Leaked report on AMD chip flaws raises ethical disclosure questions
Researchers announced AMD chip flaws without following the coordinated disclosure procedure, and a leak of the research to a short seller has raised further suspicions about the process.
The explosive research on AMD chip flaws released this week, which broke vulnerability disclosure guidelines, has been further marred by the involvement of short sellers and questions about ulterior financial motives.
CTS Labs announced four classes of AMD chip flaws after giving AMD just 24 hours' notice, rather than the standard 90-day disclosure window. But CTS Labs admitted to sharing the vulnerability report with other researchers one week ago, leading to questions of who knew what and when. The research was also leaked prior to public disclosure to Viceroy Research, a financial analysis firm that has advocated short selling stock in the past.
SearchSecurity questioned CTS Labs about its disclosure process, and Yaron Luk-Zilberman, former managing director at NineWells Capital Management and co-founder and CFO of Tel Aviv-based CTS Labs, said the company "verified [its] results carefully both internally and with a third-party validator, Trail of Bits, [and] delivered a full technical description and proof of concept of the vulnerabilities to AMD, Microsoft, Dell, HP, Symantec and other security companies."
Dan Guido, founder of security firm Trail of Bits, based in New York, told SearchSecurity that CTS Labs first contacted him the week of March 5, but he was not made aware of plans to announce the AMD chip flaws so soon. Guido said via Twitter that he had no prior relationship with CTS Labs, and the company contacted him through a "mutual friend."
"[CTS] told me they were planning on [disclosing to AMD]," Guido told SearchSecurity, adding that it is common for him to discuss disclosure with vendors in a situation like this. "I recommended they report the vulnerabilities to a CERT."
Guido has been vocal on Twitter that the AMD chip flaws are real and should be taken seriously -- echoing a sentiment shared by others, like Alex Ionescu, vice president of EDR strategy at CrowdStrike, based in Sunnyvale, Calif.
Adding to questions about the disclosure, Viceroy Research posted a scathing 25-page review of the potential financial liability of the AMD chip flaws approximately one hour after the CTS announcement, which claimed AMD's stock was "worth $0.00" and predicted the issues would lead to AMD filing for bankruptcy.
Viceroy founder Fraser Perring told SearchSecurity he isn't exactly sure when his company received the AMD chip flaw report. A Reuters story from Tuesday claimed Perring said Viceroy received the anonymously emailed copy of CTS Labs' research at around 4 p.m. Monday.
"We're trying to check, because we're getting a bunch of misinformation. We've got one report stating that we had the report well in advance, and then we've got another report that basically says that we only had it a few hours before," Perring told SearchSecurity. "From our perspective, we definitely had it in advance. It's likely to have been before [Monday at 4 p.m.]"
Perring admitted that after receiving the report, Viceroy showed it to one expert who recommended they consult other technical experts to determine the validity of the findings.
"The expert that we spoke to that corroborated the [AMD chip flaw] report and has been in contact with the other [experts] that have validated the findings actually said that a novice security analyst should have spotted this in development," Perring said. "We employed people who had more technical expertise, and, ironically, one of them is very public, but won't comment that he was consulted by us because he doesn't want the reputational damage."
Luk-Zilberman would not confirm the timeline of events and claimed CTS Labs was not responsible for sharing the AMD chip flaw report with Viceroy Research.
"Viceroy is not a client of CTS. We believe that Viceroy received our report from a third party with whom we had shared our report," Luk-Zilberman told SearchSecurity.
When asked who was sent the report other than the vendors on Monday and Guido before that, a CTS spokesperson said, "There was no one else."
Guido denied leaking the report to Viceroy and told SearchSecurity he was unaware of anyone else who may have been in possession of the AMD chip flaw report prior to Monday. Guido also said on Twitter this week that he has "no positions" on AMD stock and had "no arrangement to benefit" from CTS Labs' research.
The Reuters report further fueled suspicions of financial motives, with claims of a spike in short selling of AMD stock last Friday and Monday. CTS Labs' own legal disclaimer on the AMD chip flaws website acknowledged the company may have a financial interest in AMD stock.
"The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind," CTS wrote in the disclaimer. "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
Why did CTS ignore coordinated disclosure procedure?
CTS Labs has maintained the reason it did not follow the customary 30- to 90-day disclosure window was a matter of public safety.
"In our view, such a requirement is only pertinent to situations in which the researchers intend to make public their vulnerabilities -- in their full exploitable detail -- at the end of the period. The purpose of such a 'cooling' period is to allow the company to issue patches to the vulnerabilities before they go viral, while still having a deadline that pressures the company to act," Luk-Zilberman told SearchSecurity. "It is important to understand that CTS does not intend to make the vulnerabilities public. That is because of the very long time it will likely take to patch such hardware- and firmware-level vulnerabilities -- in our assessment, much longer than 90 days; perhaps many times longer."
Ilia Luk-Zilberman, CTO of CTS Labs, wrote in a public letter that the company believes the current responsible disclosure process is flawed.
"The main problem in my eyes with this model is that during these 30/45/90 days, it's up to the vendor if it wants to alert the customers that there is a problem. And as far as I've seen, it is extremely rare that the vendor will come out ahead of time notifying the customers," Luk-Zilberman wrote in the letter, adding that it is also troubling when the disclosure window closes and a vendor hasn't patched, but the technical details of a flaw have been released.
"I think that a better way would be to notify the public on day zero that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it's already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."
When asked whether the announcement of the AMD chip flaws, even without technical details, risks giving malicious actors a guide to finding and exploiting the same vulnerabilities CTS found, CTS declined to comment.
Yaron Luk-Zilberman added that he felt "it would be irresponsible not to notify users about the flaws in AMD products that put them at risk. Users, not AMD or ourselves, should decide whether and how to use vulnerable products."
Over the course of an hourlong phone call, Perring reiterated this sentiment as the reason for Viceroy's review of the AMD chip flaw financial impact.
"Prior to our publication of the report, we were made aware of the disclosure. We were informed by three experts that disclosing any report would not identify the vulnerabilities. Since then, we have been told that the vulnerabilities are on such a basic design level," Perring said. "Should users be aware of it? Is it in the public interest? On the basis of probability, consumers are buying materially flawed products with these vulnerabilities. Shareholders are investing hard-earned money into a company that is deficient in its security."
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., told SearchSecurity via Twitter that he doesn't think "CTS even believes this argument."
"Based on the statements on their website, it appears likely they didn't give AMD time to deal with the flaws because they have a financial interest in AMD losing value," Williams said. "They make a valid point that vendors would prefer to not disclose a flaw until they have a patch -- and even then will often downplay the significance. But these statements are nothing short of disingenuous."
Yvette Connor, chief risk officer at Focal Point Data Risk in Tampa, Fla., told SearchSecurity CTS Labs could have more effectively established "a level of responsibility and risk management security awareness for which they can take credit" by giving AMD more time to investigate and respond to the report before announcing anything.
"Bottom line: Be responsible in your risk investigation. Share key data with target companies and allow for reasonable validation timelines. The negative brand implications resulting from a false positive can be massively adverse," Connor said. "This is especially true if the false positive is widely proclaimed. Also, CTS faces the risk of finding themselves at the receiving end of collateral brand damage, resulting from their rush to report their AMD findings."