PM

"This is the kind of thing we hear ad nauseam from the Democratic side of the gun control debate"

This kind of political rider-argument is out of place in an unrelated discussion.
It's also a straw man. Further you don't even live in the country in question.
Linking such unrelated things or bring unrelated debates into this is deluded.

TomMarch 21, 2018 2:12 PM

What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure.

No, this has been done by the people who kept Meltdown and Spectre secret for many months and only notified a couple of companies in advance. However, lots of projects have been hit by Meltdown from one day to the other and they got it from the news. I'm talking about FreeBSD et al.

In fact, according to some FreeBSD developers, "responsible disclosure" is finished and rightly so. Read more: Re: Response to Meltdown and Spectre, tldr:

Thousands and thousands of honorable, well-intentioned and sincere men and women, most with only the purest of motives, have argued and debated, back and forth, for liteally decades now about the true meaning of, and true nature of "responsible disclosure", a topic which continues to be ernestly and reasonably debated between professionals. And yet here we have an instance of a single, dominant, for-profit corporation effectively making a mockery of all those debates by simply doing what it thought was in its own best interests and leaving everyone else to twist in the wind.

I, for one, intend to remember this the next time some geeky hacker-type
dude gets publically criticised for going public with some security flaw
before the affected vendor(s) had a patch ready for release.

The next time I see somebody (anybody) being blasted for having failed to
observe "responsible disclosure protocols", I, at least, will jump to
that person's defense simply by saying "Yea... So?"

Intel has just killed the entire notion of "responsible disclosure".
It simply doesn't exist anymore.

So, this is the new deal, CTS Labs did everything right.

best,
Tom

(required)March 21, 2018 2:21 PM

@Tom

" CTS Labs did everything right. "


Your supplied rant there only effectively applies to Intel's years-long failures.
Extrapolating that any disclosure is "responsible" because Intel failed so hard...

In a word, bullshit. 24 hours is not responsible disclosure for a dozen flaws.

They spent more time just registering catchy domains and making graphics for their stock-shorting plot.

I don't even care why you're defending them, you haven't thought much about this.

echoMarch 21, 2018 6:58 PM

@clive

Jurisprudence is quite the thing isn't it? As for prudence I better keep my mouth zipped. Walls have ears.

vas pupMarch 22, 2018 4:07 PM

Staying one step ahead of the cyber-spies:
http://www.bbc.com/news/business-43259900
Good threat intelligence can mean responders hit the ground running, says Jason Hill, a researcher at security firm CyberInt."If you understand how they operate and deploy these tools and use them to attack the infrastructure you know what to look and how to spot the tell-tale signs." In the past, nation state hackers have tried to bury themselves in a target network and siphon off data slowly."Criminal hackers have a more smash and grab mentality. They do it once and do it big," he says. More recently, he adds, it has got harder to separate the spies from the cyber-thieves.

Chris DrakeMarch 22, 2018 11:43 PM

To be fair, AMD did *invite* this kind of behaviour through the way they arrogantly put the boot into Intel over spectre/meltdown.

UmnamedMarch 23, 2018 2:50 AM

@Grauhut

"@Herman "That is how the BIOS update process is supposed to work."
A badly designed overly "user friendly" process, but yes, you are right."

Sadly, it's the best option we have. More secure BIOS update process (outside OS) would cause more damage than it'd solve. Without the possibility of OS level BIOS update, vast majority of PC would have outdated BIOS for all eternity. Current state with extra option to disable OS level BIOS update is the best option. The most secure option would be jumper, physically blocking write possibility. Every "code" solution is inherently more vulnerabl than simple hardware solution.

Also, software not being classic product, but just some form of tool without any warranty or responsibility, doesn't help either. You know, the standard eula bullshit like "...distributed as it is, without any responsibility or obligation to actually work" :-D

TruthMarch 23, 2018 9:28 AM

Chimera affects ASMedia ASM1042, ASM1142, ASM1143 (basically you can update the flash, if you have access to do so)
The website would infer that there are no Intel motherboards that use those USB controller chips:
ASM1042 ASMedia Universal Serial Bus 3.0 extended host controller
ASM1142 ASMedia Universal Serial Bus 3.1 host controller
ASM1143 ASMedia Universal Serial Bus 3.1 eXtensible Host Controller

So motherboards like the Z270-WS must not exist, with an Intel CPU and a ASMedia USB 3.1 controller.

GuestMarch 23, 2018 5:44 PM

@David:

From their disclaimer: “ The only thing that the attacker would need is local admin privileges and an affected machine.”

This is equivalent to “I found a novel way to steal all your money. All I need is your online bank account’s username and password.”

In fairness, it's more like "I found a way to let myself in to your bank account from now to the end of time, even if you change your password. I only need access for 5 minutes to backdoor you forever."

The average user may be able to reinstall their OS (implicitly wiping their drive in the process), but the malware would still be present and could re-infect their OS.

The attack CTS Labs described violates long-held expectations, and we should not let our scorn for their financial angle blind us to the threat posed by such attacks.

HmmMarch 24, 2018 1:58 PM

"AMD did *invite* this kind of behaviour through the way they arrogantly put the boot into Intel over spectre/meltdown."

Intel knew about the flaws for years, sat on them instead of even attempting to patch, and allowed the CEO to sell stocks before it eventually became fully public. Anyone giving them a boot shot is spot on for it. Making any direct comparison to AMD's 24 hours heads up is about as unrealistic as saying ASmedia USB controllers don't exist on Intel-compat mobos, or comparing flaws that all but require physical access to exploit to trivially-exploited no-password IME-on-by-default issues.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.