1. 9
    AMDFLAWS hardware security amdflaws.com

  2. 10

    Here’s what the “exploits” seem to be:

    • MasterKey: Arbitrary code execution inside the secure processor, but requires the attacker to re-flash the BIOS.
    • Chimera: What if a vendor put malware in their chipset?
    • Ryzenfall: A vendor-signed driver can access protected memory regions and other things (Ryzen only).
    • Fallout: A vendor-signed driver can access protected memory regions and other things (EPYC only).
    1. 4

      Arbitrary code execution inside the secure processor, but requires the attacker to re-flash the BIOS

      This is the most hilarious one. “If you write code into the place for code, it will be executed! Now sell your AMD stock!”

      1. 4

        I mean that’s pretty much the same as the Intel ME vuln from December that had everyone in a tizzy.

        1. 2

          JTAG over USB is a bit more severe. You don’t need to reflash the BIOS to get into Intel’s ME.

          1. 5

            They turned on JTAG over USB by reflashing the BIOS to get into ME.

    2. 13

      Mmmmh, an anonymous domain registration, an unknown “CTS” security research firm publishing only one whitepaper for all vulnerabilities. The whitepaper is published on a secondary website, “safefirmware.com”, which is otherwise broken.

      No exploit has been published, there is no peer review, no responsible disclosure to verify the findings.

      This smells like FUD. The SP is probably broken and vulnerable, yes. But this crap seems only aimed at selling security services.

      1. 4

        How does “responsible disclosure” verify findings?

        1. 1

          My phrasing was a bit misleading, but the whole “exploit being published, peer review, responsible disclosure” was what I was getting at to verify the findings. These publications have to be transparent, reproducible and verified by third parties to be taken seriously.

        2. 6

          No exploit has been published, there is no peer review, no responsible disclosure to verify the findings.

          This is bullshit. Here’s peer review.

          I’m astounded at just how strong the backlash against this is, and the backlash reeks of damage control propaganda.

          AMD PSP is a hardware backdoor. Intel ME is a hardware backdoor. These things shouldn’t exist in the first place, and I wouldn’t put it past AMD and Intel to spend $$ sending armies of trolls trying to cover up the severity of what they’ve done.

          1. 0

            Of course AMD PSP shouldn’t exist in the first place.

            But the backlash against this is simply due to “it” being a ridiculous hit-job. I don’t care about damage to AMD.

            This is bullshit. Here’s peer review.

            Nice, they did not link it on their website. My first guess will always be that there is none unless shown otherwise.

          2. 2

            Seems to be the consensus about this site on Reddit, HN, etc. Someone’s either trying to make a name for themselves or Intel paid someone who paid someone who paid someone who is good at marketing.

            1. 1

              and a big connection to the Israeli Intelligence Corps Unit 8200

            2. 5

              I think it’s no coincidence this story dropped just as Intel announced it would ramp up production in Israel.

              I could imagine these “security experts” (all with strong ties to Israel) were thrown some bone (the chipset vuln) by an Israel/Intel contact and filled the report up with other bogus vulns to try to make some Hedge-fund bucks with it.

              Without doubt, these guys are no researchers in the traditional sense (24h disclosure time, what?) and it all smells very fishy.

              1. 1

                what is the significance of pointing out them being Israeli? shouldn’t American researchers be questioned for their affiliation more harshly, as Intel is an American company?

                should my own work be questioned because I am also Israeli?

                1. 4

                  It’s not about Intel being an American company, but the fact they chose Israel for manufacturing. I don’t want to spread false facts or something and only stated it as something that I could imagine to have happened.

                  Don’t be offended I pointed out the Israeli connection. I work with Israelis on a daily basis and as with any country, there are good and foul apples found within.

              2. 4

                despite the bogosity of the fiasco they are attempting to create, there is a kernel of truth I wish we could address: both Intel and AMD processors all have coprocessors running closed-source firmware, and that is a risk. how can security-minded folks impress upon the world that this layer of trust exists and should be viewed as a considerable downside to the products in question?

                1. 3

                  On the bright side, RISC-V boards are starting to become available. The HiFive is up for preorder on Crowdsupply.

                2. 3

                  Can I delete this story/can this story be deleted? This seems to be bogus.

                  1. 1

                    Interesting? Has there been some proposal to suggest this is bogus? (I don’t know one way or the other). I’d love to see some analysis that soundly debunks it.

                      1. 4

                        Been reading up a bit on it, and this thread is a very succinct summary of what I’ve been seeing. Thank you for posting. I’ve removed my upvote on the thread.

                        Do we need a tag for “fake news”? I was hoping not ):

                  2. 2

                    Here’s one take that this is serious research and the vulnerabilities matter, regardless of the other questions about how CTS has acted https://twitter.com/dguido/status/973628511515750400?s=21

                    1. 2

                      One more thread. Mixture of yawns and “it’s a real but overhyped vulnerability”: https://twitter.com/taviso/status/973622044200919040

                      1. 1

                        If you read that whole thread, @dguido admits that he was paid by CTS labs to provide his opinion on these flaws.

                        It’s a bit problematic to cite someone when they have an incentive to lie.

                        1. 6

                          If your job is to review security findings, you’re probably going to get paid for it. That’s how jobs work.

                          1. 1

                            He preemptively states that he billed them for reviewing their work in private, not for making any public statement. Now, technically, there is money on the line: he stands to gain one week of his paid rate, and he stands to lose major credibility if he’s known to lend his name to unsound research.