The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume III

Two developments:

  1. It looks like Fraser John Perring has given different accounts to Reuters and Vice Motherboard.  Reuters says that Perring received the report on Monday, March 12.  Vice Motherboard says that Perring received the report last week, which would be March 4 to 10.
  2. CTS Labs has released a “Clarification About the Recent Vulnerabilities”.  It turns out that all four named vulnerabilities are only exploitable AFTER an attacker already has administrative control of the system (“An attacker would only need to be able to run an EXE with local admin privileges on the machine”).  I don’t see how the severity of these vulnerabilities would differ much from the BIOS rootkit attacks that have existed for years.  For example, the Vault 7 documents released by Wikileaks revealed that the CIA developed malware to spy on computers by persisting in firmware.  In 2017, Intel Security released a tool to detect such software embedded in the BIOS.  Viceroy Research did not write an obituary on Intel.
    • Earlier speculation by me and others about CTS’ research seems to have been misguided.  CTS Labs is not rehashing vulnerabilities that work without already having control of the system (e.g. BadUSB).  CTS Labs is presumably alleging novel flaws (although they don’t seem to be actually claiming that their discoveries are novel).

There are technical details that don’t make sense

The CTS clarification notes:

Attackers could load malware into the AMD Secure Processor before the CPU starts. From this position they can prevent further BIOS updates and remain hidden from security products. This level of persistency is extreme – even if you reinstall the OS or try to reflash the BIOS – it won’t work. The only way to remove the attacker from the chip, would be to start soldering out chips. (we have seen a motherboard that had a socket where you can switch chips – then you could just put a new SPI chip).

The document talks about malware on the AMD Secure Processor.  The AMD Secure Processor is an ARM core that sits on the same die as the CPU (it’s part of the same chip as the CPU).  Desktop CPUs are designed to be easy to remove; they sit in a socket and are not attached to the motherboard with solder.  Simply search Google or YouTube for “how to remove an AMD CPU”… a CPU is not a chip you remove with a soldering iron.  The chip that is normally soldered down is the SPI flash ROM on the motherboard, which stores the Secure Processor’s firmware alongside the BIOS; CTS’ own parenthetical about a socketed “SPI chip” shows that this is the chip they have in mind, so the passage conflates the processor with the flash chip that holds its firmware.  I don’t get it.  Whatever it is that the author was trying to explain, the author did not explain it correctly.

EDIT (3/20/2018): I think that what they are trying to say is that putting malware onto the Secure Processor allows an attacker to flash the BIOS with a version that doesn’t allow further changes to the BIOS.  However, the claim that the changes cannot be undone may be a little extreme.
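If an implant of the kind CTS describes really did live in the SPI flash, the practical question for a defender is whether a flash image is the one the vendor shipped.  The following is an added example, not code from this post or from CTS Labs: it compares a flash dump against a known-good vendor image at SPI erase-block granularity and reports the modified regions.  The sample images are constructed inline; in practice the dump should come from an external programmer clipped to the flash chip, since a dump read through the host’s own SPI controller can be lied to by exactly the firmware you are trying to inspect.

```python
import hashlib

# Common SPI flash erase-block size; real parts vary (assumption for this example).
BLOCK = 4096


def image_digest(image: bytes) -> str:
    """SHA-256 of a whole flash image, for comparison against a vendor-published hash."""
    return hashlib.sha256(image).hexdigest()


def diff_flash_images(reference: bytes, dump: bytes, block: int = BLOCK) -> list[tuple[int, int]]:
    """Return (offset, length) ranges, aligned to `block`, where `dump` differs from `reference`.

    Adjacent differing blocks are merged into one range so a multi-block
    modification shows up as a single region.  A size mismatch is an error:
    a dump of the wrong length is either a bad read or a different part.
    """
    if len(reference) != len(dump):
        raise ValueError(
            f"size mismatch: reference is {len(reference)} bytes, dump is {len(dump)} bytes"
        )
    ranges: list[tuple[int, int]] = []
    for off in range(0, len(reference), block):
        end = min(off + block, len(reference))
        if reference[off:end] == dump[off:end]:
            continue
        if ranges and ranges[-1][0] + ranges[-1][1] == off:
            start, length = ranges[-1]
            ranges[-1] = (start, length + (end - off))
        else:
            ranges.append((off, end - off))
    return ranges


def describe_diff(reference: bytes, dump: bytes, block: int = BLOCK) -> str:
    """Human-readable verdict for a dump: 'clean' or the list of modified regions."""
    ranges = diff_flash_images(reference, dump, block)
    if not ranges:
        return "clean: dump matches reference"
    parts = [f"0x{off:06x}-0x{off + length - 1:06x}" for off, length in ranges]
    return f"MODIFIED: {len(ranges)} region(s): " + ", ".join(parts)


# Constructed sample data (not a real firmware image): a 16 KiB "vendor" image
# and a copy with two adjacent blocks patched, as a BIOS implant might do.
REFERENCE_IMAGE = bytes(range(256)) * 64
_tampered = bytearray(REFERENCE_IMAGE)
_tampered[0x1000:0x1010] = b"\x90" * 16
_tampered[0x2000:0x2010] = b"\x90" * 16
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    print("reference sha256:", image_digest(REFERENCE_IMAGE))
    print("clean dump   ->", describe_diff(REFERENCE_IMAGE, REFERENCE_IMAGE))
    print("tampered dump->", describe_diff(REFERENCE_IMAGE, TAMPERED_IMAGE))
```

With a real dump you would read both files with `open(path, "rb").read()` and feed them to `describe_diff`; the block size should match the flash part’s erase-block size so the reported regions line up with what an attacker could have rewritten.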


*Disclosure: I have a short position in AMD (see my posts tagged AMD).  Despite that, I disagree with the ethics of what these charlatans are doing.

Links

The bear raid from Viceroy Research + CTS-Labs, and the NineWells Capital Management connection

The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume II

The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume IV – CTS Labs is a lie

EDIT (9:16PM 3/15/2018): Ian Cutress of AnandTech has done some excellent work on the story:

  • His live tech chat on YouTube gives an overview of the situation and his take on it.  He covers the technical security aspects much better than I do.
  • Ian Cutress’ article on Anandtech – “Our Interesting Call with CTS-Labs” – has a transcript of his call with CTS Labs.  Ian provides commentary on various aspects that don’t seem to add up.

EDIT (3/17/2018): Changed the sentence at the beginning from “CTS Labs is alleging flaws that are less severe.” to “CTS Labs is presumably alleging novel flaws (although they don’t seem to be actually claiming that their discoveries are novel).”
