NOTE: I AM NOT A SECURITY EXPERT. ANY OPINION HERE IS THE OPINION OF A LAYMAN. THE INFORMATION BELOW IS FOR EDUCATIONAL PURPOSES ONLY, AND SHOULD NOT BE USED FOR DECISIONS. THE AUTHOR DISCLAIMS ANY WARRANTY AS TO THE ACCURACY OF STATEMENTS BELOW. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE TEXT BELOW, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I had a hard time even finding the website for CTS labs (for those wondering, it is cts-labs.com), and clicking around a bit it already feels very fishy. Most of the site is literally the same text pasted above a different list of external sources, and at best it is a very poorly executed company website. Not exactly what I would expect to see for a reputable security lab.
Next, the whitepaper explicitly states it does not give any details on the executions of the exploits. That alone is weird, as it allows literally no one (except maybe AMD, since they claimed to have given technical details to them) to verify that their findings are reasonable.
Ignoring that, let us next take a look at their supposed "attacks":
Masterkey: This one requires bios flashing capability. I am very sorry, but when an attacker can flash BIOS, it is game-over. That holds regardless of any flaws one might be able to exploit using that.
Ryzenfall: This requires "local-machine elevated administrator" access (pretty much full access to the operating system, and I guess from their wording that running inside a VM is not enough), and their text suggest it is an attack against the code running on the secure processor inside ryzen chips. Even if this is a legitimate problem, a simple firmware upgrade should be more than sufficient for mitigating it. Furthermore, requiring local administrator access on an OS running on bare metal is usually game over anyway, so this one again is probably not that big of an issue.
Fallout: Again, requires "local-machine elevated administrator", so all the previous caveats apply. Here they do not give any hints on how the exploit is supposed to work, or even how it is different from Ryzenfall.
Chimera: According to their claim, this is an exploit of the Promontory (or X370 for us consumers) chipset. They claim them to be some sort of pair of manufacturer backdoors, one implemented in hardware and the other in firmware. Given the fact that this is most likely a VERY complex chip given the diagrams AMD released for it, I seriously wonder how they can now that one of the found backdoors is implemented in hardware. Furthermore, they dont give any information as to the level of access they needed in order to exploit the problem.
Furthermore, all of the above attacks seem very specific in naming the companies that provided the (technology behind) the various components in the cpu attacked.
Combined, I would say that these attacks seem very much like scraping the bottom of the barrel, if they are real at all. There may be some small situations where Ryzenfall or Fallout might be relevant (e.g. where it is reasonable for an adversary to have administrator access but not declare the machine pwned), but I find it hard to find any realistic scenarios for that.
Schol-R-LEA, your (and the rest of the media's) assement that this seems mostly designed to raise as much of a stink as possible for stock price manipulation seems rather likely. Given that, I would not be surprised if this will lead to future legal action, and this prospect might also explain why (as far as I can find) AMD hasn't yet given any response to the supposed attacks.
There are more reasons to believe it is rather fishy, gamersnexus has a nice breakdown of them at
https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs. One of the highlights for me is the following sentence in the legalese at the end of the whitepaper:
Quote:
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
This is basically them declaring that they may or may not have shorted amd stock, or are heavily invested in a company that just shorted amd stock. All in all, I wouldn't be surprised if this is (potentially illegal, I am no expert in securities fraud so I can't tell what is and isn't legal about this) stock manipulation.
Edit: I missed the AMD response, but it is literally just a stock response saying they are looking into it. The only thing of note is that cts-labs was apparently new to them as well.
Edit2: Also fishy for a security lab is that their website is not willing to load over https